
Privacy Notice

Prioritising Your Privacy

At our core, we greatly value the trust you place in us to protect your personal information. Safeguarding your privacy is a fundamental responsibility that we take seriously. We have implemented strong security measures to ensure your data is handled with the highest level of care, undergoing regular assessments to uphold the best standards.

Please take the time to read this Privacy Policy (‘Privacy Policy’) carefully, as it contains essential details about how we collect, use, and protect your personal and healthcare information.

  1. Transparent Communication: Your Privacy Matters

We provide this Privacy Notice in full compliance with legal obligations. Its purpose is to clearly explain how we gather, use, and safeguard your personal and healthcare information. We prioritise transparency so that you have a complete understanding of our approach. This notice covers the following key areas:

Why We Collect Information: We will clarify the reasons for collecting your personal and healthcare data, ensuring you understand its purpose and necessity.

How We Use Your Information: We will outline how we utilise your personal and healthcare information, ensuring complete awareness of its intended use.

Data Handling Procedures: We will explain the steps we take to manage and protect your information, including any circumstances where it may be shared with third parties and the reasons for doing so.

Retention Policies: We will inform you about how long we retain your personal and healthcare data, following legal and operational requirements.

If you have any questions, concerns, or need further clarification regarding this Privacy Policy or any aspect of your data privacy, please contact Harshik Jethwa at the practice. We are here to assist you and provide the reassurance you need.

  1. The Data Protection Officer

Our designated Data Protection Officer (DPO) is:

hweicbenh.dpo-gpcontractedservice@nhs.net

The DPO is responsible for overseeing our compliance with data protection regulations. You can contact them with any questions or concerns about how your personal data is used.

For any enquiries, you can also reach the DPO team through Watford Health Centre at watfordhealthcentre@nhs.net, which serves as your primary contact point for:

Questions regarding how your personal and healthcare information is collected, stored, and protected.

Requests to access, update, or amend your information.

Filing a complaint or raising concerns about how your personal and healthcare data is managed.

Any other questions or clarifications related to this Privacy Policy and your rights as a patient.

  1. About Us

At Watford Health Centre, we are committed to delivering high-quality healthcare services to all our patients.

As the data controller, Watford Health Centre is responsible for the collection, storage, and management of your personal and healthcare information when you register as a patient with us.

We are registered with the Information Commissioner’s Office (ICO) under the registration number Z5764169.

There are instances where we also process your information for specific purposes, as outlined in this Privacy Policy.

  1. Information We Collect From You

We collect a range of information to provide you with the best possible care:

Personal Details

Contact information: Name, date of birth, NHS number, gender, phone numbers, email address, place of work, and work contact details.

Additional personal details: Marital status, religion, ethnicity, sexual orientation.

Emergency contacts: Details and contact numbers of your next of kin.

Medical Information

Your medical history and relevant details.

The reason for your visit to the practice.

Medical records, including diagnosis details, consultation notes, and interactions with clinicians and other healthcare professionals involved in your care.

Information may be collected and recorded during in-person consultations, telephone calls (which may be recorded), or via SMS messaging services.

Feedback Surveys and Forms

Responses to patient feedback surveys, including the Friends and Family Test (FFT).

  1. Information About You We Collect From Others

Alongside the details you provide directly, we may also receive personal and healthcare information about you from various external sources, including:

Healthcare Providers

Hospitals

Consultants

Other medical or healthcare professionals involved in your care

 

Caregivers

Relevant details provided by relatives or individuals responsible for your care

Legal and Government Entities

Court Orders

Police

Home Office

Solicitors

Insurance Companies

Information related to your coverage or claims provided by your insurer

Digital Communication

Emails

Social Media

Website interactions

  1. Identifying Risk and Enabling Preventative Care

The NHS actively collects patient medical information to help identify individuals at risk of developing certain health conditions. This proactive approach helps prevent emergency hospital admissions and ensures timely preventative care. Your data may be gathered from sources such as NHS Trusts and our GP Practice.

Risk Stratification Process

Your medical information is anonymised and analysed using specialised software.

The results are sent back to your GP, who is the only person able to identify you.

This process, known as Risk Stratification, helps GPs focus on preventive care rather than just treating illnesses.

If necessary, your GP may offer additional services tailored to your identified risks.

You have the right to opt out if you do not wish for your data to be used in this manner.

Population Health Management and Risk Stratification

The Hertfordshire and West Essex Integrated Care Board (ICB) conducts population health management and risk stratification using the data we share through our computer systems.

This information is pseudo-anonymised, meaning it cannot be directly linked to you by the ICB—only our practice can identify you through a unique code.

The ICB may use this data to:

Analyse existing healthcare services and plan for future improvements.

 

Develop risk stratification models to assist GPs in managing long-term conditions, reducing unplanned hospital admissions, and mitigating risks for diseases like diabetes.

Assess the health needs of the local population to design and commission suitable healthcare services.

This process is conducted by Oracle Health, commissioned by the ICB.

Opting Out

If you prefer not to have your data included in this process, even in a form that does not directly identify you, you can opt out. Please contact the Practice, and we will apply an opt-out code to your records to ensure your information is excluded.

  1. Your Summary Care Record

Your Summary Care Record (SCR) is an electronic health record containing key details about your medical history and other relevant personal information. This record is securely stored on a national database managed by NHS England, ensuring healthcare professionals can access your medical data when needed.

Sharing Your Information for Better Care

Your SCR may be shared with healthcare professionals directly involved in your treatment. Additionally, authorised healthcare providers and organisations can contribute to your record, keeping it up to date and comprehensive.

Your Right to Privacy

You have the right to restrict access to your Summary Care Record for anyone not directly involved in your healthcare. If you would like to learn more about your options regarding data-sharing restrictions, please contact Harshik Jethwa at the practice.

Wider Use of Confidential Information

To understand how your confidential personal information may be used beyond your direct care and to register your preferences, please visit www.nhs.uk/my-data-choice.

If you do not wish for your data to be used in this broader capacity, you can opt out at any time.

Even if you opt out, you can still consent to specific uses of your data when needed.

If you are comfortable with the existing use of your information, no action is required, but you have the flexibility to change your preference at any time.

  1. Who We May Share Your Personal Information With, And Why

When you access healthcare services—such as visiting an Accident & Emergency department or using Community Care Services—essential information about you is collected to ensure you receive the highest quality care. This information may be shared with authorised organisations, where legally permitted, to support service planning, enhance care quality, conduct medical research, and prevent illness. These efforts contribute to improving care for you, your family, and future generations. However, as outlined in this privacy policy, your confidential health and care information is only shared when legally permitted and will never be used for any other purpose without your explicit consent.

Direct Healthcare Providers

To ensure you receive appropriate healthcare, we may share your personal information with the following professionals and organisations:

Hospital staff, including doctors, consultants, and nurses

Other GPs and doctors

Pharmacists

Nurses and allied healthcare professionals

Dentists

Mental health professionals and other healthcare service providers involved in your care

Other Recipients of Your Information

Beyond direct healthcare providers, we may also share your information with:

Commissioners

Clinical Commissioning Groups (CCGs) or Integrated Care Boards (ICBs)

Local authorities

Community health services

Legal and compliance entities (e.g., Police, Solicitors, Insurance Companies)

Any person or organisation you have given explicit consent to access your records

If you grant consent for another person or organisation to view your record, we will contact you to verify your approval before releasing any information. It is important to be clear about the details you are authorising to be disclosed.

Data Extraction by the Hertfordshire and West Essex ICB

At times, the Hertfordshire and West Essex Integrated Care Board (ICB) extracts medical information from our system. However, the data we provide to them is pseudo-anonymised, meaning it cannot be used to identify you. Instead, your information is assigned a unique code that only our practice can link back to you.

This ensures that even if someone at the ICB has access to the extracted data, they cannot identify you personally. Additionally, we will never provide them with any identifiable information.

The Hertfordshire and West Essex ICB may require this information for:

Ensuring GP practices comply with local and national healthcare guidelines

Promoting high-quality medical care across the region

  1. Who Are Our Partner Software Suppliers?

To provide effective healthcare services, we work with a range of trusted software suppliers. Below is a list of the providers we partner with to facilitate patient care. For more details on how they handle data, please visit their respective websites and review their privacy policies.


| Name | Description | Privacy Link |
| --- | --- | --- |
| Emis Web | EMIS Web is a clinical software system that allows GP practices to securely store, access, and manage patient medical records and information, enabling efficient delivery of healthcare services and continuity of care. Records are stored in a safe and secure manner in data centres owned and operated by Amazon Web Services which has been approved by NHS Digital. | https://www.emishealth.com/privacy-policy |
| Accurx (Patient Triage) | AccuRx Patient Triage is a secure messaging platform that allows GP practices to safely communicate with patients, triage symptoms, and manage medical queries. It stores patient information in an encrypted format on secure servers, ensuring data privacy and compliance with healthcare regulations while facilitating efficient access to care. | https://www.accurx.com/privacy-policy |
| Surgery Connect | Surgery Connect telephone system enables GP practices to securely store and access patient information through its cloud-based platform. It facilitates efficient communication between healthcare providers while ensuring patient data privacy by employing robust encryption and access controls for storing sensitive medical records in compliance with data protection regulations. | https://www.x-on.co.uk/privacy-notice/ |
| Docman | DocMan is a document management system used by GP practices to securely store and manage patient medical records and correspondence digitally. It allows authorised healthcare staff to access, share, and update patient documents while ensuring data privacy through encryption and access controls compliant with healthcare regulations. | https://www.docman.com/privacy-policy/ |
| Docmail | DocMail is provided by CFH Total Document Management Ltd a secure print and mailing company which provides print and mailing services for Local Government, GPs, Dentists, Medical Practices, Schools, Exam Boards and Banks etc. | https://www.docmail.co.uk/downloads/Docmail-Privacy.pdf |
| ITS Digital | ITS Digital is the practice’s primary general IT support provider. Their support staff are able to remotely dial in with the consent of our staff for technical problem solving. | https://itsdigital.co.uk/privacy-policy/ |
| Numed | Numed provides software and remote support for our spirometer and blood pressure monitoring devices. With staff consent, their personnel can remotely access these systems for troubleshooting while we maintain strict security protocols to safeguard patient data privacy and confidentiality. | https://www.numed.co.uk/privacy-policy |
| DXS Systems | DXS provides a clinical knowledge platform that integrates evidence-based guidance, treatment pathways, and patient information into GP workflows, enabling efficient access to up-to-date medical knowledge to improve patient care and outcomes. | https://www.dxs-systems.co.uk/privacy.php |
| Microsoft Suite | In GP surgeries, Microsoft Suite is essential: Word is used for documentation and patient letters, Excel for data analysis and tracking, Outlook for secure communication, and Teams for virtual meetings and collaboration. It’s a key provider to the NHS, streamlining operations and enhancing patient care efficiency. | https://privacy.microsoft.com/en-gb/privacystatement |
| Heidi AI | Heidi AI is an artificial intelligence-powered medical scribe that automates the creation of clinical documentation during patient encounters, allowing clinicians to focus more on patient care by reducing administrative tasks | https://www.heidihealth.com/uk/legal/privacy-policy |
| Patient Access | The Patient Access app enables GP practices to provide patients with remote access to book appointments, order repeat prescriptions, and message the practice directly, facilitating convenient digital healthcare services while ensuring secure access through NHS login authentication. | https://patient.info/privacy-policy |
| NHS App | The NHS App allows GP practices to securely share medical records and enable patients to access health services like booking appointments, ordering prescriptions, and viewing their GP health data, facilitating efficient digital healthcare delivery while ensuring proper access controls over sensitive patient information. | https://www.nhs.uk/our-policies/ |

  1. Anonymised Data Management Procedures

We may sometimes use anonymised data about you, ensuring that no details can identify you as an individual or be traced back to you. This protects your privacy while enabling the responsible use of data for purposes such as research and service improvement. The anonymisation process involves removing or obscuring any personally identifiable information (PII) or sensitive details. We employ robust techniques such as data masking, pseudonymisation, and aggregation to ensure that anonymised data cannot reveal your identity. Your privacy remains safeguarded throughout this process.

  1. Your Rights as a Patient

Under data protection laws, you have certain rights regarding the personal and healthcare information we hold about you. These include:

  1. Access and Subject Access Requests (SARs)

You have the right to request a copy of the personal data we hold about you. To do so, please complete a SARs form in person. We provide this information free of charge, though in cases of excessive, complex, or repetitive requests, an administrative fee may apply. We will respond to your request within one month. Please submit requests in writing and specify the information you require.

  1. Online Access

You can request online access to your medical records. Before granting access, we must verify your identity and obtain your written consent. Once granted, it is your responsibility to safeguard your account and prevent unauthorised access.

  1. Correction

If you believe any information we hold about you is incorrect or outdated, you have the right to request corrections. Please inform us promptly if your contact details change.

  1. Removal

You may request the removal of your personal information. However, if this data is essential for providing you with medical services, we may be unable to comply with the request.

  1. Objection

We will not share your data for purposes unrelated to your healthcare—such as research or education—without your consent. You have the right to object to such sharing. Please refer to the “Anonymised Information” section for details.

  1. Transfer

You may request that your healthcare information be transferred to another organisation in an electronic or other format. We require your explicit consent to do so.

  1. Automated Decision-Making

We may use automated processes for certain administrative functions, such as registering new patients.

  1. Safeguarding Third-Party Information in Your Medical Records

During consultations, you may mention third parties, such as family members or caregivers. We have an obligation to protect their confidentiality. Before sharing information with you or others, we will redact or anonymise details that could compromise their privacy.

We take great care in handling third-party information and adhere to strict confidentiality standards to protect the privacy rights of all individuals referenced in your records.

  1. How We Use Your Information

We use your personal and healthcare information for the following purposes:

  1. Facilitating Coordinated Care

To ensure seamless care, we may share your information with relevant healthcare professionals, such as doctors, consultants, nurses, and medical organisations involved in your treatment.

  1. Legal and Regulatory Compliance

In specific circumstances, we are legally required to share your data with law enforcement, courts, solicitors, or other authorities. Any disclosures are strictly in compliance with applicable laws.

 

  1. Consent-Based Sharing

We will never share your personal information with third parties who do not have a legal or legitimate need for access without your explicit consent.

  1. Legal Justification for Processing Your Information

Under the UK General Data Protection Regulation (UK GDPR), we must have a legal basis for processing your data. The legal justifications we rely on include:

  1. Contractual Obligation

We have a contract with NHS England to provide healthcare services, which legally requires us to process patient information.

  1. Consent

In some cases, we rely on your explicit consent to process your data. You have the right to withdraw consent at any time.

  1. Necessary Care

We process your data when necessary to protect your health and wellbeing. This is referred to as “protecting your vital interests” under the law.

  1. Legal Obligation

We may be required to share your data with authorised entities in compliance with UK laws.

  1. Handling Sensitive Health Information (Special Category Data)

Under Article 9 of UK GDPR, health-related data falls into a special category due to its sensitive nature. We may process this data under the following circumstances:

  1. Public Interest

In cases such as disease outbreaks, we may need to contact you for treatment or share data with relevant organisations to ensure you receive appropriate care.

  1. Consent

We process sensitive data when you have explicitly consented to its use.

  1. Vital Interest

If you are unable to provide consent (e.g., in a medical emergency), we may process your data to protect your health.

  1. Defending a Claim

If a legal claim is made against us, we may use relevant medical information to defend ourselves.

  1. Providing Medical Care

We process your health data when necessary to provide you with medical care and treatment.

 

  1. Data Retention: How Long We Keep Your Personal Information

At Watford Health Centre, we retain patient records in accordance with the NHS Records Management Code of Practice and data protection laws.

We consider the following when determining retention periods:

Legal and clinical requirements for maintaining medical records

Operational needs for patient care continuity

NHS regulations, which mandate that GP patient records be kept for at least 10 years after death or after a patient permanently leaves the country (unless within the European Union)

Electronic patient records, which are typically retained for the patient’s lifetime plus additional contingency periods

We regularly review data retention schedules to align with best practices and legal requirements. When records reach the end of their retention period, they are securely deleted.

Your data will only be retained as long as necessary to support your healthcare and our professional obligations.

  1. Patient Participation Group (PPG)

The Patient Participation Group (PPG) is a voluntary group of patients who provide feedback to help improve healthcare services.

Information Collected for PPG Membership

If you choose to join the PPG, we may collect:

Name, title, and date of birth

Gender and ethnic group

Contact details (phone, email)

Frequency of practice visits

This data is securely stored and will not be shared without your consent.

Managing Your PPG Information

If you wish to be removed from the PPG’s records, please email manorview@nhs.net, and we will process your request promptly.

  1. Complaints

If you have concerns about how we handle your personal data, please submit a complaint in writing to watfordhealthcentre@nhs.net or via our website’s Complaint Form.

You may also escalate your complaint to the UK’s Information Commissioner’s Office (ICO) if you are unsatisfied with our response.

 

We take complaints seriously and are committed to resolving them transparently.

  1. Website Privacy Policy

This Privacy Policy applies only to www.watfordhealthcentre.co.uk. If you access other websites through links on our site, their privacy policies will apply.

We do not take responsibility for the content or privacy practices of third-party websites. We encourage you to review their policies before providing any personal information.

  1. Cookies Policy

Our website uses cookies to improve functionality and user experience. For details on the cookies we use and how to manage them, please refer to our Cookie Policy.

  1. Website Security and Third-Party Links

This Privacy Policy applies exclusively to the Watford Health Centre website (www.watfordhealthcentre.co.uk). If you navigate to external websites via links on our site, please review their privacy policies, as they govern the handling of your information on those platforms.

We do not assume responsibility for the content, privacy practices, or security measures of third-party websites accessed through our links. The protections outlined in this Privacy Policy apply only to information collected and processed through our website.

When visiting external websites, we recommend exercising caution and reviewing their privacy policies to understand how they collect, use, and protect your personal data. We cannot guarantee the security or privacy practices of websites outside our direct control.

At Watford Health Centre, we prioritise the security of your personal data. We use industry-standard security measures to protect information collected through our website from unauthorised access, disclosure, alteration, or loss. However, no online data transmission or electronic storage method is entirely secure. While we strive to protect your information, we cannot guarantee absolute security.

If you have concerns about website security or how your data is handled, please contact us. We are committed to transparency and addressing any issues promptly.

  1. Keeping Your Contact Details Updated

To protect your privacy and ensure effective communication, it is essential that you keep your contact details up to date.

Why Accurate Contact Information is Important

We may contact you via SMS, phone, or email regarding:

Appointment reminders

Important healthcare updates

Services related to your care

 

Having accurate contact details ensures that we reach you directly and do not inadvertently share confidential information with someone else.

Your Responsibility

It is your responsibility to notify us immediately of any changes to your:

Mobile phone number

Email address

Postal address

By keeping your information current, you help us maintain secure and reliable communication, safeguarding your personal and healthcare data.

  1. Accessing Our Privacy Policy

You can access the Watford Health Centre Privacy Policy through the following channels:

Online: Available on our website at www.watfordhealthcentre.co.uk

In Person: Request a printed copy from our staff

We encourage all patients to review our Privacy Policy to understand how we collect, use, and protect personal and healthcare information.

Privacy Policy for Under-16s

There is a separate Privacy Notice for patients under 16 years old.

[Click here] to view the Privacy Policy for Children.

  1. Keeping Our Privacy Policy Up to Date

We regularly review and update our Privacy Policy to ensure it remains current, accurate, and compliant with legal requirements.

This Privacy Policy was last reviewed and updated in April 2025.