
Helping you live well

Tel: 01237 476363

Privacy Notice for Patients

This privacy notice describes the data the practice holds about you, why we hold it, where and how we store it, how long for and how we protect it. It also tells you about your rights under the Data Protection Legislation and how the law protects you.

Who we are and what do we do?

Bideford Medical Centre, Abbotsham Road. Tel: 01237 476363. Email: bideford.systmone@nhs.net

Bideford Medical Centre is a Data Controller for the data we hold about you. We hold your data in order to provide you with health and social care.

What is personal data and what data do we use?

Your personal data is any information that can be connected to you personally. If you can be identified from the data, it is personal data. The types of personal data we use and hold about you are:

  • Details about you: your name, address, contact number, email address, date of birth, gender and NHS number. We may also hold information about your emergency contact, next of kin and carer.

  • Details about your medical care: medical diagnosis, record of treatment received, referrals, history of prescribed medication, results of investigations such as X-rays etc.

  • Information provided by you: this includes correspondence relating to feedback, concerns and complaints about the service you have received.

  • Relevant information from other healthcare professionals, relatives or those who care for you.

  • CCTV – your vehicle registration number (this is recorded on our ANPR camera and premises CCTV cameras after any visit to the practice). Your vehicle registration number may be viewed on camera by the police in the event of an incident at the practice (which may or may not involve your vehicle).

 

We may also hold the following information about you:

  • Religion or other beliefs of a similar nature,

  • Family, lifestyle and/or social circumstances

  • Employment details,

  • Financial details.

When we collect your mobile number we use it for the following text communications:

  • to remind you of appointments

  • to remind you of annual clinics (if applicable to you),

  • to inform you of other services which relate directly to your healthcare,

  • to notify you about temporary changes to our opening hours (for example for staff training)

  • to send links to participate in video consultations (when an appointment is booked as a remote video consultation).

  • to send links to upload images for medical diagnosis (only when approved by you)

  • to send you links to secure documents when requested by you (eg a MED3)

If you no longer wish to receive communication this way, please let a member of staff know who will be able to update your preferences.

When we collect your email address, we use it to:

  • inform you of other services which relate directly to your healthcare,

  • send you electronic leaflets and videos relating to your healthcare,

  • send you electronic documents as requested by you (for example MED3 form, or Subject Access Request)

  • send a response to an accurx request submitted by you.

If you no longer wish to receive communication this way, please let a member of staff know who will be able to update your preferences.

Why do we process your data and what legal basis do we have to process your data?

In order to process your personal data or share your personal data outside of the practice, we need a legal basis to do so.

 

If we process or share special category data, such as health data, we will need an additional legal basis to do so. We rely upon GDPR Article 6(1)(e) (public interest task) and Article 9(2)(h) (health and social care) for most of our processing and sharing, in particular to:

  • Provide you with health and social care

  • Share data from, or allow access to, your GP record, for healthcare professionals involved in providing you with health and social care,

  • Receive data from or access your data on other NHS organisation clinical systems,

  • Work effectively with other organisations and healthcare professionals who are involved in your care,

  • Ensure that your treatment and advice, and the treatment of others is safe and effective,

  • Participate in National Screening Programmes,

  • Use a computer program to identify patients who might be at risk from certain diseases or unplanned admissions to Hospitals,

  • Help NHS Digital and the practice to conduct clinical audits to ensure you are being provided with safe, high quality care,

  • Support medical research when the law allows us to do so,

  • Supply data to help plan and manage services and prevent infectious diseases from spreading.

We rely upon GDPR Article 6(1)(d) (vital interest) and Article 9(2)(c) (vital interests) to share information about you with another healthcare professional in a medical emergency.

 

We rely upon GDPR Article 6(1)(e) (public interest task) and Article 9(2)(g) (substantial public interest) to support safeguarding for patients who, for instance, may be particularly vulnerable to protect them from harm or other forms of abuse.

 

We rely upon GDPR Article 6(1)(c) (legal obligation) and Article 9(2)(h) to share your information for mandatory disclosures of information (such as NHS Digital, CQC and Public Health England).

 

We rely upon GDPR Article 6(1)(c) (legal obligation) and Article 9(2)(f) (legal claims) to help us investigate legal claims and if a court of law orders us to do so.

Last updated: 12/08/2025

 

We rely upon GDPR Article 6(1)(a) (consent) and Article 9(2)(a) (explicit consent), in order to:

  • Help the practice investigate any feedback, including patient surveys, complaints or concerns you may have about contact with the practice,

  • Help manage how we provide you with services from the practice, for example, when you nominate individuals to contact the practice on your behalf,

  • Share your information with third parties, for example, insurance companies and medical research organisations.

We also use anonymised data to plan and improve health care services. Specifically, we use it to:

  • Review the care being provided to make sure it is of the highest standard,

  • Check the quality and efficiency of the services we provide,

  • Prepare performance reports on the services we provide.

Common law duty of confidentiality

Healthcare staff will respect and comply with their obligations under the common law duty of confidence. We meet the duty of confidentiality under one of the following:

  • You have provided us with your explicit consent,

  • For direct care, we rely on implied consent

  • We have approval from the Confidentiality Advisory Group

  • We have a legal requirement to collect, share and use the data,

  • On a case-by-case basis, we will share information in the public interest.

How do we collect your data?

The practice collects data that you provide when you:

  • Receive treatment or care from the practice,

  • Contact the practice by telephone (all telephone calls received and made by the practice are recorded for training and monitoring purposes), online or in person,

  • Complete a form electronically or on paper,

  • Contact the practice via a Social Network

  • Visit the practice’s website (if cookies are enabled).

We receive information about you from other providers to ensure that we provide you with effective and comprehensive treatment. These providers may include:

  • The GP Practices Wooda Surgery, Northam Surgery, Castle Gardens Surgery, Torrington Health Centre and Hartland Surgery within the Torridge Primary Care Network

  • Other GP Practices

  • NHS Trusts/Foundation Trusts

  • NHS Commissioning Support Units (CSUs)

  • Community Services (Community Nurses, First Contact Physiotherapists, Rehabilitation Services and out of hours services)

  • Child Health Information Service

  • Ambulance or emergency services

  • Independent contractors such as Pharmacies, Dentists and Opticians

  • Devon Clinical Commission Group (CCG)

  • Devon Partnership Trust

  • NHS Digital

  • NHS England

  • North Devon Hospice

  • Local authorities

  • Health and Social Care Information Centre (HSCIC)

  • Police and Judicial Services

  • Educational Services

  • NHS 111

  • Public Health England and Screening

  • Non-NHS health care providers

  • Research providers

We also use accurx which is an online tool that allows you to get advice and treatment, request sick notes and results or self-help. accurx is provided by a third-party organisation and by using accurx, you are submitting your information to them.

 

This information is then provided to the practice to be reviewed. Further information on accurx can be found at: https://www.accurx.com/security

Who do we share your data with?

In order to deliver and coordinate your health and social care, we may sometimes share information with other organisations. We will only ever share information about you if other agencies involved in your care have a genuine need for it. Anyone who receives information from the practice is under a legal duty to keep it confidential and secure.

 

Please be aware that there may be certain circumstances, such as assisting the police with the investigation of a serious crime, where it may be necessary for the practice to share your personal information with external agencies without your knowledge or consent.

 

We may share information with the following organisations:

  • The GP Practices Wooda Surgery, Northam Surgery, Castle Gardens Surgery, Torrington Health Centre and Hartland Surgery within the Torridge Primary Care Network

  • Other GP Practices

  • Inspira Health Primary Care Heart Failure Service

  • NHS Trusts/Foundation Trusts

  • Devon Clinical Commission Group (CCG)

  • NHS Commissioning Support Units

  • Community Services (Community Nurses, First Contact Physiotherapists, Rehabilitation Services and out of hours services)

  • Devon Partnership Trust

  • Ambulance or emergency services

  • Independent contractors such as Pharmacies, Dentists and Opticians

  • Local authorities

  • Multi-Agency Safeguarding Hub (MASH)

  • Health and Social Care Information Centre (HSCIC)

  • Police and Judicial Services

  • Educational Services

  • Fire and Rescue Services

  • NHS 111

  • The Care Quality Commission, ICO and other regulated auditors

  • Public Health England and Screening

  • NHS England

  • NHS Digital

  • North Devon Hospice

  • Non-NHS health care providers

  • Child Health Information Service

  • Research providers

In addition to sharing data with the above services, the practice will also use carefully selected third party service providers that process data on behalf of the practice. When we use a third party service provider, we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating responsibly to ensure the protection of your data. Examples of functions that may be carried out by third parties include:

  • Organisations that provide IT services & support, including our core clinical systems; systems which manage patient facing services; data hosting service providers; systems which facilitate video consultation, appointment bookings or electronic prescription services; document management services etc.

  • Organisations who are delivering services on behalf of the practice (for example conducting Medicines Management Reviews to ensure that you receive the most appropriate, up to date and cost-effective treatments or supporting practices in offering choices of providers and appointments to patients who are being referred via the NHS E-Referral system).

  • Delivery services (for example if we were to arrange for delivery of any medicines to you).

  • Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).

For further information on who we share your personal data with and our third-party processors, please contact the Practice IT Manager.

Where do we store your data?

We use a number of IT systems and tools to store and process your data on behalf of the practice. Examples of tools we use include our Core Clinical System TPP SystmOne, NHSmail, Microsoft 365, accurx and Niche Health iGPR (for electronic insurance reports / subject access requests).

 

For further information on this, please mark your query for the attention of the Practice IT Manager, either via bideford.systmone@nhs.net or by post to the following address: Bideford Medical Centre, Abbotsham Road, Bideford, EX39 3AF.

GPConnect / Interoperability / Enhanced Data Sharing Module systems

We share your record using GP Connect / Interoperability / Enhanced Data Sharing Module systems to make sure that, whether you are visiting the practice, attending hospital, or being seen in the community or at home by a care professional, everyone knows the care you need and how you want to be treated. Your electronic health record is available to the practices in the Torridge Primary Care Network and other local providers (local Out Of Hours health services, hospital wards, A&E, community health services and South West Ambulance Trust) who are involved in your care. This includes the sharing of personal contact details, diagnosis, medications, allergies and test results. Your records will be treated with the strictest confidence and can only be viewed if you use their service.

 

You can find more information about GP Connect at:

https://digital.nhs.uk/services/gp-connect/gp-connect-in-your-organisation/transparency-notice

 

You can also search for organisations who use GP Connect here: https://transparency.ndsp.gpconnect.nhs.uk/Name

 

Please note that if you have previously dissented (opted out) to sharing your records, this decision will be upheld, and your record will only be accessed by the practice. Should you wish to opt out, please speak to our reception team, who will be able to update your personal preferences. Please note that by opting out of this sharing, other health professionals may not be able to see important medical information, which may impact on the care you receive.

Summary Care Record (SCR)

NHS England have implemented the SCR, which contains information about you, including your name, address, date of birth, NHS number, medication you are taking and any bad reactions to medication that you have had in the past. This information is automatically extracted from your records and uploaded onto a central system.

 

Many patients who are seen outside of their GP Practice are understandably not able to provide a full account of their care or may not be in a position to do so. The SCR means patients do not have to repeat their medical history at every care setting and the healthcare professional they are seeing is able to access their SCR. The SCR can only be viewed within the NHS on NHS smartcard-controlled screens or by organisations, such as pharmacies, contracted to the NHS.

 

As well as this basic record, additional information can be added. However, any additional data will only be uploaded if you specifically request it and with your consent. You can find out more about the SCR here: https://digital.nhs.uk/services/summary-care-records-scr

National Clinical Audits

National Clinical Audits aim to measure service provision, interventions and outcomes to support current and future services to deliver efficient, effective and equitable prevention and care.

National Screening Programmes

The NHS provides national screening programmes so that certain diseases can be detected at early stages. These screening programmes include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service. More information on the national screening programmes can be found at:

https://www.gov.uk/topic/population-screening-programmes

Risk Stratification

Your medical records will be searched by a computer program so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital. This means we can offer patients additional care or support as early as possible.

 

This process will involve linking information from your GP record with information from other health or social care services you have used. Information which identifies you will only be seen by this practice. More information can be found at https://www.england.nhs.uk/ig/risk-stratification/ or speak to the practice.

One Devon Dataset

As well as using your data to support the delivery of care to you, your data may be used to help improve the way health and social care is delivered to patients and service users throughout Devon using Population Health Management methods.

 

We will use a pseudonymised extract (i.e., not identifiable information) which will be sent securely to NHS Devon ICB (Integrated Care Board) and in partnership with the Local Authorities. Data will be used to support the Devon Integrated Care System to improve short-term and medium-term health outcomes for local populations. If you would benefit from some additional care or support, your information will be shared back to the practice, or another local provider involved in your care, so that they can offer you direct care.

 

Further information about Population Health Management can be found here:

https://www.england.nhs.uk/integratedcare/phm/

 

Further information about the One Devon Dataset can be found here:

https://devon.icb.nhs.uk/privacy-notice/

 

We will rely on public interest task as the legal basis for processing your data for this purpose. You have a right to object to your information being used in this way. If you wish to discuss this further, please speak to the practice.

Research

We are a research practice and work with RD&E Research, University of Oxford, Cancer Research, University of Birmingham, & Network South West Peninsular to deliver research studies and trials. Employees of the practices will access your information in order to determine whether you are suitable to be invited to participate in a study. We will only share your information with the research providers with your explicit consent.

OpenSAFELY Data Analytics Service

NHS England has been directed by the government to establish and operate the OpenSAFELY COVID-19 Service and the OpenSAFELY Data Analytics Service. These services provide a secure environment that supports research, clinical audit, service evaluation and health surveillance for COVID-19 and other purposes.

 

Each GP practice remains the controller of its own GP patient data but is required to let approved users run queries on pseudonymised patient data. This means identifiers are removed and replaced with a pseudonym.

 

Only approved users are allowed to run these queries, and they will not be able to access information that directly or indirectly identifies individuals. Patients who do not wish for their data to be used as part of this process can register a type 1 opt out with their GP. For type 1 opt outs please see the Type 1 Opt-out section of this document. Here you can find additional information about OpenSAFELY. We will rely on Legal Obligation (Article (6)(1)(c)) as the legal basis for processing your data for this purpose.

General Practice Data for Planning and Research Data Collection (GPDfPR)

As well as using your information to support the delivery of care to you, your data may be used by NHS Digital to help improve the way health and social care is delivered to patients and service users throughout England. From the 1st September 2021, NHS Digital will securely extract your information to provide access to patient data to the NHS and other organisations who need to use it, to improve health and social care for everyone.

 

NHS Digital will primarily use your information in a way that does not identify you (your information will be pseudonymised). However, they will be able to use their software to identify you in certain circumstances, and where there is a valid legal reason to do so. NHS Digital may also share your information with third parties such as Local Authorities, primary care networks (PCNs), clinical commissioning groups (CCGs), research organisations, including universities, and pharmaceutical companies.

 

At the time of publication (May 2021), patients who have a “type 1” opt-out will be excluded from this programme and will not have their data extracted for this purpose (please see the Type 1 Opt Out section below).

 

Further information about GPDfPR can be found here: https://digital.nhs.uk/data-and-information/data-collections-and-data-sets/data-collections/general-practice-data-for-planning-and-research

We will rely on Legal Obligation (Article (6)(1)(c)), Health and Social Care (Article 9(2)(h)) and Public Health (Article (9)(2)(i)) as the legal basis for processing your data for this purpose.

How long do we hold your data?

We only hold your data for as long as necessary and are required to hold your data in line with the NHS Records Management Code of Practice. Further information can be found online at:

 

https://transform.england.nhs.uk/information-governance/guidance/records-management-code/records-management-code-of-practice/

Other retention periods which are not covered by the NHS Record Management code are as follows:

  • Subject Access Request – held for 3 years from the date the report is supplied

  • Insurance Reports – held for 6 months from the date the report is supplied

  • Telephone Recordings – held 3 years from the date of the call

  • CCTV – footage is held for 56 days, or for as long as is deemed necessary in order to comply with a request for footage in the event of an incident onsite

What rights do you have?

You have various rights under the UK GDPR and Data Protection Act 2018.

Right of access:

You have the right to request access to view or request copies of the personal data we hold about you; this is known as a Subject Access Request (SAR). In order to request access you should contact the practice, or you can sign up for online services and view your medical record online (please visit our practice website for further details on this).

 

Please note that you are entitled to a copy of your data that we hold free of charge; however, we are entitled to charge in certain circumstances where the law permits us to do so. We are also entitled to refuse a request, where the law permits us to do so. If we require a fee or are unable to comply with your request, we will notify you within 1 calendar month of your request.

Right to restrict or object to the use of your information:

There are certain circumstances in which you can object to your data being shared. Information regarding your rights to opt out is detailed below:

Consent:

If the practice is relying on consent as the basis for processing your data, you have the right to withdraw your consent at any time. Once you have withdrawn your consent, we will stop processing your data for this purpose.

 

However, this will only apply in circumstances in which we rely on your consent to use your personal data. Please be aware that if you do withdraw your consent, we may not be able to provide certain services to you. If this is the case, we will let you know.

Implied consent - in order to deliver and coordinate your health and social care, we may sometimes share information with other organisations (for example when making a referral to the hospital). We will only ever share information about you if other agencies involved in your care have a genuine need for it. Anyone who receives information from the practice is under a legal duty to keep it confidential and secure.

Please note that if you have informed us that you do not wish to share your information outside the practice at all (for any purpose – including direct healthcare), clinicians may, in some circumstances still need to share certain information if they believe that not doing so could affect your safety or the quality of your care.

Summary Care Record:

The SCR improves care; however, if you do not want one, you have the right to object to sharing your data or to restrict access to specific elements of your records. This will mean that the information recorded by the practice will not be visible at any other care setting.

 

If you wish to discuss your options regarding the SCR, please speak to a member of staff at the practice. You can also reinstate your consent at any time by giving your permission to override your previous dissent.

National Screening Programmes:

If you do not wish to receive an invitation to the screening programmes, you can opt out at

https://www.gov.uk/government/publications/opting-out-of-the-nhs-population-screening-programmes or speak to the practice.

Type 1 Opt-out:

You have the right to object to your confidential patient data being shared for purposes beyond your direct care by asking the practice to apply a Type 1 opt-out to your medical records. A type 1 opt-out prevents personal data about you being extracted from your GP record and uploaded to any other organisations without your explicit consent. If you wish for a Type 1 opt-out to be applied to your record, please direct your request to the reception team or download a Type 1 Opt Out For Medical Records Form from the following page on our website:

Type 1 Opt Outs

 

Sign and return it to the practice and mark for the attention of the reception team. You can return it either via the following email address: bideford.systmone@nhs.net or post to: Bideford Medical Centre, Abbotsham Road, Bideford, EX39 3AF.

National Data Opt-out:

You have the right to object to your data being shared under the national data opt-out model. The national data opt-out model provides an easy way for you to opt out of data that identifies you being used or shared for medical research purposes and quality checking or audit purposes.

 

To opt-out of your identifiable data being shared for medical research or to find out more about your opt-out choices please ask a member of staff or go to NHS Digital’s website:

 

https://digital.nhs.uk/services/national-data-opt-out-programme

All health and care organisations (including GP practices) are required to comply with this information standard which was initially introduced on 25 May 2018.

 

The standard exists in order to enable patients to be able to opt out from the use of their personal data for anything other than their individual care and treatment (for example research or planning purposes in line with the recommendations of the National Data Guardian).

 

This standard requires us to inform our patients that we must have a suitable mechanism in place, which can identify and remove any patient information belonging to patients wanting to opt out of data sharing for such purposes.

 

For reference you can update your data sharing opt-out preferences at any time by visiting:

https://digital.nhs.uk/services/national-data-opt-out

At present, having reviewed data flows within the practice (which is a process that we must regularly carry out), Bideford Medical Centre is currently not participating in any research or planning activities which require a review and application of data opt outs (all data flows fall within the scope of permissible sharing without consent, which can automatically be shared with the requesting partner organisation – for example National Diabetes Audits shared to NHS Digital under section 259, or Invoice backing data for contracted or non-contracted activity to Controlled Environments for Finance (Confidentiality Advisory Group granted exemption under Section 251)).

 

Should the need arise in future, however, our clinical system provider has implemented a technical solution which will enable us to identify any data opt outs and apply them. We will also hold any procedures and policies in place so that we can carry out this task.

 

Bideford Medical Centre participates in local research projects which facilitate research into specific medical conditions, but these only include your data with your direct explicit consent. For further information on compliance with the national data opt out policy please visit:

https://digital.nhs.uk/services/national-data-opt-out/compliance-with-the-national-data-opt-out

Cancer Registry:

The National Cancer Registration and Analysis Service is run by Public Health England and is responsible for cancer registration in England, to support cancer epidemiology, public health, service monitoring and research. Further information regarding the registry and your right to opt-out can be found at:

https://www.gov.uk/guidance/national-cancer-registration-and-analysis-service-ncras

Right to rectification:

You have the right to have any errors or mistakes corrected within your medical records. This applies to matters of fact, not opinion. If the information is of clinical nature, this will need to be reviewed and investigated by the practice. If you wish to have your records amended, please contact Mrs L Watts – Deputy Practice Manager.

 

If your personal information changes, such as your contact address or number, you should notify the practice immediately so that we can update the information on our system. We will also ask you from time to time to confirm the information we hold for you is correct.

Right to erasure:

The practice is not aware of any circumstances in which you will have the right to delete correct data from your medical record, which the practice is legally bound to retain. However, you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the data, and to contact the practice if you hold a different view.

Right to complain:

We take all suggestions, concerns and complaints very seriously. Our aim is to provide the highest standard of care, and we follow a consistent and fair process when handling any issues raised by our patients.

Although we prefer complaints to be made in writing (as this helps us to investigate thoroughly and provide a detailed response), we are also happy to discuss concerns with patients over the telephone or in person. Written complaints can be addressed to our Operations Manager, Mrs Z. Smale, and emailed to: bideford.systmone@nhs.net (please mark for her attention in the subject line).

We will acknowledge your complaint promptly and investigate it in line with the NHS complaints procedure. You will be kept informed throughout the process, and we will provide a full response once our investigation is complete.

You also have the right to complain to the Information Commissioner’s Office. If you wish to complain follow this link: https://ico.org.uk/global/contact-us/ or call the helpline on 0303 123 1113.

Data outside the EEA

We do not send your personal data outside of the EEA. However, if this is required, the practice would only do so with your explicit consent.

Data Protection Officer

The Data Protection Officer for the practice is Bex Lovewell and she can be contacted via email on d-ccg.deltdpo@nhs.net or by post: Delt Shared Services Limited, BUILDING 2 – Delt, Derriford Business Park, Plymouth, PL6 5QZ.

Cookies

The practice’s website uses cookies. A cookie is a small file, typically of letters and numbers, downloaded on to a device (like your computer or smart phone) when you access certain websites. Cookies allow a website to recognise a user’s device. Some cookies help websites to remember choices you make (e.g. which language you prefer if you use the Google Translate feature). Analytical cookies help us measure the number of visitors to our website. The two types the practice uses are ‘Session’ and ‘Persistent’ cookies.

 

Some cookies are temporary and disappear when you close your web browser, others may remain on your computer for a set period of time. We do not knowingly collect or intend to collect any personal information about you using cookies. We do not share your personal information with anyone.

What can I do to manage cookies on my devices? Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit https://www.allaboutcookies.org/

Changes to privacy notice

The practice reviews this privacy notice regularly and may amend the notice from time to time. If you wish to discuss any elements of this privacy notice, please send an email to bideford.systmone@nhs.net and mark it for the attention of the Practice IT Manager.
