General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a new law that determines how your personal data is processed and kept safe, and the legal rights that you have in relation to your own data.
The regulation applies from 25 May 2018, and will apply even after the UK leaves the EU.
What GDPR Will Mean For Patients
The GDPR sets out the key principles about processing personal data, for staff or patients:
- Data must be processed lawfully, fairly and transparently
- It must be collected for specific, explicit and legitimate purposes
- It must be limited to what is necessary for the purposes for which it is processed
- Information must be accurate and kept up to date
- Data must be held securely
- It can only be retained for as long as is necessary for the reasons it was collected
There are also stronger rights for patients regarding the information that practices hold about them. These include:
- Being informed about how their data is used
- Patients to have access to their own data
- Patients can ask to have incorrect information changed
- Restrict how their data is used
- Move their patient data from one health organisation to another
- The right to object to their patient information being processed (in certain circumstances)
How We Use Your Information
Your information will be held by Devon Doctors Group. This privacy notice is to let you know how the group will undertake to look after your personal information. This includes what you tell us about yourself and what we learn in the course of providing you with care or treatment. This notice also tells you about your privacy rights and how the law protects you.
Who We Are
Mayflower Medical Group is part of the Devon Doctors Group, an organisation made up of all the partly and wholly owned companies owned by Devon Doctors Limited, which is a not-for-profit social enterprise, owned by the GP practices of Devon. Devon Doctors Group hold contracts for healthcare services including:
Devon Doctors Limited provides GP out-of-hours services in Devon, as part of the integrated urgent care service for the county and now also provides the out-of-hours service in Somerset. Other contracts include district nurse message handling in Devon and end-of-life and palliative care services such as the EpPaCCS end-of-life register.
Access Dental provides out-of-hours and prison dental care and treatment, including emergency dental helplines and waiting list support, in Devon and Somerset.
Access Health Care provides primary care services including:
- Clock Tower surgery in Exeter and the Mayflower Group in Plymouth
- Appointment and referral services including physiotherapy and the Special Allocation Scheme for violent patients in Devon, Cornwall and Somerset.
Our registered address is:
Sowton Industrial Estate
Telephone: 01392 822345
You may be interested to know that privacy information is also available on our website in other formats to make this information as widely accessible as possible.
When You Contact Us By Phone
We record all calls made to and from this organisation.
The following patient announcement is provided to all callers accessing our service via our patient lines:
All telephone calls to and from our organisation are recorded for your protection, and for monitoring purposes. They may be used for training and audit purposes to maintain our quality and high standards. Patient confidentiality is important. However, in certain circumstances, it may be necessary to share your details with third parties including health and social care professionals.
How The Law Protects You
Your privacy is protected by legislation and below is an explanation of how this works in practice.
The law says that we are allowed to use personal information only if we have good reason to do so and this includes sharing it outside Devon Doctors Group. The law says we must have one or more of these reasons to process your data. The law requires us to have a separate reason for processing special category data such as health data. These reasons are grouped and summarised below.
|Any Type of Personal Data||Special Category Data, e.g. Medical Information|
|Performing a public interest task||With your explicit consent|
|Legal obligation||Protecting your other vital interests|
|Protecting your or other vital interests||Defend legal claims|
|With your consent||Medical purposes|
|For entering into a contract||Research purposes|
The table below lists the individual purposes for which we may use your data and identifies the reason or legal basis on which the law permits us to do this.
|What We Use Your Information For||Our Reason / Legal Basis|
|To inform the decisions made about your care||Public interest task /|
|To help ensure that your treatment and advice, and the treatment of others is safe and effective||Public interest task / medical purpose / vital interests|
|To help us work effectively with other organisations and healthcare professionals who may be involved in your care||Public interest task /|
|We send it to your registered GP practice so that your GP, nurse, or other medical professionals involved in your care can assess your health and any care you may need||Public interest task / medical purpose|
|Help us to thoroughly investigate any feedback, including patient surveys, or concerns you may have about the contact with our service||Public task / substantial public interest|
|Provided to other health professionals involved in your direct care, eg specialist in an acute hospital||Public interest task /|
|Help us to investigate complaints, legal claims, and untoward events||Public task / substantial public interest / legal claims|
|Supply data to help plan and manage services; check that the care being provided is safe; prevent infectious diseases from spreading||Legal obligation / public interest task / medical purpose|
|Help us conduct clinical audit to ensure we are providing a safe, high quality service and support the provision of care by other healthcare professionals||Public interest task / medical purpose|
|To facilitate payment for dental treatment or NHS prescriptions||For entering into a contract|
|To participate in national screening programmes||Public interest task / medical purpose|
|To support medical research when the law allows us to do so, eg to learn more about why people get ill and what treatments might work best||Public interest task / research / medical purpose|
|To support safeguarding for patients who, for instance, may be particularly vulnerable to protect them from harm or other forms of abuse||Public interest task / vital interest / medical purpose|
|Using risk profiling tools to help in the identification of patients at risk of particular diseases or unplanned hospital admissions||Public interest task /|
|For an administrative purpose to help manage how we provide you with services, eg where you nominate individuals to manage your appointments on your behalf||Consent|
|To inform our clinicians and support staff of any relevant factor which may pose a risk to their wellbeing while delivering care to patients. This is to fulfill our duty of care to staff.||Legitimate interest|
|To process requests you make to access your personal data||Legal obligation / substantial public interest / statutory purposes|
National Data Opt-out Programme
Mayflower Medical Group is one of many organisations working in the health and care system to improve care for patients and the public. Whenever you use a health or care service, such as attending Accident & Emergency or using community care services, or one of our practices, important information about you is collected to help ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness. All of these help to provide better health and care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.
You have a choice about whether you want your confidential patient information to be used in this way.
To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit the NHS website for more information. If you do choose to opt out you can still consent to your data being used for specific purposes.
If you are happy with this use of information you do not need to do anything. You can change your choice at any time.
Groups Of Personal Information
This explains the different types of personal information that are covered by data protection law.
We use different kinds of personal information. The groups are all listed here so that you can see what categories of information we hold about you.
|Type Of Personal Information||Description|
|Contact||Name, contact details and address|
|Medical||Record of treatment or care received. Medical diagnosis, referrals and history of prescribed medicine|
|Transactional||Details of any payments you have made, including payments for out-of-hours dental treatment or prescriptions|
|Locational||Where you received treatment or care; the address where you connect a computer to the internet|
|Communication||This includes correspondence or online submissions relating to concerns, complaints, or feedback about the services you have received. All telephone calls received by the organisation are recorded|
Where We Collect Your Data From
We collect data that you provide to us when you:
- Contact us by phone
- Complete a paper or electronic form
- When you receive treatment or care from us
- Visit our websites
We also receive information about you from other sources to ensure that we provide you with effective and comprehensive treatment as well as the delivery of other services we may provide. These sources include:
- GP practices
- NHS trusts
- Clinical commissioning groups
- Social networks [for instance if you communicate with us through Facebook or Twitter]
- NHS Digital
- NHS England
- Local authorities
- Third party suppliers of software services (e.g. eConsult)
How Long We Retain Your Records
We only hold on to your information for as long as is necessary and in line with the Retention Schedule of the NHS Records Management Code of Practice for Health and Social Care 2016. Please go to the NHS Digital website for more information about how long we retain certain types of personal data.
If You Choose Not To Give Personal Information
You can choose not to give us personal information. In this section we explain the effects this may have.
In some instances we may require your consent to collect personal information about you. If you choose not to give it to us it may, in some instances, delay or prevent us from providing you with a service. For instance we may be unable to follow up or deal effectively with any concerns or complaints you have reported to us. We may sometimes ask for information that is useful, but not essential. We will make this clear when we ask for it. You do not have to give us these extra details and it won’t affect the care or treatment you receive from us.
This section contains a link to our Cookies Policy.
Cookies are small computer files that get sent down to your PC, tablet or mobile phone by websites when you visit them. They stay on your device and get sent back to the website they came from, when you go there again. Cookies store information about your visits to that website, such as your choices and other details. Some of this data does not contain personal details about you but it is still protected by this Privacy notice.
Your Data – Your Rights
The following sections contain information about how you can exercise your rights to have control over the personal data we hold on you.
How to complain
This section gives details of how to contact us to make a complaint about data privacy. It also shows you where you can get in touch with the Information Commissioner's Office (ICO), which is the UK supervisory authority and regulates data protection law.
Please let us know if you are unhappy with how we have used your personal information. You can contact us at firstname.lastname@example.org or by writing to the Governance Team at the above registered office address.
You also have the right to complain to the regulator, and to lodge an appeal if you are not happy with the outcome of a complaint by using the ICO’s ‘report a concern’ page. Alternatively you can contact them in writing at:
Information Commissioner's Office
or by telephone on 0303 123 1113.
How to withdraw your consent
If we are using your consent as the basis for processing your data you have the right to withdraw it at any time. Once you have indicated that you no longer give consent we will cease to process it for this purpose. Please note that this will only apply in circumstances where we are relying on your consent to use your personal data. Please also be aware that if you withdraw your consent, we may in certain circumstances not be able to provide certain services to you. If this is the case, we will tell you.
Letting us know if your personal information is incorrect
Here you can find out how to contact us if you think the information we hold for you is wrong, incomplete or out of date. You have the right to question any information we have about you that you think is incorrect. We’ll take reasonable steps to check this for you and correct it.
If you want to do this please contact us at email@example.com or by writing to the Governance Team at the above registered office address.
How to get a copy of your personal information
You can request a copy of the information we hold about you by writing in to us. You will need to provide forms of identification. The service is free of charge, although the law permits us to charge in certain limited circumstances, and we will let you know if this is the case. You can read more about requesting your data by going to the link.
What if you want us to stop using your personal information?
This section explains about your right to object and other data privacy rights you have – as well as how to contact us about them.
You can object to us keeping or using your personal information. This is known as the ‘right to object’.
You can also ask us to delete, remove, or stop using your personal information if there is no need for us to keep it. This is known as the ‘right to erasure’ or the ‘right to be forgotten’.
Please be aware that this is not an absolute right and there may be reasons why we cannot comply with your request. However, please tell us if you think that we should not be using it.
We may sometimes be able to restrict the use of your data. This means that it can only be used for certain things, such as legal claims or to exercise legal rights.
You can ask us to restrict the use of your personal information if:
- It is not accurate
- It has been used unlawfully but you don’t want us to delete it
- It is not relevant any more, but you want us to keep it for use in legal claims
- You have already asked us to stop using your data but you are waiting for us to tell you if we are allowed to keep on using it
If we do restrict your information in this way, we will not use or share it in other ways while it is restricted.
If you want to object to how we use your data, or ask us to delete it or restrict how we use it, please contact us at firstname.lastname@example.org or by writing to the Governance Team at the above address.
Who we may share information with
Sometimes we need to share your information with other organisations. For example, you may be receiving care from social services and we may need to share information about you so we can co-operate with partner agencies for your benefit. In most cases we will not require your consent to do this.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it. Anyone who receives information from us is also under a legal duty to keep it confidential and secure.
Please be aware that when assisting the police with the investigation of a serious crime, or if there are concerns regarding child protection/vulnerable adults, it may be necessary for us to share your personal information with external agencies without your knowledge or consent.
We may also share information with organisations such as:
- NHS Trusts [eg hospitals]
- Clinical commissioning groups
- Community / district nurses
- The ambulance or other emergency services
- General Practitioners
- Local authorities
- Multi-Agency Safeguarding Hub [MASH]
- NHS 111
- The Care Quality Commission, ICO and other regulated auditors
- Public Health England
- NHS Digital
- Non-NHS health care providers
Furthermore in supporting the treatment and care we deliver to our patients we engage the professional services of other organisations to assist us in delivering our objectives. This may sometimes require the need for these organisations to process personal data on our behalf. Please note that your information will only be used in support of the purposes for processing your data, which have been listed in the table above and only under our instruction. We have contractual or similar agreements with these organisations which strictly govern how any personal data is used. Under no circumstances will your data be used for any marketing purposes.
The organisations that may process personal data on our behalf are from the following sectors:
- Auditing and consultation services
- Call handling service 111
- Courier services
- Information Management services [eg secure data destruction]
- IT system support services [eg clinical systems and office support]
- Legal services
- Payment card services [to facilitate card payment transactions]
- Scanning and data storage services
- Translation services
The following organisations also process data on behalf of the practice in conjunction with patient services:
AccuRX provide digital software services to the practice as part of the provision of direct care. Further information can be found at www.accurx.com.
Ardens Healthcare Informatics
Ardens HI provide data entry templates for use and storage within practice based clinical systems as part of accuracy in coding patient diagnostics. Further information can be found at www.ardens.org.uk.
Clarity (TeamNet) provide IntraNet based services for practices for storage of practice based documents. Further information can be found at www.clarity.co.uk.
DataSharp provide telephony based services to the practice, including the hosting of calls via IP and the recording of calls and relevant reporting data. Further information can be found here www.datasharp.co.uk.
Devon Referral Support Services
Part of NHS Devon CCG to process patient referrals as part of onward care www.devonccg.nhs.uk.
Providing mass mailing services on behalf of the practice www.cfhdocmail.com.
Risk stratification tool for Management of Diabetes and other health care conditions. Please view the GDPR Compliance booklet for more information.
Online triage consultation tool. Further information for this purpose can be found on the eConsult website.
TV display/check in system. Further information can be found at www.deltservices.com.
GPES Data Extraction for Pandemic Planning and Research (COVID 19)
The purpose of this data collection is to respond to the intense demand, from across a wide range of interested parties, for General Practice data to be shared in support of vital planning and research for COVID-19 purposes, including under the legal notices issued by the Secretary of State under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI). Further information including the scope, legal basis and DPN for this purpose can be found here
ICE are carrying out insight research on behalf of Devon Digital Accelerator programme to explore attitudes and beliefs towards e-Consult and to understand patients’ needs in relation to accessing primary care in Devon. The findings will inform a local engagement approach designed to support patients to access the care and guidance they need when they need it. More information can be found at www.icecreates.com.
Electronic report completion and medical record redaction
INR Star (LumiraDX Care Solutions)
Anticoagulant result processing software www.lumiradxcaresolutions.com.
Digital Dictation Software www.lexacom.co.uk.
M8 Health Monitors
Lifestyle and health questionnaire terminals located in the practice. www.keito.com.
Mass text messaging and appointment reminder system www.mjog.com.
Diagnostic software utilised for ECGs www.numed.co.uk.
Pharmacy led intervention software to reduce medication prescribing errors, in conjunction with University of Nottingham. More information can be found here: www.nottingham.ac.uk.
Silicon Practice (website)
Mayflower Medical Group’s Practice website provider www.siliconpractice.co.uk.
South West Academic Health Science Network (SWAHSN)
A limited company working to improve health and patient experience in regional locations through support and acceleration of innovation and quality improvement in healthcare provision: www.swahsn.com.
TPP provide the patient clinical system for the practice: www.tpp-uk.com.
General Practice Data for Planning and Research Data Collection (GPDfPR)
As well as using your information to support the delivery of care to you, your data may be used by NHS Digital to help improve the way health and social care is delivered to patients and service users throughout England. From the 1st July 2021, NHS Digital will securely extract your information to provide access to patient data to the NHS and other organisations who need to use it, to improve health and social care for everyone.
NHS Digital will primarily use your information in a way that does not identify you (your information will be pseudonymised). However, they will be able to use their software to identify you in certain circumstances, and where there is a valid legal reason to do so. NHS Digital may also share your information with third parties such as Local Authorities, primary care networks (PCNs), clinical commissioning groups (CCGs), research organisations, including universities, charities and pharmaceutical companies.
At the time of publication (May 2021), patients who have a “type 1” opt-out will be excluded from this programme and will not have their data extracted for this purpose.
Further information about GPDfPR can be found on the NHS Digital website.
We will rely on Legal Obligation (Article 6(1)(c)), Health and Social Care (Article 9(2)(h)) and Public Health (Article 9(2)(i)) as the legal basis for processing your data for this purpose.
The Practice may collect, hold and share information about you in relation to the COVID-19 pandemic in order to plan and manage services, check that care is being provided and prevent COVID-19 from spreading. Information about your COVID-19 status may be shared within the NHS and with other partners involved in your care and treatment, along with:
- NHS England
- NHS Digital
- Public Health England
- The Department of Health
- Other Government Departments where it’s legally required, or where it is necessary for the protection of public health or management of the outbreak.
Processing of data for the purpose of public protection
The organisation may provide information to, and receive information from, other agencies for the purpose of protecting the public from individuals who may pose a risk eg MAPPA. The organisation may process this information either as a public task function or because it has a legal duty to do so. Further information, including the other agencies involved in the data sharing, can be found here.
Not a patient but perhaps a relative, friend, next of kin or otherwise have an involvement with a patient?
It is possible that we also hold information about you as part of someone else’s record. The nature of the information held about you will depend on the circumstances in which the information was collected. For instance, if you have been named as a patient’s next of kin we will hold your name and a means of contacting you such as a phone number or address. Under data protection law, you will be entitled to receive a copy of this information unless there is good reason not to provide it.
If our clinicians are attending a call-out to a patient they will carry a ‘lone worker’ device that is designed to keep them safe. When activated, which will only be in the event that they or someone else is at risk of harm or otherwise threatened, an alarm will be relayed to an external call centre provider which will monitor and record the audio received and if necessary direct assistance to them. The audio recordings are not designed to capture any medical information and would only be retained, where necessary, for the purpose of an investigation.
Devon Doctors Group will be processing this data on the basis of Legitimate Interest. If you have any questions around how this affects your personal data please contact our DPO using the contact details below.
Sending data outside of the European Economic Area [EEA]
In the normal course of our business we do not send personal data outside the EEA. However in the event that this is required we would only do it with your explicit consent.
Data Protection Officer
Devon Doctors Group has appointed a Data Protection Officer and they can be contacted at email@example.com or by post:
Data Protection Officer
Devon Doctors Ltd
Covid-19 and your information
Supplementary COVID-19 privacy notice for patients
This supplementary notice describes how we may use your information to protect you and others during the Covid-19 outbreak.
The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.
Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arm's Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data.
During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.
In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals, Clinical Commissioning Group and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.
During this period of emergency we may offer you a consultation via telephone or video-conferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.
We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response can be found on the How data is supporting the COVID-19 response page.
NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.
In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards. We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.