Catherine House Surgery

Lines open: 8.00am to 6.30pm


Privacy notice

As data controllers, GPs have fair processing responsibilities under the Data Protection Act and GDPR law 2018. This means ensuring that your personal confidential data (PCD) is handled in ways that are safe, transparent and what you would reasonably expect. Please find documents and links below.

Our contact details
Name: Catherine House Surgery
Address: Westward House, New Walk, TOTNES, TQ9 5WB
Phone Number: 01803 862073

Reviewed 29.7.2022

Catherine House Surgery is the Data Controller for the data we hold about you.  We hold your data in order to provide you with health and social care.

The type of personal information we collect

Your personal data is any information that can be connected to you personally. We are mandated to ensure that it is treated in confidence and with respect, using the Caldicott Principles as our basis for managing your information. If you can be identified from the data, it is personal data. We may hold the following information about you:

  • Demographic and contact details (name, date of birth, address, contact numbers, email address, gender, sex, religion, marital status etc)
  • Relationships/Next of Kin, family, lifestyle and/or social circumstances
  • Employment details
  • Financial details
  • Details of each contact that we have had with you, including home visits and telephone consultations
  • Diagnoses (including physical disabilities and mental health conditions)
  • Records of your health and wellbeing, including reports from other health and care providers
  • Details of your care and treatments, including medication, test results and investigations that have been undertaken
  • Relevant information from people who care for you, including other health and care providers, carers and relatives.

When we collect your mobile number we use it to text you to remind you of appointments, health checks due, medication to be collected, blood results etc. We use your email address in a similar manner. If you no longer wish to receive communication this way, please let a member of staff know, who will be able to update your preferences.

How we get the personal information

A lot of the personal information we process is provided to us directly by you when you register with the practice.

We also collect data when you:

  • Receive treatment or care from the practice,
  • Contact the practice by telephone (all telephone calls received and made by the practice are recorded), online or in person,
  • Complete a form electronically or on paper,
  • Contact the practice via a Social Network (e.g. if you communicate with the practice through Twitter or Facebook),
  • Visit the practice’s website (If cookies are enabled).

We receive information about you from other providers to ensure that we provide you with effective and comprehensive treatment.

These providers may include:

  • The GP Practices within the South Dartmoor and Totnes Primary Care Network
  • Other GP Practices
  • NHS Trusts/Foundation Trusts
  • NHS Commissioning Support Units (CSUs)
  • Community Services (District Nurses, Rehabilitation Services and out of hours services)
  • Ambulance or emergency services
  • Independent contractors such as Pharmacies, Dentists and Opticians
  • Devon Clinical Commission Group (CCG)
  • NHS Digital
  • NHS England
  • Local authorities
  • Multi-Agency Safeguarding Hub (MASH)
  • Health and Social Care Information Centre (HSCIC)
  • Police and Judicial Services
  • Educational Services
  • Fire and Rescue Services
  • NHS 111
  • The Care Quality Commission, ICO and other regulated auditors
  • Public Health England and Screening
  • Non-NHS health care providers
  • Research providers

How we share your personal data

We may also share your information with the same providers (listed above) to deliver and coordinate your health and social care.  We will only ever share information about you if other agencies involved in your care have a genuine need for it.  Anyone who receives information from the Practice is under a legal duty to keep it confidential and secure.

Please be aware that there may be certain circumstances, such as assisting the police with the investigation of a serious crime, where it may be necessary for the practice to share your personal information with external agencies without your knowledge or consent.

We recognise that each of our patients has differing health and social care needs, and you may wish to control how your personal data is shared yourself. This can be done via ‘Your Choice’ stated below.

In addition to sharing data with the above services, the practice will also use carefully selected third party service providers that process data on behalf of the practice. When we use a third party service provider, we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating responsibly to ensure the protection of your data. Examples of functions that may be carried out by third parties include:

  • Organisations that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate video consultation, appointment bookings or electronic prescription services; document management services etc.
  • Organisations who are delivering services on behalf of the practice (for example conducting Medicines Management Reviews to ensure that you receive the most appropriate, up to date and cost-effective treatments or supporting practices in offering choices of providers and appointments to patients who are being referred via the NHS E-Referral system)
  • Delivery services (for example if we were to arrange for delivery of any medicines to you)
  • Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations)

Enhanced Data Sharing Module:

We share your record using Enhanced Data Sharing Module to make sure that, whether you are visiting the practice, attending hospital, or being seen in the community or at home by a care professional, everyone knows the care you need and how you want to be treated. Your electronic health record could be shared with:

  • Other GP Practices involved in any Out of Hours care
  • NHS Trusts/Foundation Trusts
  • Rowcroft Hospice
  • Community Services (District Nurses, Rehabilitation Services and out of hours services)
  • Ambulance or emergency services
  • Devon Clinical Commission Group (CCG)
  • NHS Digital
  • NHS England
  • Health and Social Care Information Centre (HSCIC)
  • NHS 111
  • Public Health England and Screening
  • Research providers to which you have consented

Your records will be treated with the strictest confidence and can only be viewed if you use their service.

Please note that if you have previously dissented (opted-out) to sharing your records, this decision will be upheld, and your record will only be accessed by the practice. Should you wish to opt-out, please speak to a member of the Reception team who will be able to update your personal preferences.

Please note that by opting out of this sharing, other health professionals may not be able to see important medical information, which may impact on the care you receive.

Summary Care Record (SCR)

NHS England have implemented the SCR, which contains information about you, including your name, address, date of birth, NHS number, medication you are taking and any bad reactions to medication that you have had in the past. This information is automatically extracted from your records and uploaded onto a central system. Many patients who are seen outside of their GP Practice are understandably not able to provide a full account of their care or may not be in a position to do so. The SCR means patients do not have to repeat their medical history at every care setting and the healthcare professional they are seeing is able to access their SCR. The SCR can only be viewed within the NHS on NHS smartcard-controlled screens or by organisations, such as pharmacies, contracted to the NHS.

As well as this basic record, additional information can be added to include further information. However, any additional data will only be uploaded if you specifically request it and with your consent. You can find out more about the SCR here:

Access to your information

Our staff will only have access to information that is necessary for them to complete the business activity they are involved in. This is reflected in the Caldicott Principles that access to your information should be on a need-to-know basis only.

Risk Stratification

Your medical records will be searched by a computer program so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital. This means we can offer patients additional care or support as early as possible.

This process will involve linking information from your GP record with information from other health or social care services you have used. Information which identifies you will only be seen by this practice. More information can be found at or speak to the practice.

What legal basis do we have to process your data?

In order to process your personal data or share your personal data outside of the practice, we need a legal basis to do so. If we process or share special category data, such as health data, we will need an additional legal basis to do so.

We rely upon Article 6(1)(e) (public interest) and Article 9(2)(h) (health and social care) for most of our processing and sharing, in particular to:

  • Provide you with health and social care,
  • Share data from, or allow access to, your GP record, for healthcare professionals involved in providing you with health and social care,
  • Receive data from or access your data on other NHS organisation clinician systems,
  • Work effectively with other organisations and healthcare professionals who are involved in your care,
  • Ensure that your treatment and advice, and the treatment of others is safe and effective,
  • Participate in National Screening Programmes,
  • Use a computer program to identify patients who might be at risk from certain diseases or unplanned admissions to Hospitals,
  • Help NHS Digital and the practice to conduct clinical audits to ensure you are being provided with safe, high quality care,
  • Support medical research when the law allows us to do so,
  • Supply data to help plan and manage services and prevent infectious diseases from spreading.

We rely upon Article 6(1)(d) (vital interest) and Article 9(2)(c) (vital interests) to share information about you with another healthcare professional in a medical emergency.

We rely upon Article 6(1)(e) (public interest task) and Article 9(2)(g) (substantial public interest) to support safeguarding for patients who, for instance, may be particularly vulnerable to protect them from harm or other forms of abuse.

We rely upon Article 6(1)(c) (legal obligation) and Article 9(2)(h) to share your information for mandatory disclosures of information (such as NHS Digital, CQC and Public Health England).

We rely upon Article 6(1)(c) (legal obligation) and Article 9(2)(f) (legal claims) to help us investigate legal claims and if a court of law orders us to do so.

We rely upon Article 6(1)(a) (consent) and Article 9(2)(a) (explicit consent), in order to:

  • Help the practice investigate any feedback, including patient surveys, complaints or concerns you may have about contact with the practice,
  • Help manage how we provide you with services from the practice, for example, when you nominate individuals to contact the practice on your behalf,
  • Share your information with third parties, for example, insurance companies and medical research organisations.

We also use anonymised data to plan and improve health care services. Specifically, we use it to:

  • Review the care being provided to make sure it is of the highest standard,
  • Check the quality and efficiency of the services we provide,
  • Prepare performance reports on the services we provide.

Where possible, we ensure your information is anonymised or pseudonymised (especially when using information for purposes other than for direct patient care).

Healthcare staff will respect and comply with their obligations under the common law duty of confidence.

How we store your personal information

Your information is securely stored.

We use a number of IT systems and tools to store and process your data, on behalf of the practice. Examples of the tools we use include our Core Clinical System (TPP), NHSmail, Microsoft 365 and AccuRx. For further information regarding this, please contact the practice.

How long do we hold your data?

We only hold your data for as long as necessary and are required to hold your data in line with the NHS Records Management Code of Practice for Health and Social Care 2016 Retention Schedule. Further information can be found online at:


Your data protection rights

Under data protection law, you have rights including:

Your right of access – You have the right to ask us for copies of your personal information. These will be provided free of charge, however, we are entitled to charge in certain circumstances. We are also entitled to refuse a request, where the law permits us to do so. If we require a fee or are unable to comply with your request we will notify you.

Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.

Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us at if you wish to make a request.


If the practice is relying on consent as the basis for processing your data, you have the right to withdraw your consent at any time. Once you have withdrawn your consent, we will stop processing your data for this purpose. However, this will only apply in circumstances in which we rely on your consent to use your personal data. Please be aware that if you do withdraw your consent, we may not be able to provide certain services to you.

National Screening Programmes:

The NHS provides national screening programmes so that certain diseases can be detected at early stages. These screening programmes include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service. More information on the national screening programmes can be found at:

If you do not wish to receive an invitation to the screening programmes, you can opt out at or speak to the practice.

Type 1 Opt-out:

You have the right to object to your confidential patient data being shared for purposes beyond your direct care by asking the practice to apply a Type 1 opt-out to your medical records. A Type 1 opt-out prevents personal data about you being extracted from your GP record and uploaded to any other organisations without your explicit consent. If you wish for a Type 1 opt-out to be applied to your record, please complete the Type 1 opt-out form and forward it to a member of the reception team.

National Data Opt-out:

You have the right to object to your data being shared under the national data opt-out model. The national data opt-out model provides an easy way for you to opt out of data that identifies you being used or shared for medical research purposes and quality checking or audit purposes.

To opt-out of your identifiable data being shared for medical research or to find out more about your opt-out choices please ask a member of staff or go to NHS Digital’s website:

Our organisation is currently compliant with the national data opt-out policy.

Cancer Registry:

The National Cancer Registration and Analysis Service is run by Public Health England and is responsible for cancer registration in England, to support cancer epidemiology, public health, service monitoring and research.

Further information regarding the registry and your right to opt-out can be found at:

How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us at Catherine House Surgery by contacting the Practice Manager, Sheila Lamkin.

You can also complain to the ICO if you are unhappy with how we have used your data.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane

Helpline number: 0303 123 1113

ICO website:

Data outside EEA

We do not send your personal data outside of the EEA. However, if this is required, the practice would only do so with your explicit consent.

Data Protection Officer

The Data Protection Officer for the practice is Bex Lovewell and she can be contacted via email on or by post: Delt Shared Services Limited, BUILDING 2 – Delt, Derriford Business Park, Plymouth, PL6 5QZ.


The practice’s website uses cookies. A cookie is a small file, typically of letters and numbers, downloaded on to a device (like your computer or smart phone) when you access certain websites. Cookies allow a website to recognise a user’s device. Some cookies help websites to remember choices you make (e.g. which language you prefer if you use the Google Translate feature). Analytical cookies are to help us measure the number of visitors to our website. The two types the practice uses are ‘Session’ and ‘Persistent’ cookies.

Some cookies are temporary and disappear when you close your web browser, others may remain on your computer for a set period of time. We do not knowingly collect or intend to collect any personal information about you using cookies. We do not share your personal information with anyone.

What can I do to manage cookies on my devices?

Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit

Changes to privacy notice

The practice reviews this privacy notice regularly and may amend the notice from time to time.


Date published: 18th October, 2014
Date last updated: 2nd August, 2022