Practice Privacy Notice




Westbank Practice has a legal duty to explain how we use any personal information we collect about you, as a registered patient, at the practice. Staff at this practice maintain records about your health and the treatment you receive in electronic and paper format. 


How the NHS and care services use your information

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at: Information about patients (which covers health and care research); and Understanding Patient Data (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

What Information Do We Collect About You?

We will collect information such as personal details, including name, address, next of kin, records of appointments, visits, telephone calls, your health records, treatment and medications, test results, X-rays, etc. and any other relevant information to enable us to deliver effective medical care. When we collect your mobile number we use it to text you to remind you of appointments. If you no longer wish to receive communication this way, please let a member of staff know who will be able to update your preferences.

When you contact the practice by telephone, all telephone calls received and made by the practice are recorded.


How We Will Use Your Information

Your data is collected for the purpose of providing direct patient care; however, we can disclose this information if it is required by law, if you give consent or if it is justified in the public interest. The practice may be requested to support research; however, we will always gain your consent before sharing your information with medical research databases such as the Clinical Practice Research Datalink and QResearch or others when the law allows.

In order to comply with its legal obligations, this practice may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012. Additionally, this practice contributes to national clinical audits and will send the data that is required by NHS Digital when the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form; for example, the clinical code for diabetes or high blood pressure.

Processing your information in this way and obtaining your consent ensures that we comply with Articles 6(1)(c), 6(1)(e) and 9(2)(h) of the UK GDPR. 


Maintaing Confidentiality and Accessing Your Records

We are committed to maintaining confidentiality and protecting the information we hold about you. We adhere to the UK General Data Protection Regulation (UK GDPR), the NHS Codes of Confidentiality and Security, as well as guidance issued by the Information Commissioner’s Office (ICO). You have a right to access the information we hold about you, and if you would like to access this information, you will need to complete a Subject Access Request (SAR). Please ask at reception for a SAR form and you will be given further information. Furthermore, should you identify any inaccuracies, you have a right to have the inaccurate data corrected.


Information About You From Others

We also collect personal information about you when it is sent to us from the following:

A. a hospital, a consultant or any other medical or healthcare professional, or any other person involved with your general healthcare. 


Your Summary Care Record

Your summary care record is an electronic record of your healthcare history (and other relevant personal information) held on a national healthcare records database provided and facilitated by NHS England.

This record may be shared with other healthcare professionals and additions to this record may also be made by relevant healthcare professionals and organisations involved in your direct healthcare.

You may have the right to demand that this record is not shared with anyone who is not involved in the provision of your direct healthcare. If you wish to enquire further as to your rights in respect of not sharing information on this record then please contact our Data Protection Officer.

To find out more about the wider use of confidential personal information and to register your choice to opt-out if you do not want your data to be used in this way, please visit NHS My Data Choice.

Note if you do choose to opt out, you can still consent to your data being used for specific purposes. However, if you are happy with this use of information you do not need to do anything. You may however change your choice at any time.

You can find out more about the SCR on the NHS Digital website


Who We May Provide Your Personal Information To, And Why

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care Services, important information about you is collected to help ensure you get the best possible care and treatment. This information may be passed to other approved organisations where there is a legal basis, to help with planning services, improving care, research into developing new treatments and preventing illness. All of this helps in improving better care to you and your family and future generations. However, as explained in this privacy notice, confidential information about your health and care is only used in this way where allowed by law and would never be used for any other purpose without your clear and explicit consent. 

We may pass your personal information on to the following people or organisations, because these organisations may require your information to assist them in the provision of your direct healthcare needs. It, therefore, may be important for them to be able to access your information in order to ensure they may properly deliver their services to you: 

  • Hospital professionals (such as doctors, consultants, nurses, etc);
  • Other GPs/Doctors;
  • Pharmacists;
  • Nurses and other healthcare professionals;
  • Dentists;
  • Any other person that is involved in providing services related to your general healthcare, including mental health professionals. 

Devon and Cornwall Care Record

Health and social care services in Devon and Cornwall have developed a system to share patient data efficiently and quickly and, ultimately, improve the care you receive.

This shared system is called the Devon and Cornwall Care Record.

It’s important that anyone treating you has access to your shared record so they have all the information they need to care for you. This applies to your routine appointments and also in urgent situations such as going to A&E, calling 111 or going to an out-of-hours appointment.

It’s also quicker for staff to access a shared record than to try to contact other staff by phone or email.

Only authorised health and care staff can access the Devon and Cornwall Care Record and the information they see is carefully checked so that it relates to their job. Also, systems do not share all your data – just data that services have agreed is necessary to include.

More information about the Devon and Cornwall Care Record

Information Governance and Child Health Information Services

Purpose for sharing

NHS South Central and West Commissioning Support Unit (SCW) is a leading provider of Child Health Information Services (CHIS).

CHIS plays a critical role in immunisation scheduling and monitoring for new-born screening; sending invitation and result letters to parents/carers and recording and monitoring NHS public health childhood  immunisation programmes. A CHIS is the definitive source of immunisation uptake and coverage data within England and, as such, are essential to limiting the spread of communicable diseases

The data we hold is provided by midwives, health visitors, school nurses, GPs and Local Authorities to complete the NHS England Healthy Child Record for all 0-19 year olds.

CHIS works with maternity units, general practices, health visitors, school nurses and local authorities to monitor and improve uptake of national childhood screening and immunisation programmes. We notify  health visitors of all new births and of children who have moved into their area, and ensure all babies have received their new born screening. CHIS also ensures that children aged between 0-5 years receive  appointments at the correct age for NHS routine childhood immunisations and we monitor that school-age children have had the immunisations they are due.

Lawful basis for processing

The processing of personal data for the delivery of individual care and for the administration of Child Health Information Services to support that care is lawful under the following provisions of the UK GDPR:

• Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and
• Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or  treatment or the management of health or social care systems and services...”

We provide the CHIS under contract to NHS England, which is responsible for the provision of the overall CHIS as part of the Public Health Section 7a Agreement – service specification 28.

Each GP Practice is required to report on immunisation status and 6-8 week baby checks. It is important to maintain immunisation reporting for the protection of all children. We require this information for the  effective management of a complete child health record in CHIS and for reporting to NHS England on local immunisation uptake.

Can parents opt out?

We do not rely on consent as legal basis for sharing. Under UK GDPR an individual does not have the right to opt out of sharing for direct care purposes but can register their objection with their GP Practice. The GP  can choose to continue to share despite any objection. GPs can decide is that it is in the best interests of the child to share the information for direct care, which will mean the child’s health record is up to date and  they can receive an invitation to immunisation at the appropriate time. The GP has a duty of care to the child and a duty to share the information under the Health and Social Care (Quality and Safety) Act for the  purpose of direct care.

Further Information

You can find out more about the Child Health Information Service in SCW’s Privacy Notice at:

Fair Processing Notice Child Health Information Services - NHS SCW Support and Transformation for Health and Care


GP Connect

We share your record using GP Connect to make sure that, whether you are visiting the practice, attending hospital, or being seen in the community or at home by a care professional, everyone knows the care you need and how you want to be treated. Your electronic health record is available to the practices in our Primary Care Network and other local providers who are involved in your care. This includes the sharing of personal contact details, diagnosis, medications, allergies, and test results. Your records will be treated with the strictest confidence and can only be viewed if you use their service. 

You can find more information about GP Connect on the NHS Digital website

Please note that if you have previously opted-out to sharing your records, this decision will be upheld, and your record will only be accessed by the practice. Should you wish to opt-out of this, please speak to one of our staff members who will be able to update your personal preferences. Please note that by opting out of this sharing, other health professionals may not be able to see important medical information, which may impact on the care you receive. 


Clinical Practice Research Datalink (CPRD)

Information in patient records is important for medical research to develop new treatments and test the safety of medicines. Westbank Practice supports medical research by sending some of the information from patient records to the Clinical Practice Research Datalink (CPRD).

CPRD is a Government organisation that provides anonymised patient data for research to improve patient and public health. Identifiable data flows to NHS Digital but you cannot be identified from the information sent to CPRD.

For more information about Clinical Practice Research Datalink


National Obesity Audit

The National Obesity Audit supports the NHS Long Term Plan, which aims to provide better outcomes for the patient. It is a patient-level data set which covers all aspects of adult and child weight management services that are publicly funded by the NHS and the Department of Health and Social Care in England.

The NOA follows the patient journey from primary to secondary care, looking at all areas of weight management care, interventions and outcomes.

What data is collected

The National Obesity Audit data collection includes both personal data and special categories of personal data relating to patients living with overweight or obesity, including:

  • Demographic information - such as NHS number, date of birth, postcode, sex and ethnicity.
  • Health information - such as Body Mass Index (BMI), obesity related co-morbidities, healthcare interventions such as weight loss and bariatric surgery.

The NOA makes use of data already held by NHS England in other data collections.

How your data is used

NOA data will be used for the purposes of informing policy and guidelines for managing obesity across the NHS and local authorities. It will also be used for benchmarking and to enable NHS providers to maximise the use of their resources and to improve patient outcomes.

NHS England will analyse the data held in the NOA to carry out data quality checks, to pseudonymise the data (de-identify) and to derive values, for example turn date of birth into age.

Data is expected to be shared with organisations such as healthcare providers, clinicians, and commissioners of NHS services.

Legal obligation

Article 6 (1) (c ) of UK GDPR. The Secretary of State for Health and Social Care has issued NHS England with a direction to analyse this data for NOA purposes.


Other People Who We Provide Your Information To

  • Research Providers
  • Commissioners
  • Integrated Care Boards
  • Local authorities
  • Community health services
  • For the purposes of complying with the law e.g. Police, Solicitors, Insurance Companies
  • Anyone you have given your consent to, to view or receive your record, or part of your record.

Please note, if you give another person or organisation consent to access your record we will need to contact you to verify your consent before we release that record. It is important that you are clear and understand how much and what aspects of, your record you give consent to be disclosed.

  • Extended Access – we provide extended access services to our patients which means you can access medical services outside of our normal working hours. In order to provide you with this service, we have formal arrangements in place with the Integrated Care Board and with the surgeries that form the Exeter GP Federation named Exeter Primary Care. This means, these practices will have to have access to your medical record to be able to offer you the service. Please note to ensure that those practices comply with the law and to protect the use of your information, we have very robust data sharing agreements and other clear arrangements in place to ensure your data is always protected and used for those purposes only. 
  • Data Extraction by the Integrated Care Board – the Integrated Care Board at times extracts medical information about you, but the information we pass to them via our computer systems cannot identify you to them. This information only refers to you by way of a code that only your practice can identify (it is pseudo-anonymised). This therefore protects you from anyone who may have access to this information at the Integrated Care Board from ever identifying you as a result of seeing the medical information and we will never give them the information that would enable them to do this. There are good reasons why the Integrated Care Board may require this pseudo-anonymised information. This information is used to plan and improve services. The information collected includes data such as the area patients live, age, gender, ethnicity, language preference, country of birth and religion. The ICB also collects information about whether patients have long term conditions such as diabetes; blood pressure, cholesterol levels and medication.

The practice will also use carefully selected third party service providers that process data on behalf of the practice. When we use a third party service provider, we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating responsibly to ensure the protection of your data. Examples of functions that may be carried out by third parties includes: 

  • Organisations that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate video consultation, appointment bookings or electronic prescription services; document management services etc. 
  • Organisations who are delivering services on behalf of the practice (for example conducting Medicines Management Reviews to ensure that you receive the most appropriate, up to date and cost-effective treatments or supporting practices in offering choices of providers and appointments to patients who are being referred via the NHS E-Referral system). 
  • Delivery services (for example if we were to arrange for delivery of any medicines to you). 
  • Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).

Anonymised Information

Sometimes we may provide information about you in an anonymised form. If we do so, then none of the information we provide to any other party will identify you as an individual and cannot be traced back to you. 


Your Rights As A Patient

The Law gives you certain rights to your personal and healthcare information that we hold, as set out below:

  • Access and Subject Access Requests: You have the right to see what information we hold about you and to request a copy of this information. If you would like a copy of the information we hold about you please put your request in writing for the attention of the Practice Manager. We will provide this information free of charge however, we may in some limited and exceptional circumstances have to make an administrative charge for any extra copies if the information requested is excessive, complex or repetitive. We have one month to reply to you and give you the information that you require. We would ask, therefore, that any requests you make are in writing and it is made clear to us what and how much information you require.
  • Online Access You may ask us if you wish to have online access to your medical record. However, there will be certain protocols that we have to follow in order to give you online access, including written consent and production of documents that prove your identity, or verification of who you are. Please note that when we give you online access, the responsibility is yours to make sure that you keep your information safe and secure if you do not wish any third party to gain access.
  • Correction We want to make sure that your personal information is accurate and up to date. You may ask us to correct any information you think is inaccurate. It is very important that you make sure you tell us if your contact details including your mobile phone number has changed.
  • Removal You have the right to ask for your information to be removed however, if we require this information to assist us in providing you with appropriate medical services and diagnosis for your healthcare, then removal may not be possible. 
  • Objection We cannot share your information with anyone else for a purpose that is not directly related to your health, e.g. medical research, educational purposes, etc. We would ask you for your consent in order to do this however, you have the right to request that your personal and healthcare information is not shared by the Surgery in this way. Please note the Anonymised Information section in this Privacy Notice. 
  • Transfer You have the right to request that your personal and/or healthcare information is transferred, in an electronic form (or other form), to another organisation, but we will require your clear consent to be able to do this. 

Third Parties Mentioned On Your Medical Record

Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them which may breach their rights to confidentiality, are removed before we send any information to any other party including yourself. Third parties can include: spouses, partners, and other family members. 


How We Use The Information About You

We use your personal and healthcare information in the following ways: 

  • when we need to speak to, or contact other doctors, consultants, nurses or any other medical/healthcare professional or organisation during the course of your diagnosis or treatment or ongoing healthcare; 
  • when we are required by Law to hand over your information to any other organisation, such as the police, by court order, solicitors, or immigration enforcement. 

We will never pass on your personal information to anyone else who does not need it, or has no right to it, unless you give us clear consent to do so. 


Where do we store your data?

We use a number of IT systems and tools to store and process your data, on behalf of the practice. Examples of tools we use include our core clinical system (SystmOne), NHSmail, Microsoft 365 and AccuRx. For further information on this, please contact the practice. 


Legal Justification For Collecting And Using Your Information

The Law says we need a legal basis to handle your personal and healthcare information.

  • CONTRACT: We have a contract with NHS England to deliver healthcare services to you. This contract provides that we are under a legal obligation to ensure that we deliver medical and healthcare services to the public. 
  • CONSENT: Sometimes we also rely on the fact that you give us consent to use your personal and healthcare information so that we can take care of your healthcare needs. 

Please note that you have the right to withdraw consent at any time if you no longer wish to receive services from us.

  • NECESSARY CARE: Providing you with the appropriate healthcare, where necessary. The Law refers to this as ‘protecting your vital interests’ where you may be in a position not to be able to consent. 
  • LAW: Sometimes the Law obliges us to provide your information to an organisation (see above). 

Special Categories

The Law states that personal information about your health falls into a special category of information because it is very sensitive. Reasons that may entitle us to use and process your information may be as follows: 

  • PUBLIC INTEREST: Where we may need to handle your personal information when it is considered to be in the public interest. For example, when there is an outbreak of a specific disease and we need to contact you for treatment, or we need to pass your information to relevant organisations to ensure you receive advice and/or treatment; 
  • CONSENT: When you have given us consent; 
  • VITAL INTEREST: If you are incapable of giving consent, and we have to use your information to protect your vital interests (e.g. if you have had an accident and you need emergency treatment); 
  • DEFENDING A CLAIM: If we need your information to defend a legal claim against us by you, or by another party; 
  • PROVIDING YOU WITH MEDICAL CARE: Where we need your information to provide you with medical and healthcare services

The Data Protection Officer

The Data Protection Officer for the Surgery is Bex Lovewell who can be contacted as follows: email: address: Delt Shared Services Ltd., BUILDING 2 – DELT, Derriford Business Park, Plymouth, PL6 5QZ.

Please contact her if:

  • You have any questions about how your information is being held
  • If you require access to your information or if you wish to make a change to your information
  • If you wish to make a complaint about anything to do with the personal and healthcare information we hold about you
  • Or any other query relating to this Policy and your rights as a patient.

Risk stratification

Risk stratification is a mechanism used to identify and subsequently manage those patients deemed as being at high risk of requiring urgent or emergency care. Usually this includes patients with long-term conditions, e.g. cancer. Your information is collected by a number of sources, including Westbank Practice; this information is processed electronically and given a risk score which is relayed to your GP who can then decide on any necessary actions to ensure that you receive the most appropriate care.



We are a research practice and help to deliver research studies and trials. Employees of the practices will access your information in order to determine whether you are suitable to be invited to participate in a study. We will only share your information with the research providers with your explicit consent. 


Invoice validation

Your information may be shared if you have received treatment to determine which Integrated Care Board (ICB) is responsible for paying for your treatment. This information may include your name, address and treatment date. All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.



You have the right to object to your information being shared under the national data opt-out model. The national data opt-out model provides an easy way for you to opt-out of sharing information that identifies you being used or shared for medical research purposes and quality checking or audit purposes. To opt-out of your identifiable information being shared for medical research or to find out more about your opt-out choices please ask a member of staff or go to NHS Digital’s website.


Retention periods

In accordance with the NHS Codes of Practice for Records Management, your healthcare records will be retained for 10 years after death, or if a patient emigrates, for 10 years after the date of emigration. 


What to do if you have any questions

Should you have any questions about our privacy policy or the information we hold about you, you can:

  • Contact the practice’s data controller via our secure online form. GP practices are data controllers for the data they hold about their patients
  • Write to the data controller at Westbank Practice, Starcross Surgery, Starcross, EX6 8PZ
  • Ask to speak to the practice manager Claire Conway Wright, or the Practice Assistant Manager Alex Cook. 

The Data Protection Officer (DPO) for Westbank Practice is Bex Lovewell.



In the unlikely event that you are unhappy with any element of our data-processing methods, you have the right to lodge a complaint with the ICO. For further details, visit Information Commissioners Office website


Our Website

The only website this Privacy Notice applies to is the Surgery’s website. If you use a link to any other website from the Surgery’s website then you will need to read their respective privacy notice. We take no responsibility (legal or otherwise) for the content of other websites.


CCTV (Closed Circuit Television)

We may record CCTV images of people entering, approaching or passing our buildings to:

  • Help staff, patients and visitors feel safer
  • Act as a deterrent to offenders
  • Allow the collection of evidence to help find and convict offenders
  • There will be clear signs within our premises to advise you CCTV is in operation

Your information may be shared with other organisations, but we will only do this when necessary or if they have a legal right to it. Recordings which are not required for the purposes of security of staff, patients and premises, will not be retained for longer than is necessary and no longer than 1 month. This ensures that any subsequent investigations can be completed.

Our legal reasons for processing this data is ‘legitimate interest’ under UK GDPR Article 6(1)(f). The processing achieves its purpose of providing a secure environment for staff, patients and visitors by providing evidence in the case of a security incident. There isn’t an alternative way to provide this level of security for all involved. The only aim of our CCTV is to provide a deterrent and to have a way of evidencing events should an incident occur.

You have the right to:

  • View a copy of the CCTV recording.
  • Request that the CCTV recording be deleted if you believe the practice is processing it for longer than is necessary.

For further information or to request copies of CCTV recordings please contact Claire-Conway Wright.


Changes to our privacy policy

The practice reviews this privacy notice regularly and may amend the notice from time to time. If you wish to discuss any elements of this privacy notice, please contact Managing Partner Claire-Conway Wright.