Privacy Policy

How Beacon manages your personal information

Patient Information Privacy Notice

The practice keeps information about you, your health, treatment and care. Health records are held on paper and electronically. We have a legal duty to keep accurate health records. Personal information must be kept confidential and secure in line with Data Protection Legislation and Regulation. Further information on the 8 Caldicott Principles can be found here.

What is personal information?

This is information that can identify you and includes:

  • your name, date of birth, address, phone numbers and email address
  • your hospital number and NHS number
  • information about your health, care, treatment and results of investigations

We may also ask for other information, such as whether you have a disability, your religion or beliefs, sexuality and race. This helps us plan to meet any particular care needs.

Data Protection Legislation and Regulation 

The practice must manage your personal information in line with the:

UK Data Protection Act 18 EU General Data Protection Regulation (GDPR)

We must be clear about the legal basis for processing your information and we record this. Our staff members are trained to handle your information correctly and protect your privacy. We aim to maintain high standards and we regularly check and report on how we are doing. Where we, as a practice, find that we fall below the acceptable standards we investigate and report serious incidents to the Information Commissioner’s Office (ICO).

How do we use your information for direct care?

For Beacon staff to be involved in your treatment we need to have accurate and up to date information to assess your health and provide you with care.  As a GP practice, we have been authorised by the Government to provide healthcare and as such must keep accurate records for this care. Under GDPR our legal basis for holding this information is Article 6(1) (e) and 9(2) (h).

You may receive care from staff from other care organisations – such as Devon Doctors, Livewell South  West and University Hospital Plymouth NHS Trust – and it will be necessary for us to share relevant information with them to insure that your care is optimised.  This will include other health care, social care and educational organisations. Your identifiable information will only be shared for direct care purposes.

The practice will also use carefully selected third party service providers that process data on behalf of the practice. When we use a third party service provider, we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating responsibly to ensure the protection of your data. Examples of functions that may be carried out by third parties includes:

  • Organisations that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate video consultation, appointment bookings or electronic prescription services; document management services etc.
  • Organisations who are delivering services on behalf of the practice (for example conducting Medicines Management Reviews to ensure that you receive the most appropriate, up to date and cost-effective treatments or supporting practices in offering choices of providers and appointments to patients who are being referred via the NHS E-Referral system).
  • Delivery services (for example if we were to arrange for delivery of any medicines to you).
  • Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).

For further information of who we share your personal data with and our third-party processors, please contact the practice.

Identifying patients who might be at risk of certain diseases

Your medical records will be searched by a computer programme so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital. This means we can offer patients additional care or support as early as possible. This process will involve linking information from your GP record with information from other health or social care services you have used. Information which identifies you will only be seen by this practice.

What we do not use your information for

Your health information is never collected for direct marketing and is not sold on to third parties. We do not use your information to make automated decisions with no human intervention.

Providing photographs for your medical records

You may be asked to send a photo to a clinician to help with your care. You will be given instruction to use good lighting and take the image in landscape format (Please do not take a selfie). Also, please use a coin in the image to provide scale. 

By sending this image you consent to us storing the image if clinically needed on your records for use in your medical care. Please ensure all intimate areas are covered.​

Photos are normally requested to be sent via AccuRX or eConsult. 

How long do we keep your health record for?

This personal information forms part of your health record (a lifelong record) and needs to be kept to enable general practice to provide a high standard of care to you. Information is held for specified periods of time as set out in the Records Management Code of Practice for Health and Social Care 2016 – NHS Digital.

How do I know information about me will be kept in a confidential way?

We ensure the security of your information held on our computer systems and areas where paper records are held are robust to prevent unauthorised access.

What are your information rights?

You have a number of rights under the Data Protection Legislation:

  1. To be informed why, where and how we use your information
  2. To ask for access to your information through your medical records
  3. To ask for your information to be corrected if it is inaccurate or incomplete
  4. To ask for your information to be deleted or removed where there is no need for us to continue processing it
  5. To ask us to restrict the use of your information in certain circumstances
  6. In limited circumstances to ask us to copy or transfer your information from one IT system to another
  7. To object to how your information is used
  8. To challenge decisions made without human intervention (automated decision making)

Other uses of your information

Sometimes we need to pass on your information by law, for example:

  • To notify a birth
  • When an infectious disease is encountered that may endanger the safety of others (such as meningitis or measles (but not HIV/AIDS)
  • Where a formal court order has been issued For prevention and detection of crime
  • Where female genital mutilation is diagnosed

How does your information help us to improve services?

We may use your information to help look after the health of the public and to make sure that our services can meet future patient needs. Your information may also be used to help us to:

  • Review the care we provide to ensure it is of the highest standard
  • Teach and train healthcare professionals
  • Audit NHS accounts and services
  • Investigate complaints, legal claims or untoward incidents

National Data Opt-out Programme

NHS Digital is developing a new system to support the national data opt-out which will give patients more control over how identifiable health and care information is used. The system will offer patients and the public the opportunity to make an informed choice about whether they wish their personally identifiable data to be used just for their individual care and treatment or also used for research and planning purposes.

Type 1 opt-out: medical records held at your GP practice

You have the right to object to your confidential patient data being shared for purposes beyond your direct care by asking the practice to apply a Type 1 opt-out to your medical records. A type 1 opt-out prevents personal data about you, being extracted from your GP record, and uploaded to any other organisations without your explicit consent. If you wish for a Type 1 opt-out to be applied to your record, please complete this form.

Telephone Calls

All telephones calls made to and from the surgery are recorded and stored 12 months.

Calls will be used to review complaints and used for staff training or to look at improvements in our services.


Beacon Medical Group is a research active practice and adhere to the NIHR privacy policy. This privacy policy sets out how the NIHR uses and protects any information, including your personal information – that the NIHR collects and receives when you use any of its websites, systems or services.

NIHR Privacy Policy: To view the NIHR’s privacy policy on how your data is used for research, please click the link below.


AccuRx are governed by a Data Processing Agreement and will only act under the instructions of the Data Controller (the Practice). AccuRx have completed the Data Security an Protection Toolkit assurances (under NHS ODS Code 8JT17 and both the Cyber Essentials and Cyber Essentials Plus certification.


The Practice may collect, hold and share information about you in relation to the COVID-19 pandemic in order to plan and manage services, check that care is being provided and prevent COVID-19 from spreading.

Information about your COVID-19 status may be shared within the NHS and with other partners involved in your care and treatment, along with:

  • NHS England,
  • NHS Digital,
  • Public Health England,
  • CCG,
  • The Department of Health,
  • Other Government Departments where it’s legally required, or where it is necessary for the protection of public health or management of the outbreak.

We do not need your consent or agreement to do this.

More information can be found at: and

Our COVID-19 Clinical Risk Assessment Tool

Population Health Analytics

As well as using your information to support the delivery of care to you, your data may be used to help improve the way health and social care is delivered to patients and service users throughout all patinets of Beacon Medical Group using Population Health Management methods. We will only use a pseudonomised extract (ie not identifiable information) which will be sent securely to Livewell and UHP and in partnership with Optum. Please note that at no time will patient identifiable data be used in the delivery of this programme. Patients who have a “type 1” opt- out, will be excluded from this programme and will not have their data extracted for this purpose. I can find here further information about Population Health Management . We will rely on Public interest task as the legal basis for processing your data for this purpose.​

For more information read here

GPES data for pandemic planning and research (COVID-19)

To support the response to the coronavirus outbreak, NHS Digital has been legally directed to collect and analyse healthcare information about patients, including from their GP record, for the duration of the coronavirus emergency period. See GPES data for pandemic planning and research (COVID-19) for more information.

General Practice Data for Planning and Research Data Collection (GPDfPR)

As well as using your information to support the delivery of care to you, your data may be used by NHS Digital to help improve the way health and social care is delivered to patients and service users throughout England. From the 1st September 2021, NHS Digital will securely extract your information to provide access to patient data to the NHS and other organisations who need to use it, to improve health and social care for everyone.

NHS Digital will primarily use your information in a way that does not identify you (your information will be pseudonymised). However, they will be able to use their software to identify you in certain circumstances, and where there is a valid legal reason to do so. NHS Digital may also share your information with third parties such as Local Authorities, primary care networks (PCNs), clinical commissioning groups (CCGs), research organisations, including universities, and pharmaceutical companies.

At the time of publication (May 2021), patients who have a “type 1” opt- out, will  be excluded from this programme and will not have their data extracted for this purpose.  

Further information about GPDfPR can be found here:

We will rely on Legal Obligation (Article (6)(1)(c)), Health and Social Care (Article 9(2)(h)) and Public Health (Article (9)(2)(i)) as the legal basis for processing your data for this purpose.

  • Update your Record of Processing Activities (ROPA) to include this extraction, as part of your DSP Toolkit and Information Asset Owner Compliance document.
  • Finally, become familiar with a patient’s ability to opt-out and what opt-out they would need to apply to prevent their data from being extracted so you can advise them should they have queries:

If a patient does not want their identifiable data to be shared outside of the GP Practice, except for their own direct care, a patient is able to opt-out. If a patient registers a Type 1 opt-out with the practice, their data will not be extracted.

If a patient registers an opt out with the National Data Opt-out, their data will be extracted. However, the National Data Opt-out will be applied on access or dissemination of the data. In this instance, this would mean the information is shared with NHS Digital, but that they will not share it to third parties such as universities and charities.


To ensure you get the right care within the right timeframe, the practice is now using eConsult to gather information about your concern when you call the practice. This involves you answering questions over the phone that you could be asked by a Pharmacist or GP and will likely save you a similar phone call and even a trip to the practice.

When you call the practice, the call handler, with your verbal consent, will enter the information that you provide over the phone into eConsult on your behalf and eConsult will then send this information to the practice for a clinician to review. For further information, including eConsult’s privacy notice, click the following link:

You can also use eConsult via the NHSApp. Further information regarding the role of NHS England and the practice can be found:

Contact for Data Protection Questions or Concerns

If you have any questions or concerns about how we manage your Information then please contact our Data Protection Officer.

Data Protection Officer Beacon Medical Group,
Plympton Health Centre,
Mudge Way,
01752 346634


Bex Lovewell, Data Protection Officer

Bex Lovewell
Data Protection Officer
Delt Shared Services Ltd.
Derriford Business Park

01752 580321 ​


The UK regulator for Data Protection Legislation can be contacted as follows:

Information Commissioner’s Office (ICO
Information Commissioner’s Office
Wycliffe House
Water Lane
03031 231113

Please note the use of a VPN is not supported on our website.

Last Updated: 21/08/20