Privacy Policy

Information Chelston Hall Surgery Holds About You


As your registered GP surgery, we are the data controller for any personal data that we hold about you.  A data controller is a person, company, or other body that determines the purpose and means of personal data processing.

Chelston Hall Surgery recognise how important it is that our patients are aware of the information we collect about them and how we share this information.

 We use three different types of information:

  1. Person identifiable: information which on its own or with other information can identify you.
  2. Anonymised data: when unique identifiers such as your name and DOB have been removed so the information is no longer 'patient identifiable'. 
  3. Pseudonymised data: where personal information about you is replaced with a code. If this information was shared with a third party they could not identify you.

To ensure you information is kept confidential and that the surgery data is kept safe and secure, all staff receive data protection and information governance training annually. Updates are shared throughout the year when required

Access to your information

Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for processing this information are:

  • Your consent. You are able to remove your consent at any time. You can do this by contacting the Practice Manager
  • We have a legal obligation.
  • We have a vital interest.
  • We need it to perform a public task.

We rely upon Article 6(1)(e) (public interest task) and Article 9(2)(h) (health and social care) for most of our processing and sharing, in particular to:

  • Provide you with health and social care.
  • Share data from, or allow access to, your GP record, for healthcare professionals involved in providing you with health and social care.
  • Receive data from or access your data on other NHS organisation clinician systems.
  • Work effectively with other organisations and healthcare professionals who are involved in your care.
  • Ensure that your treatment and advice, and the treatment of others is safe and effective.
  • Participate in National Screening Programmes.
  • Use a computer program to identify patients who might be at risk from certain diseases or unplanned admissions to Hospitals.
  • Help NHS Digital and the practice to conduct clinical audits to ensure you are being provided with safe, high quality care.
  • Support medical research when the law allows us to do so.
  • Supply data to help plan and manage services and prevent infectious diseases from spreading.

We rely upon Article 6(1)(a) (consent) and Article 9(2)(a) (explicit consent), in order to:

  • Help the practice investigate any feedback, including patient surveys, complaints or concerns you may have about contact with the practice.
  • Help manage how we provide you with services from the practice, for example, when you nominate individuals to contact the practice on your behalf.
  • Share your information with third parties, for example, insurance companies and medical research organisations. We also use anonymised data to plan and improve health care services. Specifically, we use it to.

We rely upon Article 6(1)(d) (vital interest) and Article 9(2)(c) (vital interests) to share information about you with another healthcare professional in a medical emergency.

We rely upon Article 6(1)(e) (public interest task) and Article 9(2)(g) (substantial public interest) to support safeguarding for patients who, for instance, may be particularly vulnerable to protect them from harm or other forms of abuse.

We rely upon Article 6(1)(c) (legal obligation) and Article 9(2)(h) to share your information for mandatory disclosures of information (such as NHS Digital, CQC and Public Health England).

We rely upon Article 6(1)(c) (legal obligation) and Article 9(2)(f) (legal claims) to help investigate legal claims and if a court of law orders us to do so.

Staff only have access to the information that is needed for them to complete their role within the surgery. Staff access of confidential information is monitored to ensure your confidentiality is maintained.



Sometimes we need to share information so that other people, including healthcare staff, children or others with safeguarding needs, are protected from risk of harm. These circumstances are rare. We do not need your consent or agreement to do this.


How to access your records

The Data Protection Act allows you to find out what information about you is held on computer systems, and also in the form of paper records. This is known as a 'right of subject access'.  You are entitled to receive a copy of this information and are not required to provide the surgery with a reason for the request, however timelines may be asked for to ensure that only relevant documentation is copied.  Although requests do not have to be in writing we are permitted to use the SAR form to verify requests and we will request identification to ensure we are satisfied that the person requesting the information is the data subject to whom the data applies to.  

In regards to third party requests the person requesting the data holds the responsibility for providing the required authority and this is usually in the form of a written statement or consent form, signed by the data subject.  Records are free to access unless an exception applies.


Information we hold about you in your medical record

  • Personal demographics such as name, DOB, address, contact information, next of kin, ethnicity.
  • Details on your care, treatment, and any other relevant clinical information such as test results and examinations.
  • Records of your health and wellbeing, this often includes reports from other organisations such as out of hours reports and ED attendances.
  • Details of each contact we have with you in all forms:
    • Written contact
    • Email correspondence
    • eConsult
    • Telephone calls
    • Face to face conversations
    • Text messaging

EConsult is provided by a third-party organisation and by using eConsult, you are submitting your information to them. This information is then provided to the practice to be reviewed. Further information on eConsult can be found at:  You can also use eConsult via the NHSApp. Further information regarding the role of NHS England and the practice can be found:

For our text message service we use two providers:


Other information we hold about you

  • Information shared in a public domain i.e. surgery reviews on NHS choices.
  • Emails sent to our secure surgery email addresses (, these are kept for a short period of time up to a maximum of six months for reference.
  • Contact details for non-medical communications such as PPG updates and newsletters with your consent.


How your records are used

  • To allow informed decisions to be made about your care
  • To ensure that treatment and advice is safe and effective
  • To help the surgery work alongside other organisations and healthcare representatives to may also be involved in your care.
  • Allowing investigations into any feedback or concerns raised with the surgery.
  • Can be available if you see another GP in the surgery, or are referred to a specialist or another part of the NHS for the purposes of direct care.
  • To help in the investigations of complaints, legal claims and significant events.
  • To help with statistics on NHS performance and help with health research and development.
  • Internal audits to improve the surgeries efficiently and service management and thus patient experience.
  • External audits which will allow for local and national benchmarking
  • Sharing of best practice, significant event reviews and management of adverse events.
  • Personal development reviews (mainly clinician’s appraisals).
  • Patient surveys completed by external parties such as NHS England.


How do we keep your records confidential and secure

Everyone working for the NHS has a legal and professional duty to ensure all information is safely and securely protected and kept confidential.

The sharing of your information is strictly controlled. The surgery will not pass on any information without permission unless there are exceptional circumstances, such as a court order. We adhere to the Caldicott Principles to ensure information is assessed and held securely and appropriately.

The surgery operates under secure networks for both our internal and external IT systems. Use of NHS smartcards and audits ensure that only permitted staff are able to access your records and personal information.  Paper records and documents and kept in secure locations whereby only those individuals that have a legitimate and legal basis can access them.


How long do we hold your data?

We only hold your data for as long as necessary and are required to hold your data in line with the NHS Records Management Code of Practice for Health and Social Care 2016 Retention Schedule which can be found here: Care-2016

Once any records are no longer required they are confidentially and securely destroyed.  For information on how long your information is retained by the surgery please see the link at the bottom of this page.


Third parties we share information with

Some examples of the third parties we share information with are:

  • NHS Trusts
  • Community and District Nurses
  • Ambulance or other Emergency Service
  • Out Of Hours Service / NHS 111
  • Child and Adult Safeguarding Services
  • Local Authorities
  • The Care Quality Commission (CQC), ICO and other regulated auditors
  • Public Health England

For a full list of third parties please see the link at the bottom of this page.

Please be aware that the surgery will only ever pass on information about you if others involved in your care have a need for it; or if there is the potential of risk to public safety. Anyone we share information with is under a legal duty to keep it confidential and secure. Information and data sharing agreements ensure that the surgery only share information in a way that complies with the law.


Sharing of Electronic Patient Records within the NHS

Electronic patient records are kept in most places where you receive healthcare.  We use EMIS as our electronic system, which allows your record to be shared securely with other organisations involved in your care such as:

  • GP practices
  • Community services such as district nurses, rehabilitation services, telehealth and out of hospital services.
  • Child health services that undertake routine treatment or health screening
  • Urgent care organisations, minor injury units or out of hours services
  • Community hospitals
  • Palliative care hospitals
  • Care Homes
  • Mental Health Trusts
  • Hospitals
  • Social Care organisations
  • Pharmacies

In addition, NHS England have implemented the Summary Care Record which contains information including medication you are taking and any bad reactions to medication that you have had in the past.


Summary Care Record

Your Summary Care Record is a short summary of your GP medical records. It tells other health and care staff who care for you about the medicines you take and your allergies.

This means they can give you better care if you need health care away from our surgery:

  • in an emergency
  • when you're on holiday
  • when your surgery is closed
  • at out-patient clinics
  • when you visit a pharmacy

You can add more information to your SCR by asking your doctor. They can add extra details from your medical notes, including:

  • health problems like dementia or diabetes
  • details of your carer
  • your treatment preferences
  • communication needs, for example if you have hearing difficulties or need an interpreter

This will help medical staff care for you properly, and respect your choices, when you need care away from your GP surgery. This is because having more information on your SCR means they will have a better understanding of your needs and preferences.

When you are treated away from you’re the surgery, the health care staff there can't see your GP medical records. Looking at your SCR can speed up your care and make sure you are given the right medicines and treatment.

Staff will ask your permission to look at your SCR (except in an emergency where you are unconscious, for example) and only staff with the right levels of security clearance can access the system, so your information is secure. You can ask an organisation to show you a record of who has looked at your SCR - this is called a Subject Access Request.

SCRs improve care, but if you don't want to have one you can opt out by contacting the surgery and requesting this.


National Screening Programmes

If you do not wish to receive an invitation to the screening programmes, you can opt out at


Type 1 Opt-out

 You have the right to object to your confidential patient data being shared for purposes beyond your direct care by asking the practice to apply a Type 1 opt-out to your medical records. A type 1 opt-out prevents personal data about you, being extracted from your GP record, and uploaded to any other organisations without your explicit consent. If you wish for a Type 1 opt-out to be applied to your record, please contact the Operations Manager.

Please note that the type 1 opt-out will no longer be available after 2020 and therefore you will be unable to object to your data being shared with NHS Digital when it is legally required under the Health and Social Care Act 2012.


National Data Opt-out

You have the right to object to your data being shared under the national data opt-out model. The national data opt-out model provides an easy way for you to opt-out of sharing data that identifies you being used or shared for medical research purposes and quality checking or audit purposes. To opt-out of your identifiable data being shared for medical research or to find out more about your opt-out choices please ask a member of staff or go to NHS Digital’s website:


Cancer Registry

The National Cancer Registration and Analysis Service is run by Public Health England and is responsible for cancer registration in England, to support cancer epidemiology, public health, service monitoring and research.

Further information regarding the registry and your right to opt-out can be found at:


Population Health Analytics

As well as using your data to support the delivery of care to you, your data may be used to help improve the way health and social care is delivered to patients and service users throughout Devon using Population Health Management methods. We will only use a pseudonymised extract (ie. not identifiable information) which will be sent securely to NHS Devon CCG and in partnership with Optum. Optum have been appointed to provide technical assistance to NHS Devon CCG and use the data to support the Devon Integrated Care System to improve short term and medium-term health outcomes for local populations.

Please note that at no time will patient identifiable data be used in the delivery of this programme. Patients who have a Type 1 opt-out will be excluded from this programme and will not have their data extracted for this purpose.

Further information about Population Health Management can be found here:

We will rely on Public interest task as the legal basis for processing your data for this purpose.


Health Risk Screening / Risk Stratification

Health Risk Screening or Risk Stratification is a process that helps your GP to determine whether you are at risk of an unplanned admission or deterioration in health. By using selected information such as age, gender, [NHS number/HCN number/ CHI number], diagnosis, existing long-term condition(s), medication history, patterns of hospital attendances, admissions and periods of access to community care your GP will be able to judge if you are likely to need more support and care from time to time, or if the right services are in place to support the local population’s needs.

To summarise Risk Stratification is used in the NHS to:

  • Help decide if a patient is at a greater risk of suffering from a particular condition;
  • Prevent an emergency admission;
  • Identify if a patient needs medical help to prevent a health condition from getting worse; and/or
  • Review and amend provision of current health and social care services.

Your GP will use computer based algorithms or calculations to identify their registered patients who are at most risk, with support from the local Commissioning Support Unit and/or a third party accredited Risk Stratification provider. The risk stratification contracts are arranged by Devon CCG in accordance with the current Section 251 Agreement. Neither the CSU nor your local CCG will at any time have access to your personal or confidential data.  They will only act on behalf of your GP to organise the risk stratification service with appropriate contractual technical and security measures in place.

Your GP will routinely conduct the risk stratification process outside of your GP appointment. This process is conducted electronically and without human intervention.  The resulting report is then reviewed by a multidisciplinary team of staff within the Practice.  This may result in contact being made with you if alterations to the provision of your care are identified.

A Section 251 Agreement is where the Secretary of State for Health and Social Care has granted permission for personal data to be used for the purposes of risk stratification, in acknowledgement that it would overburden the NHS to conduct manual reviews of all patient registers held by individual providers.


Extended Access

As part of our Extended Access Initiative, our patients can book evening and weekend appointments, both here and at other local GP surgeries. To ensure that the Clinician has full access to your medical records, when you book your appointment the Administrator will ask you to consent to sharing your medical records, which will ensure an effective and safe service.

This sharing occurs electronically through our clinical system and the sharing only occurs when you choose to book an appointment at another practice. You will be reminded of this when you book the appointment and your consent to share your medical record is taken.

Your data will be kept secure using the same clinical system used to access your medical record when you visit us for an appointment. The clinician you visit will be required to gain your consent prior to accessing your record. If you change your mind and do not wish to consent, the clinician will only be able to access your Summary Care Record. This will contain limited medical information and will restrict the care that you can be offered. We will be notified of your record being accessed and of any changes made to your medical record. We will review this to ensure any follow up is actioned.

The practices who could be involved in sharing your data are:  Brunel Medical Practice, Catherine House Surgery, Chilcote Surgery, Compass House Medical Centre, Corner Place Surgery, Croft Hall Medical Practice, Dartmouth Medical Practice, Leatside Surgery, Mayfield Medical Centre, Old Farm Surgery, Parkhill Medical Practice, Pembroke House Surgery, Southover Medical Practice, and St Lukes and Greenswood Medical. 

If you have any concerns about this, or object to the sharing of your medical record in this way, please speak to one of our reception team, who will be able to record your decision and change the settings for your record.


Your rights

You have the right to confidentiality and for your information to be used fairly in a way that is safe and secure under the Data Protection Act 2018 and GDPR, common law of duty of confidentiality and other relevant legislation. The Equality Act 2010 may also apply in certain circumstances. You have the right:

  • To know what information we hold about you, what we use it for and who we share it with.
  • To object to information being disclosed to a third party in a form that identifies you, however, there are certain circumstances in which you are unable to object.
  • To access to a copy of the information comprised in your medical record
  • To object to processing that is likely to cause or is causing damage or distress
  • To object to decisions being taken by automated means
  • In certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed
  • To claim compensation for damages caused by a breach of the Act.


Objections / Complaints

Should you have any concerns about how your information is managed at Chelston Hall Surgery, please contact the Practice Manager or the Data Protection Officer as below. If you are still unhappy following a review by the GP practice, you have a right to lodge a complaint with a supervisory authority: You have a right to complain to the UK supervisory Authority as below.

Information Commissioner’s Office
Wycliffe house
Water Lane

Tel: 0303 123 1113 or 01625 545745

If you are happy for your data to be extracted and used for the purposes described in this privacy notice, then you do not need to do anything. If you have any concerns about how your data is shared, then please contact the Practice Data Protection Officer.

If you would like to know more about your rights in respect of the personal data we hold about you, please contact the Data Protection Officer as below.


Data Protection Officer:

The Practice Data Protection Officer is Bex Lovewell.  Any queries in regard to Data Protection issues should be addressed to her at: –


Postal:DELT Shared Services Ltd

Building 2 Delt

Derriford Business Park



It is important to point out that we may amend this Privacy Notice from time to time. If you are dissatisfied with any aspect of our Privacy Notice, please contact the Practice Data Protection Officer

Last updated 20th October 2020


Update on the use of your information due to COVID19

This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital. This transparency notice supplements our main practice privacy notice.

The health and social care system is facing significant pressures due to the coronavirus (COVID-19) outbreak. Health and care information is essential to deliver care to individuals, to support health, social care and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the coronavirus outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. This practice is supporting vital coronavirus planning and research by sharing your data with NHS Digital, the national safe haven for health and social care data in England. 

Our legal basis for sharing data with NHS Digital

NHS Digital has been legally directed to collect and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak. NHS Digital will become the controller under the General Data Protection Regulation 2016 (GDPR) of the personal data collected and analysed jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).

All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices.

Under GDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c) - legal obligation. Our legal basis for sharing personal data relating to health, is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Direction.

The type of personal data we are sharing with NHS Digital

The data being shared with NHS Digital will include information about patients who are currently registered with a GP practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research. The data contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death for those patients. It will also include coded health data which is held in your GP record such as details of:

  • diagnoses and findings
  • medications and other prescribed items
  • investigations, tests and results
  • treatments and outcomes
  • vaccinations and immunisations

How NHS Digital will use and share your data

NHS Digital will analyse the data they collect and securely and lawfully share data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for coronavirus response purposes only. These purposes include protecting public health, planning and providing health, social care and public services, identifying coronavirus trends and risks to public health, monitoring and managing the outbreak and carrying out of vital coronavirus research and clinical trials. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this initiative.

NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).

Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information. 

Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared. Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose will be published in the NHS Digital data release register.

For more information about how NHS Digital will use your data please see the NHS Digital Transparency Notice for GP Data for Pandemic Planning and Research (COVID-19).

National Data Opt-Out

The application of the National Data Opt-Out to information shared by NHS Digital will be considered on a case by case basis and may or may not apply depending on the specific purposes for which the data is to be used. This is because during this period of emergency, the National Data Opt-Out will not generally apply where data is used to support the coronavirus outbreak, due to the public interest and legal requirements to share information.

Your rights over your personal data

To read more about the health and care information NHS Digital collects, its legal basis for collecting this information and what choices and rights you have in relation to the processing by NHS Digital of your personal data, see:

Last edited: 22 May 2020 11:40 am


Third parties

For a full list of third parties please that we may share information with please click on the following link: 

List of Third Parties.pdf

Retention Schedules

For information regarding how long your information is retained by the surgery please click on the following link: 

Retention schedule.pdf