Prioritising Your Privacy
At our core, we greatly value the trust you place in us to protect your personal information. Safeguarding your privacy is a fundamental responsibility that we take seriously. We have implemented strong security measures to ensure your data is handled with the highest level of care, undergoing regular assessments to uphold the best standards.
Please take the time to read this Privacy Policy (‘Privacy Policy’) carefully, as it contains essential details about how we collect, use, and protect your personal and healthcare information.
We provide this Privacy Notice in full compliance with legal obligations. Its purpose is to clearly explain how we gather, use, and safeguard your personal and healthcare information. We prioritise transparency so that you have a complete understanding of our approach. This notice covers the following key areas:
Why We Collect Information: We will clarify the reasons for collecting your personal and healthcare data, ensuring you understand its purpose and necessity.
How We Use Your Information: We will outline how we utilise your personal and healthcare information, ensuring complete awareness of its intended use.
Data Handling Procedures: We will explain the steps we take to manage and protect your information, including any circumstances where it may be shared with third parties and the reasons for doing so.
Retention Policies: We will inform you about how long we retain your personal and healthcare data, following legal and operational requirements.
If you have any questions, concerns, or need further clarification regarding this Privacy Policy or any aspect of your data privacy, please contact Harshik Jethwa at the practice. We are here to assist you and provide the reassurance you need.
Our designated Data Protection Officer (DPO) is:
hweicbenh.dpo-gpcontractedservice@nhs.net
The DPO is responsible for overseeing our compliance with data protection regulations. You can contact them with any questions or concerns about how your personal data is used.
For any enquiries, you can also reach the DPO team through Watford Health Centre at watfordhealthcentre@nhs.net, which serves as your primary contact point for:
Questions regarding how your personal and healthcare information is collected, stored, and protected.
Requests to access, update, or amend your information.
Filing a complaint or raising concerns about how your personal and healthcare data is managed.
Any other questions or clarifications related to this Privacy Policy and your rights as a patient.
At Watford Health Centre, we are committed to delivering high-quality healthcare services to all our patients.
As the data controller, Watford Health Centre is responsible for the collection, storage, and management of your personal and healthcare information when you register as a patient with us.
We are registered with the Information Commissioner’s Office (ICO) under the registration number Z5764169.
There are instances where we also process your information for specific purposes, as outlined in this Privacy Policy.
We collect a range of information to provide you with the best possible care:
Personal Details
Contact information: Name, date of birth, NHS number, gender, phone numbers, email address, place of work, and work contact details.
Additional personal details: Marital status, religion, ethnicity, sexual orientation.
Emergency contacts: Details and contact numbers of your next of kin.
Medical Information
Your medical history and relevant details.
The reason for your visit to the practice.
Medical records, including diagnosis details, consultation notes, and interactions with clinicians and other healthcare professionals involved in your care.
Information may be collected and recorded during in-person consultations, telephone calls (which may be recorded), or via SMS messaging services.
Feedback Surveys and Forms
Responses to patient feedback surveys, including the Friends and Family Test (FFT).
Alongside the details you provide directly, we may also receive personal and healthcare information about you from various external sources, including:
Healthcare Providers
Hospitals
Consultants
Other medical or healthcare professionals involved in your care
Caregivers
Relevant details provided by relatives or individuals responsible for your care
Legal and Government Entities
Court Orders
Police
Home Office
Solicitors
Insurance Companies
Information related to your coverage or claims provided by your insurer
Digital Communication
Emails
Social Media
Website interactions
The NHS actively collects patient medical information to help identify individuals at risk of developing certain health conditions. This proactive approach helps prevent emergency hospital admissions and ensures timely preventative care. Your data may be gathered from sources such as NHS Trusts and our GP Practice.
Risk Stratification Process
Your medical information is anonymised and analysed using specialised software.
The results are sent back to your GP, who is the only person able to identify you.
This process, known as Risk Stratification, helps GPs focus on preventive care rather than just treating illnesses.
If necessary, your GP may offer additional services tailored to your identified risks.
You have the right to opt out if you do not wish for your data to be used in this manner.
Population Health Management and Risk Stratification
The Hertfordshire and West Essex Integrated Care Board (ICB) conducts population health management and risk stratification using the data we share through our computer systems.
This information is pseudo-anonymised, meaning it cannot be directly linked to you by the ICB—only our practice can identify you through a unique code.
The ICB may use this data to:
Analyse existing healthcare services and plan for future improvements.
Develop risk stratification models to assist GPs in managing long-term conditions, reducing unplanned hospital admissions, and mitigating risks for diseases like diabetes.
Assess the health needs of the local population to design and commission suitable healthcare services.
This process is conducted by Oracle Health, commissioned by the ICB.
Opting Out
If you prefer not to have your data included in this process, even in a form that does not directly identify you, you can opt out. Please contact the Practice, and we will apply an opt-out code to your records to ensure your information is excluded.
Your Summary Care Record (SCR) is an electronic health record containing key details about your medical history and other relevant personal information. This record is securely stored on a national database managed by NHS England, ensuring healthcare professionals can access your medical data when needed.
Sharing Your Information for Better Care
Your SCR may be shared with healthcare professionals directly involved in your treatment. Additionally, authorised healthcare providers and organisations can contribute to your record, keeping it up to date and comprehensive.
Your Right to Privacy
You have the right to restrict access to your Summary Care Record for anyone not directly involved in your healthcare. If you would like to learn more about your options regarding data-sharing restrictions, please contact Harshik Jethwa at the practice.
Wider Use of Confidential Information
To understand how your confidential personal information may be used beyond your direct care and to register your preferences, please visit www.nhs.uk/my-data-choice.
If you do not wish for your data to be used in this broader capacity, you can opt out at any time.
Even if you opt out, you can still consent to specific uses of your data when needed.
If you are comfortable with the existing use of your information, no action is required, but you have the flexibility to change your preference at any time.
When you access healthcare services—such as visiting an Accident & Emergency department or using Community Care Services—essential information about you is collected to ensure you receive the highest quality care. This information may be shared with authorised organisations, where legally permitted, to support service planning, enhance care quality, conduct medical research, and prevent illness. These efforts contribute to improving care for you, your family, and future generations. However, as outlined in this privacy policy, your confidential health and care information is only shared when legally permitted and will never be used for any other purpose without your explicit consent.
Direct Healthcare Providers
To ensure you receive appropriate healthcare, we may share your personal information with the following professionals and organisations:
Hospital staff, including doctors, consultants, and nurses
Other GPs and doctors
Pharmacists
Nurses and allied healthcare professionals
Dentists
Mental health professionals and other healthcare service providers involved in your care
Other Recipients of Your Information
Beyond direct healthcare providers, we may also share your information with:
Commissioners
Clinical Commissioning Groups (CCGs) or Integrated Care Boards (ICBs)
Local authorities
Community health services
Legal and compliance entities (e.g., Police, Solicitors, Insurance Companies)
Any person or organisation you have given explicit consent to access your records
If you grant consent for another person or organisation to view your record, we will contact you to verify your approval before releasing any information. It is important to be clear about the details you are authorising to be disclosed.
Data Extraction by the Hertfordshire and West Essex ICB
At times, the Hertfordshire and West Essex Integrated Care Board (ICB) extracts medical information from our system. However, the data we provide to them is pseudo-anonymised, meaning it cannot be used to identify you. Instead, your information is assigned a unique code that only our practice can link back to you.
This ensures that even if someone at the ICB has access to the extracted data, they cannot identify you personally. Additionally, we will never provide them with any identifiable information.
The Hertfordshire and West Essex ICB may require this information for:
Ensuring GP practices comply with local and national healthcare guidelines
Promoting high-quality medical care across the region
To provide effective healthcare services, we work with a range of trusted software suppliers. Below is a list of the providers we partner with to facilitate patient care. For more details on how they handle data, please visit their respective websites and review their privacy policies.
| Name | Description | Privacy Link |
| --- | --- | --- |
| Emis Web | EMIS Web is a clinical software system that allows GP practices to securely store, access, and manage patient medical records and information, enabling efficient delivery of healthcare services and continuity of care. Records are stored in a safe and secure manner in data centres owned and operated by Amazon Web Services which has been approved by NHS Digital. | https://www.emishealth.com/privacy-policy |
| Accurx (Patient Triage) | AccuRx Patient Triage is a secure messaging platform that allows GP practices to safely communicate with patients, triage symptoms, and manage medical queries. It stores patient information in an encrypted format on secure servers, ensuring data privacy and compliance with healthcare regulations while facilitating efficient access to care. | https://www.accurx.com/privacy-policy |
| Surgery Connect | Surgery Connect telephone system enables GP practices to securely store and access patient information through its cloud-based platform. It facilitates efficient communication between healthcare providers while ensuring patient data privacy by employing robust encryption and access controls for storing sensitive medical records in compliance with data protection regulations. | https://www.x-on.co.uk/privacy-notice/ |
| Docman | DocMan is a document management system used by GP practices to securely store and manage patient medical records and correspondence digitally. It allows authorised healthcare staff to access, share, and update patient documents while ensuring data privacy through encryption and access controls compliant with healthcare regulations. | https://www.docman.com/privacy-policy/ |
| Docmail | DocMail is provided by CFH Total Document Management Ltd, a secure print and mailing company which provides print and mailing services for Local Government, GPs, Dentists, Medical Practices, Schools, Exam Boards and Banks etc. | https://www.docmail.co.uk/downloads/Docmail-Privacy.pdf |
| ITS Digital | ITS Digital is the practice’s primary general IT support provider. Their support staff are able to remotely dial in with the consent of our staff for technical problem solving. | https://itsdigital.co.uk/privacy-policy/ |
| Numed | Numed provides software and remote support for our spirometer and blood pressure monitoring devices. With staff consent, their personnel can remotely access these systems for troubleshooting while we maintain strict security protocols to safeguard patient data privacy and confidentiality. | https://www.numed.co.uk/privacy-policy |
| DXS Systems | DXS provides a clinical knowledge platform that integrates evidence-based guidance, treatment pathways, and patient information into GP workflows, enabling efficient access to up-to-date medical knowledge to improve patient care and outcomes. | https://www.dxs-systems.co.uk/privacy.php |
| Microsoft Suite | In GP surgeries, Microsoft Suite is essential: Word is used for documentation and patient letters, Excel for data analysis and tracking, Outlook for secure communication, and Teams for virtual meetings and collaboration. It’s a key provider to the NHS, streamlining operations and enhancing patient care efficiency. | https://privacy.microsoft.com/en-gb/privacystatement |
| Heidi AI | Heidi AI is an artificial intelligence-powered medical scribe that automates the creation of clinical documentation during patient encounters, allowing clinicians to focus more on patient care by reducing administrative tasks. | https://www.heidihealth.com/uk/legal/privacy-policy |
| Patient Access | The Patient Access app enables GP practices to provide patients with remote access to book appointments, order repeat prescriptions, and message the practice directly, facilitating convenient digital healthcare services while ensuring secure access through NHS login authentication. | https://patient.info/privacy-policy |
| NHS App | The NHS App allows GP practices to securely share medical records and enable patients to access health services like booking appointments, ordering prescriptions, and viewing their GP health data, facilitating efficient digital healthcare delivery while ensuring proper access controls over sensitive patient information. | https://www.nhs.uk/our-policies/ |
We may sometimes use anonymised data about you, ensuring that no details can identify you as an individual or be traced back to you. This protects your privacy while enabling the responsible use of data for purposes such as research and service improvement. The anonymisation process involves removing or obscuring any personally identifiable information (PII) or sensitive details. We employ robust techniques such as data masking, pseudonymisation, and aggregation to ensure that anonymised data cannot reveal your identity. Your privacy remains safeguarded throughout this process.
Under data protection laws, you have certain rights regarding the personal and healthcare information we hold about you. These include:
You have the right to request a copy of the personal data we hold about you. To do so, please complete a Subject Access Request (SAR) form in person. We provide this information free of charge, though in cases of excessive, complex, or repetitive requests, an administrative fee may apply. We will respond to your request within one month. Please submit requests in writing and specify the information you require.
You can request online access to your medical records. Before granting access, we must verify your identity and obtain your written consent. Once granted, it is your responsibility to safeguard your account and prevent unauthorised access.
If you believe any information we hold about you is incorrect or outdated, you have the right to request corrections. Please inform us promptly if your contact details change.
You may request the removal of your personal information. However, if this data is essential for providing you with medical services, we may be unable to comply with the request.
We will not share your data for purposes unrelated to your healthcare—such as research or education—without your consent. You have the right to object to such sharing. Please refer to the “Anonymised Information” section for details.
You may request that your healthcare information be transferred to another organisation in an electronic or other format. We require your explicit consent to do so.
We may use automated processes for certain administrative functions, such as registering new patients.
During consultations, you may mention third parties, such as family members or caregivers. We have an obligation to protect their confidentiality. Before sharing information with you or others, we will redact or anonymise details that could compromise their privacy.
We take great care in handling third-party information and adhere to strict confidentiality standards to protect the privacy rights of all individuals referenced in your records.
We use your personal and healthcare information for the following purposes:
To ensure seamless care, we may share your information with relevant healthcare professionals, such as doctors, consultants, nurses, and medical organisations involved in your treatment.
In specific circumstances, we are legally required to share your data with law enforcement, courts, solicitors, or other authorities. Any disclosures are strictly in compliance with applicable laws.
We will never share your personal information with third parties who do not have a legal or legitimate need for access without your explicit consent.
Under the UK General Data Protection Regulation (UK GDPR), we must have a legal basis for processing your data. The legal justifications we rely on include:
We have a contract with NHS England to provide healthcare services, which legally requires us to process patient information.
In some cases, we rely on your explicit consent to process your data. You have the right to withdraw consent at any time.
We process your data when necessary to protect your health and wellbeing. This is referred to as “protecting your vital interests” under the law.
We may be required to share your data with authorised entities in compliance with UK laws.
Under Article 9 of UK GDPR, health-related data falls into a special category due to its sensitive nature. We may process this data under the following circumstances:
In cases such as disease outbreaks, we may need to contact you for treatment or share data with relevant organisations to ensure you receive appropriate care.
We process sensitive data when you have explicitly consented to its use.
If you are unable to provide consent (e.g., in a medical emergency), we may process your data to protect your health.
If a legal claim is made against us, we may use relevant medical information to defend ourselves.
We process your health data when necessary to provide you with medical care and treatment.
At Watford Health Centre, we retain patient records in accordance with the NHS Records Management Code of Practice and data protection laws.
We consider the following when determining retention periods:
Legal and clinical requirements for maintaining medical records
Operational needs for patient care continuity
NHS regulations, which mandate that GP patient records be kept for at least 10 years after death or after a patient permanently leaves the country (unless within the European Union)
Electronic patient records, which are typically retained for the patient’s lifetime plus additional contingency periods
We regularly review data retention schedules to align with best practices and legal requirements. When records reach the end of their retention period, they are securely deleted.
Your data will only be retained as long as necessary to support your healthcare and our professional obligations.
The Patient Participation Group (PPG) is a voluntary group of patients who provide feedback to help improve healthcare services.
Information Collected for PPG Membership
If you choose to join the PPG, we may collect:
Name, title, and date of birth
Gender and ethnic group
Contact details (phone, email)
Frequency of practice visits
This data is securely stored and will not be shared without your consent.
Managing Your PPG Information
If you wish to be removed from the PPG’s records, please email manorview@nhs.net, and we will process your request promptly.
If you have concerns about how we handle your personal data, please submit a complaint in writing to watfordhealthcentre@nhs.net or via our website’s Complaint Form.
You may also escalate your complaint to the UK’s Information Commissioner’s Office (ICO) if you are unsatisfied with our response.
We take complaints seriously and are committed to resolving them transparently.
This Privacy Policy applies only to www.watfordhealthcentre.co.uk. If you access other websites through links on our site, their privacy policies will apply.
We do not take responsibility for the content or privacy practices of third-party websites. We encourage you to review their policies before providing any personal information.
Our website uses cookies to improve functionality and user experience. For details on the cookies we use and how to manage them, please refer to our Cookie Policy.
This Privacy Policy applies exclusively to the Watford Health Centre website (www.watfordhealthcentre.co.uk). If you navigate to external websites via links on our site, please review their privacy policies, as they govern the handling of your information on those platforms.
We do not assume responsibility for the content, privacy practices, or security measures of third-party websites accessed through our links. The protections outlined in this Privacy Policy apply only to information collected and processed through our website.
When visiting external websites, we recommend exercising caution and reviewing their privacy policies to understand how they collect, use, and protect your personal data. We cannot guarantee the security or privacy practices of websites outside our direct control.
At Watford Health Centre, we prioritise the security of your personal data. We use industry-standard security measures to protect information collected through our website from unauthorised access, disclosure, alteration, or loss. However, no online data transmission or electronic storage method is entirely secure. While we strive to protect your information, we cannot guarantee absolute security.
If you have concerns about website security or how your data is handled, please contact us. We are committed to transparency and addressing any issues promptly.
To protect your privacy and ensure effective communication, it is essential that you keep your contact details up to date.
Why Accurate Contact Information is Important
We may contact you via SMS, phone, or email regarding:
Appointment reminders
Important healthcare updates
Services related to your care
Having accurate contact details ensures that we reach you directly and do not inadvertently share confidential information with someone else.
Your Responsibility
It is your responsibility to notify us immediately of any changes to your:
Mobile phone number
Email address
Postal address
By keeping your information current, you help us maintain secure and reliable communication, safeguarding your personal and healthcare data.
You can access the Watford Health Centre Privacy Policy through the following channels:
Online: Available on our website at www.watfordhealthcentre.co.uk
In Person: Request a printed copy from our staff
We encourage all patients to review our Privacy Policy to understand how we collect, use, and protect personal and healthcare information.
Privacy Policy for Under-16s
There is a separate Privacy Notice for patients under 16 years old.
We regularly review and update our Privacy Policy to ensure it remains current, accurate, and compliant with legal requirements.
This Privacy Policy was last reviewed and updated in April 2025.