Patient Privacy Notice

1. Medefer has been set up by NHS Specialist Consultants to enhance and improve the NHS services. Medefer empowers GPs and hospitals to easily gain Specialist Consultant support in your care. This may mean that on many occasions, your GP can diagnose and treat you without you having to wait several weeks to see a consultant at the hospital. On the other hand, if a hospital is required, the Consultant may advise your GP to carry out some tests whilst you are waiting for your hospital appointment. This way, when you do visit the Consultant, you will receive the most appropriate treatment the first time, without further delays.

2. Medefer is the custodian of personal information relating to your medical treatment and will only use your information in accordance with all applicable law and guidance. This Privacy Notice provides you with a detailed overview of how we will manage your data from the point at which it is gathered and onwards, and how that complies with the law. Medefer will use your personal information to provide you with care and treatment.

3. In addition, you have a number of rights as a data subject. You can, for instance, seek access to your medical information, object to us using your information in particular ways, request rectification of any information which is inaccurate or deletion of information which is no longer required (subject to certain exceptions). This Privacy Notice also sets out your rights in respect of your personal information, and how to exercise them.


4. This Privacy Notice sets out details of the information Medefer may collect from you and how that information may be used. Please take your time to read this Privacy Notice carefully.

5. If you have any queries, comments or concerns about any information in this document, please contact

Your personal data

6. Medefer is the Data Controller in respect of your personal information which we hold about you relating to your medical treatment. We must comply with the data protection legislation and relevant guidance when handling your personal information.

What personal information does Medefer collect and use from patients?

7. Medefer will obtain, hold and use the following information about you:

a) Name
b) Contact details, such as postal address, email address and telephone number (including mobile number)
c) Occupation
d) Emergency contact details, including next of kin
e) Background referral details

Special Categories Personal Information

8. Medefer will hold information relating to your medical treatment which is known as a special category of personal data under the law, meaning that it must be handled even more sensitively. This may include the following:

a) Details of your current or former physical or mental health,
including information about any healthcare you have received from other
healthcare providers such as GPs, or NHS hospitals which may include details of
clinic and hospital visits, as well as medicines administered

Medefer will hold information about you such as:

b) Details of services you have received from us
c) Details of your nationality, race and/or ethnicity
d) Details of your religion
e) Details of any genetic data or biometric data relating to you
f) Data concerning your sex life and/or sexual orientation

9. The confidentiality of your medical information is extremely important, and the company adheres to and often exceeds the high NHS security standards to ensure that your information is kept secure and confidential.

10. The old Data Protection Act 1998 has been repealed by the General Data Protection Regulation 2018 (GDPR). Therefore, the UK government approved a new Data Protection Act 2018, the Act mirrors GDPR and remains in force after Brexit.

How does Medefer obtain your information?

11. Medefer will collect information about you from your GP, hospital and/or Health Board, and from other NHS hospitals who have treated you, where it is applicable to your referral.

How will Medefer communicate with you?

12. We may communicate with you in a range of ways, including by telephone, SMS, email, and/or post. If we contact you using the telephone number(s) which you have provided (landline and/or mobile), and you are not available which results in the call being directed to a voicemail and/or answering service, we may leave a voice message on your voicemail and/or answering service as appropriate and including only sufficient basic details to enable you to identify who the call is from, very limited detail as to the reason for the call and how to call us back.

13. However, to ensure that we provide you with timely updates and reminders in relation to your healthcare (including basic administration information and appointment information (including reminders), we may communicate with you by SMS and/or unencrypted email (where you have provided us with your mobile number or email address). Medefer will communicate with you in one or more of the following options: letter sent by post and/or email and/or SMS. We may use any or all of these methods to ensure you are promptly informed about your healthcare.

14. Please note that although providing your mobile number and email address and stating a preference to be communicated by a particular method will be taken as an affirmative confirmation that you are happy for us to contact you in that manner, we are not relying on your consent to process your personal data in order to correspond with you about your treatment. As set out further below, processing your personal data for those purposes is justified on the basis that it is necessary to provide you with healthcare service.

What are the purposes for which your information is used?

15. Each time we use your data we must have a legal justification to do so, which are:

a) We use your information to provide NHS services and have official authority to process personal data in the delivery of these services through our commissioning contracts (Article 6 (1)(e).

b) We will use your information to provide preventive medicine, medical diagnosis, the provision of health care/treatment (article 9(h)).

16. Note that failure to provide your information may mean that Medefer is unable to provide you with healthcare and treatment.

The right to object to other uses of your personal data

17. You have a range of rights in respect of your personal data, as set out in detailed below. This includes the right to object to us using your personal information in a particular way (such as sharing that information with third parties), and we must stop using it in that way unless specific exceptions apply. This includes, for example, if it is necessary to defend a legal claim brought against us, or it is otherwise necessary for the purposes of your ongoing treatment.

Clinical audit

18. Medefer may use your information for the purposes of local clinical audit – i.e. an audit carried out by us or an employee of the company to audit the care and treatment provided to patients to ensure that we are providing the best possible care in line with the Care Quality Commission (CQC) [akin to the Care Inspectorate Wales] strict codes of practice. You can object to Medefer using your information for clinical audit, if you wish to raise an objection, please email us at

Queries and complaints

19. From time to time, patients may raise queries, or even complaints, with Medefer. In order to resolve such matters fully Medefer will use your personal information.

Your feedback matters to us

20. We are very keen to learn more about patients experience with Medefer therefore there are 3 ways in which we will collect feedback from you about your experience with Medefer. These are listed below:

– Where you choose to submit your personal details and feedback about your experience via our website

– We may call you on the number we have on record for you and ask you to tell us more about your experience with Medefer, it will be your choice to agree to provide feedback or not.

– After we receive an email from you, we will ask you to rate the assistance you have received from us. The feedback request will be sent automatically to your email after we come back to your initial query.

– We will keep the feedback we collect from you for 2 years; this will then be deleted.

As a company who provide services to the NHS, we are required to use the same patient experience feedback tools as the NHS e.g. Friends and Family survey.  If you do not want to participate or be contacted to provide feedback on our services, please inform a member of the customer service team.

Automated Decision Making

21. An automated decision is a decision made by computer without any human input, and there will be no automated decision-making in relation to your treatment or other clinical decisions.

Data Protection Impact Assessments

22. Medefer is fully compliant with the Data Protection Act 2018 and ensures a Data Protection Impact Assessment (DPIA) has been undertaken against all new processing since May 2018.

How long do I keep personal information for?

23. Medefer will only keep your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice and in order to comply with our legal and regulatory obligations. Medefer complies with the NHSX Records Management Code of Practice, which details the length of times records in the NHS must be retained.

24. If you would like further information regarding the retention periods for which your personal information will be stored, please contact us on

Your rights

25. Under data protection law you have certain rights in relation to the personal information that we hold about you. These include rights to know what information we hold about you and how it is used. You may exercise these rights at any time by contacting us on

The right to access your personal information

26. You are entitled to a copy of the personal information we hold about you and details about how we use it.

27. Your information will usually be provided to you in writing, unless otherwise requested. If you have made the request electronically (e.g. by email) the information will be provided to you by electronic means where possible.

28. There will not usually be a charge for handling a request to exercise your rights.

29. If we cannot comply with your request to exercise your rights we will usually tell you why.

The right to rectification

30. We will take reasonable steps to ensure that the information we hold about you is accurate and complete. However, if you do not believe this is the case, you can ask us to update or amend it.

The right to erasure (also known as the right to be forgotten)

31. In some circumstances, you have the right to request that we delete the personal information we hold about you. However, there are exceptions to this right and in certain circumstances we can refuse to delete the information. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to manage our business, legal requirement to keep your records, and/or for the purposes of establishing, exercising or defending legal claims.

The right to restriction of processing

32. In some circumstances, we must “pause” our use of your personal data if you ask us to do so, e.g. while we are updating your records, or considering a request to delete to restrict the use of your information.

The right to complain to the Information Commissioner’s Office

33. You can complain to the Information Commissioner’s Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations.

34. More information can be found on the Information Commissioner’s Office website:

35. Making a complaint will not affect any other legal rights or remedies that you have.

National Data Opt-Out Programme

36. The National Opt Out provides individuals with the right to opt out of their data being used for research and planning (secondary) purposes.  To register, please refer to: National data opt-out – NHS Digital

Updates to this Privacy Notice

37. We may update this Privacy Notice from time to time to ensure that it remains accurate. In the event that these changes result in any material difference to the manner in which we process your personal data then we will provide you with an updated copy of the Notice.

38. This Privacy Notice was last updated on 05/07/2022

About Cookies

39. Cookies are small files that are placed on a user’s computer, or computerised device, by websites they visit. Cookies are then sent back to the originating website on every subsequent visit by the user. Cookies are widely used to enable websites and/or the applications they run to function, or function more efficiently, and to remember information, either for the duration of a user’s visit (using ‘session cookies’) or repeat visits (“persistent cookies”, which are stored on a user’s browser until a set expiry date or are deleted).

Third Party Cookies

40. This website may use essential or ‘functional’ cookies to enable basic website functionality, which are managed by Squarespace and stored when you visit the website.

41. Medefer may use embedded Google Maps, for which a cookie is stored when you visit the Contact page.

42. Medefer may use embedded Forms by Microsoft, for which cookies may be stored when you visit other pages.

43. This website may use embedded widgets by Freshworks to support customer service when you visit any page. These are managed by Freshworks according to their Privacy Policy.

User Consent

44. Where the cookies used by Medefer are not strictly necessary for the provision of its services, or use of its websites, users will be asked to consent to their use each time they visit a Medefer website.

How Cookies Are Used

45. The cookies that Medefer uses to which consent is required store information to ensure the security of its public website and the continuity of its website visitors’ user experience.

Disabling Cookies

46. Most internet browsers allow a user to prevent the setting of cookies on a user’s device. If a user prevents the setting of cookies on its browser, it may not be able to fully access Medefer’s websites and/or services.