Privacy Policy

Privacy Notice

  1. Medefer has been set up by NHS Specialist Consultants to enhance and improve the NHS services. Medefer empowers GPs to easily gain Specialist Consultant support in your care. This may mean that on many occasions, your GP can diagnose and treat you without you having to wait several weeks to see a consultant at the hospital. On the other hand, if a hospital is required, the Consultant may advise your GP to carry out some tests whilst you are waiting for your hospital appointment. This way, when you do visit the Consultant, you will receive the most appropriate treatment the first time, without further delays.
  2. Medefer is the custodian of personal information relating to your medical treatment, and will only use your information in accordance with all applicable law and guidance. This Privacy Notice provides you with a detailed overview of how we will manage your data from the point at which it is gathered and onwards, and how that complies with the law. Medefer will use your personal information to provide you with care and treatment.
  3. In addition, you have a number of rights as a data subject. You can, for instance, seek access to your medical information, object to us using your information in particular ways, request rectification of any information which is inaccurate or deletion of information which is no longer required (subject to certain exceptions). This Privacy Notice also sets out your rights in respect of your personal information, and how to exercise them.


  1. This Privacy Notice sets out details of the information Medefer may collect from you and how that information may be used. Please take your time to read this Privacy Notice carefully.
  2. If you have any queries, comments or concerns about any information in this privacy notice, please contact Medefer at or 08000 112 113.

Your personal data

  1. Medefer is the Data Controller in respect of your personal information which we hold about you relating to your medical treatment. We must comply with the data protection legislation and relevant guidance when handling your personal information.

What personal information does Medefer collect and use from patients?

  1. Medefer will obtain, hold and use the following information about you:
    1. Name
    2. Contact details, such as postal address, email address and telephone number (including mobile number)
    3. Occupation
    4. Emergency contact details, including next of kin
    5. Background referral details

Special Categories Personal Information

  1. Medefer will hold information relating to your medical treatment which is known as a special category of personal data under the law, meaning that it must be handled even more sensitively. This may include the following:
    1. Details of your current or former physical or mental health, including information about any healthcare you have received from other healthcare providers such as GPs, or NHS hospitals which may include details of clinic and hospital visits, as well as medicines administered.
    Medefer will hold information about you such as:
    1. Details of services you have received from us
    2. Details of your nationality, race and/or ethnicity
    3. Details of your religion
    4. Details of any genetic data or biometric data relating to you
    5. Data concerning your sex life and/or sexual orientation
  2. The confidentiality of your medical information is extremely important, and the company adheres to and often exceeds the high NHS security standards to ensure that your information is kept secure and confidential.
  3. From 25 May 2018, the current Data Protection Act will be replaced by the EU General Data Protection Regulation (GDPR) and a new Data Protection Act. All uses of your information will comply with the GDPR and the new Data Protection Act from that date onwards

How does Medefer obtain your information?

  1. Medefer will collect information about you from your GP and from other NHS hospitals.

How will Medefer communicate with you?

  1. We may communicate with you in a range of ways, including by telephone, SMS, email, and / or post. If we contact you using the telephone number(s) which you have provided (landline and/or mobile), and you are not available which results in the call being directed to a voicemail and/or answering service, we may leave a voice message on your voicemail and/or answering service as appropriate, and including only sufficient basic details to enable you to identify who the call is from, very limited detail as to the reason for the call and how to call us back.
  2. However to ensure that we provide you with timely updates and reminders in relation to your healthcare (including basic administration information and appointment information (including reminders)), we may communicate with you by SMS and/or unencrypted email (where you have provided us with your SMS or email address). We will communicate with you following your expressed preference in the patient registration form.
  3. Please note that although providing your mobile number and email address and stating a preference to be communicated by a particular method will be taken as an affirmative confirmation that you are happy for us to contact you in that manner, we are not relying on your consent to process your personal data in order to correspond with you about your treatment. As set out further below, processing your personal data for those purposes is justified on the basis that it is necessary to provide you with healthcare service.

What are the purposes for which your information is used?

  1. Each time we use your data we must have a legal justification to do so, which are:
    1. We use your information to deliver a contract of care and treatment to your GP or your local NHS Clinical Commissioning Group (CCG) (article 6(b)).
    2. We will use your information to provide preventive medicine, medical diagnosis, the provision of health care/treatment (article 9(h).
  2. Note that failure to provide your information will mean that Medefer is unable to provide you with healthcare and treatment.

The right to object to other uses of your personal data

  1. You have a range of rights in respect of your personal data, as set out in detailed below. This includes the right to object to us using your personal information in a particular way (such as sharing that information with third parties), and we must stop using it in that way unless specific exceptions apply. This includes, for example, if it is necessary to defend a legal claim brought against us, or it is otherwise necessary for the purposes of your ongoing treatment.

Clinical audit

  1. Medefer may use your information for the purposes of local clinical audit – i.e. an audit carried out by us or an employee of the company to audit the care and treatment provided to patients to ensure that we are providing the best possible care in line with the Care Quality Commission (CQC) strict codes of practice. You can object to Medefer using you information for clinical audit, if you wish to raise an objection, please email us at


  1. From time to time, patients may raise queries, or even complaints, with Medefer. In order to resolve such matters fully Medefer will use your personal information.

Automated Decision Making

  1. An automated decision is a decision made by computer without any human input, and there will be no automated decision-making in relation to your treatment or other decisions which will produce legal or similarly significant effects.

Data Protection Impact Assessments

  1. Medefer is fully compliant with the Data Protection Act 2018 and ensures a Data Protection Impact Assessment (DPIA) has been undertaken against all new processing since May 2018.

International data transfers

  1. Medefer does not store or process information any information about you outside of England, all information is held in encrypted and secure data centres in England.

How long do I keep personal information for?

  1. Medefer will only keep your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice and in order to comply with our legal and regulatory obligations. Medefer complies with the Department of Health Records Management Code of Practice 2016, which details the length of times records in the NHS must be retained.
  2. If you would like further information regarding the periods for which your personal information will be stored, please contact us on

Your rights

  1. Under data protection law you have certain rights in relation to the personal information that we hold about you. These include rights to know what information we hold about you and how it is used. You may exercise these rights at any time by contacting us on

The right to access your personal information

  1. You are entitled to a copy of the personal information we hold about you and details about how we use it.
  2. Your information will usually be provided to you in writing, unless otherwise requested. If you have made the request electronically (e.g. by email) the information will be provided to you by electronic means where possible.
  3. There will not usually be a charge for handling a request to exercise your rights.
  4. If we cannot comply with your request to exercise your rights we will usually tell you why.

The right to rectification

  1. We will take reasonable steps to ensure that the information we hold about you is accurate and complete. However, if you do not believe this is the case, you can ask us to update or amend it.

The right to erasure (also known as the right to be forgotten)

  1. In some circumstances, you have the right to request that we delete the personal information we hold about you. However, there are exceptions to this right and in certain circumstances we can refuse to delete the information. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to manage our business, legal requirement to keep your records, and/or for the purposes of establishing, exercising or defending legal claims.

The right to restriction of processing

  1. In some circumstances, we must "pause" our use of your personal data if you ask us to do so, e.g. while we are updating your records, or considering a request to delete to restrict the use of your information.

The right to complain to the Information Commissioner's Office

  1. You can complain to the Information Commissioner's Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations.
  2. More information can be found on the Information Commissioner’s Office website:
  3. Making a complaint will not affect any other legal rights or remedies that you have.

National Data Opt-Out Programme

  1. NHS Digital is currently developing a national programme which will go live on 25 May 2018, pursuant to which all patients will be able to log their preferences as to sharing of their personal information. All health and care organisations will be required to uphold patient choices, but only from March 2020. In the meantime you should make us aware directly of any uses of your data to which you object.

Updates to this Privacy Notice

  1. We may update this Privacy Notice from time to time to ensure that it remains accurate. In the event that these changes result in any material difference to the manner in which we process your personal data then we will provide you with an updated copy of the Policy.
  2. This Privacy Notice was last updated on 22nd May 2018.