Medefer has been set up by NHS Specialist Consultants to enhance and improve the NHS services. Medefer empowers GPs and hospitals to easily gain Specialist Consultant support in your care. This may mean that on many occasions, your GP can diagnose and treat you without you having to wait several weeks to see a consultant at the hospital. On the other hand, if a hospital is required, the Consultant may advise your GP to carry out some tests whilst you are waiting for your hospital appointment. This way, when you do visit the Consultant, you will receive the most appropriate treatment the first time, without further delays.
Medefer is the custodian of personal information relating to your medical treatment and will only use your information in accordance with all applicable law and guidance. This Privacy Notice provides you with a detailed overview of how we will manage your data from the point at which it is gathered and onwards, and how that complies with the law. Medefer will use your personal information to provide you with care and treatment.
In addition, you have several rights as a data subject. You can, for instance, seek access to your medical information, object to us using your information in particular ways, request rectification of any information which is inaccurate or deletion of information which is no longer required (subject to certain exceptions). This Privacy Notice also sets out your rights in respect of your personal information, and how to exercise them.
Introduction
This Privacy Notice sets out details of the information Medefer may collect from you and how that information may be used. Please take your time to read this Privacy Notice carefully.
If you have any queries, comments or concerns about any information in this document, please contact data.protection@medefer.com
Your personal data
Medefer is the Data Controller in respect of your personal information which we hold about you relating to your medical treatment. We must comply with the data protection legislation and relevant guidance when handling your personal information. Medefer has appointed a Data Protection Officer who can be contacted by emailing data.protection@medefer.com or writing to our address: Medefer Ltd, 19 Eastbourne Terrace, London, W2 6LG
What personal information does Medefer collect and use from patients?
Medefer will obtain, hold and use the following information about you:
Name
Contact details, such as postal address, email address and telephone number (including mobile number)
Occupation
Emergency contact details, including next of kin
Background referral details
Special Categories Personal Information
Medefer will hold information relating to your medical treatment which is known as a special category of personal data under the law, meaning that it must be handled even more sensitively. This may include the following:
Details of your current or former physical or mental health, including information about any healthcare you have received from other healthcare providers such as GPs, or NHS hospitals which may include details of clinic and hospital visits, as well as medicines administered.
Medefer will hold information about you such as:
Details of services you have received from us.
Details of your nationality, race and/or ethnicity.
Details of your religion.
Details of any genetic data or biometric data relating to you.
Data concerning your sex life and/or sexual orientation.
The confidentiality of your medical information is extremely important, and the company adheres to and often exceeds the high NHS security standards to ensure that your information is kept secure and confidential.
We will comply with data protection law. This means the personal information we hold about you must be:
Used lawfully, fairly and in a transparent manner.
Collected only for the purposes that we have clearly explained to you and not used in a way that is incompatible with those purposes.
Relevant to the purposes we have told you about and limited only to those purposes.
Accurate and kept up to date.
Kept as long as necessary for the purposes we have told you about.
Kept securely.
We are accountable for our data processing activities.
How does Medefer obtain your information?
Medefer will collect information about you from your GP, hospital and/or Health Board, and from other NHS hospitals who have treated you, where it is applicable to your referral. We will collect information provided by you.
If you require a prescription, your NHS Summary Care Record (SCR) will be available to view by the staff involved in your care, unless you have previously opted out of having an SCR. This is to ensure you are prescribed medication safely. Your SCR contains important information from your GP record including current medications, allergies and details of any previous bad reactions to medicines that you have had in the past. Further information such as significant medical history (past and present) may also be included. If you do not want clinical staff involved in your care to access your SCR, please contact Medefer via email patients@medefer.com or call us on 08000 112 113.
How will Medefer communicate with you?
We may communicate with you in a range of ways, including by telephone, SMS, email, and/or post. If we contact you using the telephone number(s) which you have provided (landline and/or mobile), and you are not available which results in the call being directed to a voicemail and/or answering service, we may leave a voice message on your answering service including only sufficient basic details to enable you to identify who the call is from, very limited detail as to the reason for the call and how to call us back.
To ensure that we provide you with timely updates and reminders in relation to your healthcare (including basic administration information and appointment information, including reminders), we may communicate with you by SMS and/or unencrypted email (where you have provided us with your mobile number or email address). Medefer will communicate with you in one or more of the following options: letter sent by post and/or email and/or SMS. We may use any or all of these methods to ensure you are promptly informed about your healthcare. We may use encrypted emails to safeguard information.
Please note that although providing your mobile number and email address and stating a preference to be communicated with by a particular method will be taken as an affirmative confirmation that you are happy for us to contact you in that manner, we are not relying on your consent to process your personal data to correspond with you about your treatment. As set out further below, processing your personal data for those purposes is justified on the basis that it is necessary to provide you with healthcare.
What are the purposes for which your information is used?
Each time we use your data we must have a legal justification to do so. These justifications are:
We use your information to provide NHS services and have official authority to process personal data in the delivery of these services through our commissioning contracts. Article 6 (1)(e).
If you are a Self-Pay patient, we will use your information to deliver contractual services to you. Article 6 (1) (b).
We will use your information to provide preventive medicine, medical diagnosis, the provision of health care/treatment. Article 9(h).
We may also use your personal information in the following ways:
Vital Interests: Article 6 (1) (d) There may be occasions where we rely on the lawful basis of Vital Interests if we need to process personal data to protect an individual’s life.
Legal Obligation: Article 6 (1) (c) Sometimes we are required by law to collect and/or share your information. Examples of this may include to safeguard children or vulnerable adults, where it is in the wider public interest (including public health), detection or prevention of a serious crime, to defend a legal claim, reporting to DVLA, or where required by court order.
Legitimate interests: Article 6 (1) (f) Where processing is necessary for the purposes of our legitimate interests and your interests and fundamental rights do not override those interests.
Consent: Article 6 (1) (a) Consent under data protection legislation will not be the basis for providing you with healthcare services. However, your consent will be sought in certain instances, where we do not rely on another lawful basis to process your information. For example, if you wish to sign up to receive marketing information from us, or to release your information to a third party (who we do not have a lawful basis to share your information with). Where consent is given as the lawful basis for processing your information, your consent can be withdrawn at any time.
Note that failure to provide your information may mean Medefer is unable to fulfil its contractual obligations to provide you with healthcare and treatment.
The right to object to other uses of your personal data
You have a range of rights in respect of your personal data, as set out below. This includes the right to object to us using your personal information in a particular way, and we must stop using it in that way unless specific exceptions apply. Exemptions can include, for example, if it is necessary to defend a legal claim brought against us, or it is otherwise necessary for the purposes of your ongoing treatment.
Medefer may use your information for the purposes of local clinical audit – i.e. an audit carried out by us or an employee of the company to audit the care and treatment provided to patients to ensure that we are providing the best possible care in line with the Care Quality Commission (CQC) strict codes of practice. You can object to Medefer using your information for clinical audit. If you wish to raise an objection, please email us at data.protection@medefer.com
Feedback, queries and complaints
From time to time, patients may raise queries or complaints with Medefer. To resolve such matters fully, Medefer will use your personal information.
Your feedback matters to us. We are keen to learn more about patient experience with Medefer, therefore there are 3 ways in which we will collect feedback from you about your experience of Medefer:
Where you choose to submit your personal details and feedback about your experience via our website.
We may call you on the number we have on record for you and ask you to tell us more about your experience with Medefer; it will be your choice to agree to provide feedback.
After we receive an email from you, we will ask you to rate the assistance you have received from us. The feedback request will be sent automatically to your email after we come back to your initial query.
We will keep the feedback we collect from you for 2 years; this will then be deleted.
As a company that provides services to the NHS, we are required to use the same patient experience feedback tools as the NHS, e.g. the Friends and Family survey. If you do not want to participate or be contacted to provide feedback on our services, please inform a member of the customer service team.
Automated decision making
An automated decision is a decision made by computer without any human input. There is no automated decision-making in relation to your treatment or other clinical decisions.
Data Protection Impact Assessments
Medefer is fully compliant with the Data Protection Act 2018 and ensures a Data Protection Impact Assessment (DPIA) is undertaken against all new processing.
How long does Medefer keep personal information for?
Medefer will only keep your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice and to comply with our legal and regulatory obligations. Medefer complies with the NHS Records Management Code of Practice, which details the length of time records in the NHS must be retained.
If you would like further information regarding the retention periods for which your personal information will be stored, please contact us on data.protection@medefer.com
Your rights
Under data protection law you have certain rights in relation to the personal information that we hold about you. These include rights to know what information we hold about you and how it is used. You may exercise these rights at any time by contacting us on data.protection@medefer.com
The right to access your personal information
You are entitled to a copy of the personal information we hold about you and details about how we use it.
Your information will usually be provided to you in writing, unless otherwise requested. If you have made the request electronically (e.g. by email) the information will be provided to you by electronic means where possible.
There will not usually be a charge for handling a request to exercise your rights.
If we cannot comply with your request to exercise your rights, we will usually tell you why.
The right to rectification
We will take reasonable steps to ensure that the information we hold about you is accurate and complete. However, if you do not believe this is the case, you can ask us to update or amend it.
The right to erasure (also known as the right to be forgotten)
In some circumstances, you have the right to request that we delete the personal information we hold about you. However, there are exceptions to this right and in certain circumstances we can refuse to delete the information. For example, we do not have to comply with your request if it is necessary to keep your information in order to manage our business, to meet a legal requirement to keep your records, and/or for the purposes of establishing, exercising or defending legal claims.
The right to restriction of processing
In some circumstances, we must “pause” our use of your personal data if you ask us to do so, e.g. while we are updating your records, or considering a request to delete or restrict the use of your information.
You can complain to the Information Commissioner’s Office if you are unhappy with the way that we have dealt with your request to exercise any of these rights, or if you think we have not complied with our legal obligations.
More information can be found on the Information Commissioner’s Office website: https://ico.org.uk
Making a complaint will not affect any other legal rights or remedies that you have.
National Data Opt-Out programme
The National Opt-Out provides individuals with the right to opt out of their data being used for research and planning (secondary) purposes. To register, please refer to: National data opt-out – NHS Digital
Data Processors
To assist with giving you the best possible care, we have contracted The Telemarketing Company (TTMC) to help contact our patients to provide support with activity such as booking appointments and completing health questionnaires. Both Medefer and TTMC are based in the UK and all data is held in the UK. Medefer has a contract with TTMC, who process very limited information on its behalf. TTMC hold information security accreditation and process information in line with UK data protection law. Your healthcare record is not accessible to TTMC staff.
We have a contract with Dial-a-Chemist who are registered Pharmacists. A registered pharmacist will check your record to ensure you are being prescribed the correct medication and issue your prescription. Dial-a-Chemist are registered in the UK and are compliant with all UK data protection laws.
We have contracts in place with other providers who will be supporting your care (for example, diagnostic providers). Where we refer you to one of our contracted service providers, only the minimum amount of data will be shared to ensure you can access these services. All providers are registered in the UK and are compliant with UK data protection laws.
If you are a Self-Pay patient we use Stripe for payments, analytics, and other business services. Stripe may collect personal data including via cookies and similar technologies. The personal data Stripe collects may include transactional data and identifying information about devices that connect to its services. Stripe uses this information to operate and improve the services it provides to us, including for fraud detection, loss prevention, authentication, and analytics related to the performance of its services. You can learn more about Stripe and read its privacy policy at https://stripe.com/privacy
Updates to this privacy notice
We may update this Privacy Notice from time to time to ensure that it remains accurate. If these changes result in any material difference to the way we process your personal data then we will provide you with an updated copy of the Notice.
This privacy notice was last updated 27/03/2025
Cookies
Cookies are small files that are placed on a user’s computer, or computerised device, by websites you visit. Cookies are then sent back to the originating website on every subsequent visit by the user. Cookies are widely used to enable websites and/or the applications they run to function, or function more efficiently, and to remember information, either for the duration of a user’s visit (using ‘session cookies’) or repeat visits (“persistent cookies”, which are stored on a user’s browser until a set expiry date or are deleted).
Third party cookies
This website may use essential or ‘functional’ cookies to enable basic website functionality, which are managed by Squarespace and stored when you visit the website.
Medefer may use embedded Google Maps, for which a cookie is stored when you visit the Contact page.
Medefer may use embedded Forms by Microsoft, for which cookies may be stored when you visit other pages.
This website may use embedded widgets by Freshworks to support customer service when you visit any page. These are managed by Freshworks according to their Privacy Policy.
This website uses Microsoft Clarity, Google Analytics and Google Tag Manager to understand user behaviour. This helps us understand how users are interacting with our website and allows us to identify improvements in user experience. It also helps us identify if you have followed a link or sponsored link to our website.
This website uses Google Ads for advertising.
Advertising analytics
We work with specialist advertising platforms to improve the performance of our campaigns. These platforms may use tracking scripts to help us measure website visits that result from digital ads. These scripts are only activated once you have given explicit consent via our cookie banner or preference centre.
No personally identifiable information is shared, and we only work with providers who adhere to UK GDPR standards and provide contractual data protection guarantees.
User consent
Where the cookies used by Medefer are not strictly necessary for the provision of its services, or use of its websites, users will be asked to consent to their use each time they visit a Medefer website.
How cookies are used
The cookies that Medefer uses for which consent is required store information to ensure the security of its public website and the continuity of its website visitors’ user experience.
Disabling cookies
Most internet browsers allow a user to prevent the setting of cookies on their device. If a user prevents the setting of cookies in their browser, they may not be able to fully access Medefer’s websites and/or services.
Medefer newsletters and updates
If you provide your details to receive updates and newsletters from Medefer, your data will be kept secure in a separate database. You can opt out of receiving newsletters at any time by clicking the link in the correspondence. If you opt out, we will mark your record as ‘do not contact’.
Medefer business partners and business enquiries
If you have provided information to us as a business partner or prospective business partner, we use HubSpot to manage our communications and business relations with you. HubSpot has a HubSpot Privacy Policy