Privacy Notice and GDPR

The purpose of this Privacy Notice is to let you know how we collect, use, share, transfer and otherwise process information about you.  

Who are we?

Company: Chime Social Enterprise
Address: Royal Devon & Exeter Hospital (Wonford),
Barrack Road,

Senior Information Risk Officer: Jonathan Parsons
Data Protection Officer: Anna Trotter
Caldicott Guardian: Murray Meikle

Contact email:

We are committed to protecting your personal information, otherwise known as data, to maintain your trust and confidence in us.  We are registered with the Information Commissioners Office (ICO) and we are a Data Controller.  We will process and store personal data in accordance with the provisions of the Data Protection Act and the General Data Protection Regulations (GDPR).

Personal data is any information that relates to a natural living person who can be identified from the data. Personal data may also include special category data (previously known as sensitive personal data) which relates to you, this may include the following:

• Racial
• Ethnic origin
• Genetic data
• Health data
• Other

We will inform you what category of data we are collecting or that we obtain from any third party concerning you.

What information will we collect about you and why do we process it?
In order for us to provide the services to you we need to collect certain personal data.

We collect the following information:

Personal information about you is collected in a number of ways. This can be from referral details from your GP or another hospital, directly from you or your authorised representative.
We will likely hold the following basic personal information about you: your name, address (including correspondence), telephone numbers, date of birth, next of kin contacts and your GP details, etc. We might also hold your email address, marital status, occupation, and preferred name.

In addition to the above, we may hold sensitive personal information about you which could include:

• Notes and reports about your health, treatment and care, including:

- your medical conditions
- results of investigations, such as hearing or vestibular assessments.
- future care you may need
- personal information from people who care for and know you, such as relatives and health or social care professionals
- other personal information such as any learning disabilities

Whether or not you are subject to any protection orders regarding your health, wellbeing and human rights (safeguarding status).
It is important for us to have a complete picture of you as this will assist staff to deliver appropriate treatment and care plans in accordance with your needs.

We are intent on collecting only the information that is appropriate for the purpose and does not invade your privacy. Where we need to contact you for marketing purposes we will seek additional consent.

What is the lawful basis for processing the data?


In certain circumstances we will require consent to process both personal data and special category data, but it must be explicitly given. Where we are asking you for sensitive personal data we will always tell you why and how the information will be used.

You may withdraw consent at any time by contacting the Data Protection Officer for the company.

Public Interest

Any personal information we hold about you is processed under chapter 2, section 6(1)(e) of the Data Protection Act 2018 (subject to parliamentary approval).

How will we use that data that we collect about you?

We will process the information you provide to us in a manner which is compatible with the EU’s GDPR. We will use all reasonable efforts to keep your information accurate and up to date and not keep it for longer than is necessary.

Your records are used to directly, manage and deliver healthcare to you to ensure that:

The staff involved in your care have accurate and up to date information to assess and advise on the most appropriate care for you.
Staff have the information they need to be able to assess and improve the quality and type of care you receive.
Appropriate information is available if you see another healthcare professional, or are referred to a specialist or another part of the NHS, social care or health provider.
The personal information we collect about you may also be used to:

Remind you about your appointments and send you relevant correspondence.
Review the care we provide to ensure it is of the highest standard and quality, e.g. through audit or service improvement;
support the funding of your care, e.g. with commissioning organisations;
Prepare statistics on NHS performance to meet the needs of the population or for the Department of Health and other regulatory bodies;
Help to train and educate healthcare professionals;
Report and investigate complaints, claims and untoward incidents;
Report events to the appropriate authorities when we are required to do so by law;
Review your suitability for research study or clinical trial;
Contact you with regards to patient satisfaction surveys relating to services you have used within our hospital so as to further improve our services to patients
Where possible, we will always look to anonymise/ pseudonymise your personal information so as to protect patient confidentiality, unless there is a legal basis that permits us to use it and we will only use/ share the minimum information necessary.

Do we share that data with anyone else?

We may need to share relevant personal information with other NHS organisations. For example, we may share your information for healthcare purposes with health authorities such as NHS England, Public Health England, other NHS trusts, general practitioners (GPs), ambulance services, primary care agencies, etc. We will also share information with other parts of the NHS and those contracted to provide services to the NHS in order to support your healthcare needs.

We may need to share information from your health records with other non-NHS organisations from which you are also receiving care, such as Social Services or private care homes. However, we will not disclose any health information to third parties without your explicit consent unless there are circumstances, such as when the health or safety of others is at risk or where current legislation permits or requires it.

There are occasions where Chime Social Enterprise is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

There may also be situations where we are under a duty to share your information, due to a legal requirement. This includes, but is not limited to, disclosure under a court order, sharing with the Care Quality Commission for inspection purposes, the police for the prevention or detection of crime or where there is an overriding public interest to prevent abuse or serious harm to others and other public bodies (e.g. HMRC for the misuse of public funds in order to prevent and detect fraud).

For any request to transfer your data internationally outside the UK/EU, we will make sure that an adequate level of protection is satisfied before the transfer.

Chime Social Enterprise is required to protect your personal information, inform you of how your personal information will be used, and allow you to decide if and how your personal information can be shared. Personal information you provide to Chime Social Enterprise in confidence will only be used for the purposes explained to you and to which you have consented. Unless, there are exceptional circumstances, such as when the health or safety of others is at risk, where the law requires it or there is an overriding public interest to do so. Where there is cause to do this, the Chime Social Enterprise will always do its best to notify you of this sharing.

How long will we keep your data?

We will not keep your data for longer than is necessary for the purposes of the processing. We keep some data for the length of time determined by statue and other data is kept in accordance with recommended guidelines by the relevant authority.

What rights do you have as a data subject?

As an Individual you have the right to be informed about the collection and use of your personal data. This is a key transparency requirement under the GDPR.

The right to be informed
The right of access – you have a right to access the information we hold about you.
The right to rectification – you have the right to correct the data that we hold about you that is incomplete or inaccurate.
The right to erasure – under certain circumstances you can ask us to delete data that we hold about you.
The right to restrict processing – you can ask us to restrict the processing under certain circumstances.
The right to data portability – you have the right to request that we transfer information about you to another organisation.
The right to object – you have the right to object to certain types of processing.
Rights in relation to automated decision making and profiling.
In order to exercise your rights, you need to contact us and we will send you a subject access request form.

Can I withdraw consent?

Yes, you can withdraw consent at any time. Please contact the Data Protection representative as above to request a withdrawal of consent.

How do I find out what data is being held about me?

You are entitled to see the information held about you and you may ask us to make any necessary changes to ensure that it is accurate and kept up to date. If you wish to do this, or you have a complaint please contact us at the email address above. There is no charge for this service.

You need to submit a Subject Access Request to us and we can confirm what information we hold about you and how it is processed. If we do hold personal data about you, you can request the relevant information, including the following:

The identity and contact details of the person or organisation that is processing your personal data.
The contact details of our Data Protection Officer or Manager, where appropriate, or the company’s representative.
The reason and the legal basis for the processing.
Whether the processing is based on legitimate interest.
The categories and special categories of data.
How long the data will be stored for.
Whether the provision of the personal data is a contractual requirement or a statutory one and whether and what the consequences are if the individual fails to provide the relevant data.
Any details of automated decision making, such as profiling and any relevant information about the logic involved in the decision-making process, including the significance and expected consequences of the processing.

Who do I complain to if I’m not happy?

If you wish to complain about how your personal data is being processed by us or any third party that processes data on our behalf, or how your complaint has been handled by us, you can complain by contacting us on the details above or direct to the supervisory authority:

Information Commissioners Office
Tel: 0303 123 1113

Online at:

May 2018

Copies of our Data Security and Protection policies are available on written request.

Document Control and Change History
We keep our Privacy Notice under regular review, it was last updated as seen below.

Change History



Description of Change

Date of Review

Next Review



Full Version


May 2019



Governance Officers added


Jan 2023



Reviewed, no changes


Jan 2024



Reviewed, no changes


Jan 2025