Privacy Policy

Information Chelston Hall Surgery Holds About You


As your registered GP surgery, we are the data controller for any personal data that we hold about you.  A data controller is a person, company, or other body that determines the purpose and means of personal data processing.

Chelston Hall Surgery recognise how important it is that our patients are aware of the information we collect about them and how we share this information.

 We use three different types of information:

  1. Person identifiable: information which on its own or with other information can identify you.
  2. Anonymised data: when unique identifiers such as your name and DOB have been removed so the information is no longer 'patient identifiable'. 
  3. Pseudonymised data: where personal information about you is replaced with a code. If this information was shared with a third party they could not identify you.

To ensure your information is kept confidential and that the surgery data is kept safe and secure, all staff receive data protection and information governance training annually. Updates are shared throughout the year when required.

Access to your information

Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:

(a) Your consent. You are able to remove your consent at any time. You can do this by contacting the Practice Manager

 (c) We have a legal obligation.

(d) We have a vital interest.

(e) We need it to perform a public task.

Staff only have access to the information that is needed for them to complete their role within the surgery. Staff access to confidential information is monitored to ensure your confidentiality is maintained.


How to access your records

The Data Protection Act allows you to find out what information about you is held on computer systems, and also in the form of paper records. This is known as a 'right of subject access'. You are entitled to receive a copy of this information and are not required to provide the surgery with a reason for the request; however, timelines may be asked for to ensure that only relevant documentation is copied. Although requests do not have to be in writing, we are permitted to use the SAR form to verify requests and we will request identification to ensure we are satisfied that the person requesting the information is the data subject to whom the data applies.

With regard to third party requests, the person requesting the data holds the responsibility for providing the required authority, and this is usually in the form of a written statement or consent form, signed by the data subject. Records are free to access unless an exception applies.


Information we hold about you in your medical record

  • Personal demographics such as name, DOB, address, contact information, occupation, ethnicity and next of kin.
  • Details on your care, treatment, and any other relevant clinical information such as test results and examinations.
  • Records of your health and wellbeing, this often includes reports from other organisations such as out of hours reports and ED attendances.
  • Details of each contact we have with you in all forms:
    • Written contact
    • Email correspondence
    • Telephone calls
    • Face to face conversations
    • Text messaging

Other information we hold about you

  • Information shared in a public domain i.e. surgery reviews on NHS choices.
  • Emails sent to our secure surgery email addresses. These are kept for a short period of time, up to a maximum of six months, for reference.
  • Contact details for non-medical communications such as PPG updates and newsletters with your consent.

How your records are used

  • To allow informed decisions to be made about your care
  • To ensure that treatment and advice is safe and effective
  • To help the surgery work alongside other organisations and healthcare representatives who may also be involved in your care.
  • Allowing investigations into any feedback or concerns raised with the surgery.
  • Can be available if you see another GP in the surgery, or are referred to a specialist or another part of the NHS for the purposes of direct care.
  • To help in the investigations of complaints, legal claims and significant events.
  • To help with statistics on NHS performance and help with health research and development.
  • Internal audits to improve the surgery's efficiency and service management and thus patient experience.
  • External audits which will allow for local and national benchmarking
  • Sharing of best practice, significant event reviews and management of adverse events.
  • Personal development reviews (mainly clinicians' appraisals).
  • Patient surveys completed by external parties such as NHS England.
  • NHS Screening services - such as cancer screening.
  • To allow text messaging of appointment reminders

How do we keep your records confidential and secure

Everyone working for the NHS has a legal and professional duty to ensure all information is safely and securely protected and kept confidential.


The sharing of your information is strictly controlled. The surgery will not pass on any information without permission unless there are exceptional circumstances, such as a court order. We adhere to the Caldicott Principles to ensure information is assessed and held securely and appropriately.


The surgery operates under secure networks for both our internal and external IT systems. Use of NHS smartcards and audits ensure that only permitted staff are able to access your records and personal information. Paper records and documents are kept in secure locations whereby only those individuals that have a legitimate and legal basis can access them.

Records are only kept for as long as is needed and the surgery work in accordance with national guidelines such as NHS Records Management and Code of Practice. After any records are no longer required they are confidentially and securely destroyed.  For information on how long your information is retained by the surgery please see the link below


Third parties we share information with

Some examples of the third parties we share information with are:

  • NHS Trusts
  • Community and District Nurses
  • Ambulance or other Emergency Service
  • Out Of Hours Service / NHS 111
  • Child and Adult Safeguarding Services
  • Local Authorities
  • The Care Quality Commission (CQC), ICO and other regulated auditors
  • Public Health England

For a full list of third parties please see the link below

Please be aware that the surgery will only ever pass on information about you if others involved in your care have a need for it; or if there is the potential of risk to public safety. Anyone we share information with is under a legal duty to keep it confidential and secure. Information and data sharing agreements ensure that the surgery only share information in a way that complies with the law.

Sharing of Electronic Patient Records within the NHS

Electronic patient records are kept in most places where you receive healthcare.  We use EMIS as our electronic system, which allows your record to be shared securely with other organisations involved in your care such as:

  • GP practices
  • Community services such as district nurses, rehabilitation services, telehealth and out of hospital services.
  • Child health services that undertake routine treatment or health screening
  • Urgent care organisations, minor injury units or out of hours services
  • Community hospitals
  • Palliative care hospitals
  • Care Homes
  • Mental Health Trusts
  • Hospitals
  • Social Care organisations
  • Pharmacies

In addition, NHS England have implemented the Summary Care Record which contains information including medication you are taking and any bad reactions to medication that you have had in the past.

Summary Care Record

Your Summary Care Record is a short summary of your GP medical records. It tells other health and care staff who care for you about the medicines you take and your allergies.


This means they can give you better care if you need health care away from our surgery:

  • in an emergency
  • when you're on holiday
  • when your surgery is closed
  • at out-patient clinics
  • when you visit a pharmacy


You can add more information to your SCR by asking your doctor. They can add extra details from your medical notes, including:

  • health problems like dementia or diabetes
  • details of your carer
  • your treatment preferences
  • communication needs, for example if you have hearing difficulties or need an interpreter


This will help medical staff care for you properly, and respect your choices, when you need care away from your GP surgery. This is because having more information on your SCR means they will have a better understanding of your needs and preferences.


When you are treated away from the surgery, the health care staff there can't see your GP medical records. Looking at your SCR can speed up your care and make sure you are given the right medicines and treatment.


Staff will ask your permission to look at your SCR (except in an emergency where you are unconscious, for example) and only staff with the right levels of security clearance can access the system, so your information is secure. You can ask an organisation to show you a record of who has looked at your SCR - this is called a Subject Access Request.


SCRs improve care, but if you don't want to have one you can opt out by contacting the surgery and requesting this.

Health Risk Screening / Risk Stratification

Health Risk Screening or Risk Stratification is a process that helps your GP to determine whether you are at risk of an unplanned admission or deterioration in health. By using selected information such as age, gender, [NHS number/HCN number/ CHI number], diagnosis, existing long term condition(s), medication history, patterns of hospital attendances, admissions and periods of access to community care your GP will be able to judge if you are likely to need more support and care from time to time, or if the right services are in place to support the local population’s needs.

To summarise Risk Stratification is used in the NHS to:

  • Help decide if a patient is at a greater risk of suffering from a particular condition;
  • Prevent an emergency admission;
  • Identify if a patient needs medical help to prevent a health condition from getting worse; and/or
  • Review and amend provision of current health and social care services.

Your GP will use computer based algorithms or calculations to identify their registered patients who are at most risk, with support from the local Commissioning Support Unit and/or a third party accredited Risk Stratification provider. The risk stratification contracts are arranged by Devon CCG in accordance with the current Section 251 Agreement. Neither the CSU nor your local CCG will at any time have access to your personal or confidential data.  They will only act on behalf of your GP to organise the risk stratification service with appropriate contractual technical and security measures in place.

Your GP will routinely conduct the risk stratification process outside of your GP appointment. This process is conducted electronically and without human intervention.  The resulting report is then reviewed by a multidisciplinary team of staff within the Practice.  This may result in contact being made with you if alterations to the provision of your care are identified.

A Section 251 Agreement is where the Secretary of State for Health and Social Care has granted permission for personal data to be used for the purposes of risk stratification, in acknowledgement that it would overburden the NHS to conduct manual reviews of all patient registers held by individual providers.

Extended Access

As part of our Extended Access Initiative, our patients can book evening and weekend appointments, both here and at other local GP surgeries. To ensure that the Clinician has full access to your medical records, when you book your appointment the Administrator will ask you to consent to sharing your medical records, which will ensure an effective and safe service.

This sharing occurs electronically through our clinical system and the sharing only occurs when you choose to book an appointment at another practice. You will be reminded of this when you book the appointment and your consent to share your medical record is taken.

Your data will be kept secure using the same clinical system used to access your medical record when you visit us for an appointment. The clinician you visit will be required to gain your consent prior to accessing your record. If you change your mind and do not wish to consent, the clinician will only be able to access your Summary Care Record. This will contain limited medical information and will restrict the care that you can be offered. We will be notified of your record being accessed and of any changes made to your medical record. We will review this to ensure any follow up is actioned.

The practices who could be involved in sharing your data are:  Brunel Medical Practice, Catherine House Surgery, Chilcote Surgery, Compass House Medical Centre, Corner Place Surgery, Croft Hall Medical Practice, Dartmouth Medical Practice, Leatside Surgery, Mayfield Medical Centre, Old Farm Surgery, Parkhill Medical Practice, Pembroke House Surgery, Southover Medical Practice, and St Lukes and Greenswood Medical. 

If you have any concerns about this, or object to the sharing of your medical record in this way, please speak to one of our reception team, who will be able to record your decision and change the settings for your record.

Your rights

You have the right to confidentiality and for your information to be used fairly in a way that is safe and secure under the Data Protection Act 2018 and GDPR, common law of duty of confidentiality and other relevant legislation. The Equality Act 2010 may also apply in certain circumstances. You have the right:

  • To know what information we hold about you, what we use it for and who we share it with.
  • To object to information being disclosed to a third party in a form that identifies you, however, there are certain circumstances in which you are unable to object.
  • To access a copy of the information comprised in your medical record
  • To object to processing that is likely to cause or is causing damage or distress
  • To object to decisions being taken by automated means
  • In certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed
  • To claim compensation for damages caused by a breach of the Act.


Objections / Complaints

Should you have any concerns about how your information is managed at Chelston Hall Surgery, please contact the Practice Manager or the Data Protection Officer as below. If you are still unhappy following a review by the GP practice, you have a right to lodge a complaint with a supervisory authority: You have a right to complain to the UK supervisory Authority as below.

Information Commissioner’s Office
Wycliffe House
Water Lane
SK9 5AF

Tel: 0303 123 1113 or 01625 545745

If you are happy for your data to be extracted and used for the purposes described in this privacy notice, then you do not need to do anything. If you have any concerns about how your data is shared, then please contact the Practice Data Protection Officer.

If you would like to know more about your rights in respect of the personal data we hold about you, please contact the Data Protection Officer as below.

Data Protection Officer:

The Practice Data Protection Officer is Bex Lovewell.  Any queries in regard to Data Protection issues should be addressed to her at: –


Postal: DELT Shared Services Ltd

Building 2 Delt

Derriford Business Park




It is important to point out that we may amend this Privacy Notice from time to time. If you are dissatisfied with any aspect of our Privacy Notice, please contact the Practice Data Protection Officer.



Update on the use of your information due to COVID-19

This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital. This transparency notice supplements our main practice privacy notice.

The health and social care system is facing significant pressures due to the coronavirus (COVID-19) outbreak. Health and care information is essential to deliver care to individuals, to support health, social care and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the coronavirus outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. This practice is supporting vital coronavirus planning and research by sharing your data with NHS Digital, the national safe haven for health and social care data in England. 

Our legal basis for sharing data with NHS Digital

NHS Digital has been legally directed to collect and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak. NHS Digital will become the controller under the General Data Protection Regulation 2016 (GDPR) of the personal data collected and analysed jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).

All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices.

Under GDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c) - legal obligation. Our legal basis for sharing personal data relating to health, is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Direction.

The type of personal data we are sharing with NHS Digital

The data being shared with NHS Digital will include information about patients who are currently registered with a GP practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research. The data contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death for those patients. It will also include coded health data which is held in your GP record such as details of:

  • diagnoses and findings
  • medications and other prescribed items
  • investigations, tests and results
  • treatments and outcomes
  • vaccinations and immunisations

How NHS Digital will use and share your data

NHS Digital will analyse the data they collect and securely and lawfully share data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for coronavirus response purposes only. These purposes include protecting public health, planning and providing health, social care and public services, identifying coronavirus trends and risks to public health, monitoring and managing the outbreak and carrying out of vital coronavirus research and clinical trials. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this initiative.

NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).

Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information. 

Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared. Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose will be published in the NHS Digital data release register.

For more information about how NHS Digital will use your data please see the NHS Digital Transparency Notice for GP Data for Pandemic Planning and Research (COVID-19).

National Data Opt-Out

The application of the National Data Opt-Out to information shared by NHS Digital will be considered on a case by case basis and may or may not apply depending on the specific purposes for which the data is to be used. This is because during this period of emergency, the National Data Opt-Out will not generally apply where data is used to support the coronavirus outbreak, due to the public interest and legal requirements to share information.

Your rights over your personal data

To read more about the health and care information NHS Digital collects, its legal basis for collecting this information and what choices and rights you have in relation to the processing by NHS Digital of your personal data, see:

Last edited: 22 May 2020 11:40 am


Third parties

For a full list of third parties that we may share information with, please click on the following link:

List of Third Parties.pdf

Retention Schedules

For information regarding how long your information is retained by the surgery please click on the following link: 

Retention schedule.pdf