Fair processing (privacy) notice
NHS Kent and Medway is responsible for planning and buying (also known as commissioning) health services from healthcare providers such as hospitals and GPs, for our local population.
We also monitor the performance and quality of these services. In general we only use data that has been anonymised (identifiable details removed) or pseudonymised for these purposes.
Pseudonymised data/information is anonymous to the people who hold or receive it, for example a research team, but contains information or codes that would allow others, for example those responsible for the person’s care, to identify the person.
This privacy notice tells you:
- who we are
- the type of information (including personal data and special categories of information) the organisation holds and why
- how the organisation uses the information
- who the organisation may share that information with
- how we keep the information, safe, secure and confidential
- how you can contact us regarding your rights.
Full details on each data flow are included in the data flows map.
The organisation is a controller under the terms of the General Data Protection Regulations (GDPR) / Data Protection Act 2018 (the Act). This means we are legally responsible for ensuring all personal information we process, hold, obtain, record, use or share about you is carried out in compliance with data protection principles.
All controllers must register with the Information Commissioner’s Office (ICO). Our ICO Data Protection Register number is ZB346663 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.
Under the General Data Protection Regulations (GDPR) and Data Protection Act 2018, the organisation as a public authority must appoint a data protection officer (DPO). All integrated care boards must also appoint a caldicott guardian and senior information risk owner (SIRO). Please see the key individuals section below for more information.
We are committed to protecting your privacy and will only process personal, confidential data in accordance with the Data Protection Act 2018, the Common Law Duty of Confidentiality and the Human Rights Act 1998.
Everyone working for the NHS has a legal duty to keep information about you confidential and comply with the Common Law Duty of Confidentiality. The information we do hold about you is protected from unauthorised access. Under the NHS Confidentiality Code of Conduct, all our staff are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.
All information we hold about you will be held securely and confidentially. We use administrative and technical controls to do this, such as issuing encrypted secure IT equipment to all staff. We use strict controls to ensure only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.
All of our staff, contractors and committee members receive appropriate and on-going data security awareness training to make sure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.
We will not share any information about you to any third party. We will only obtain and use the minimum amount of information necessary about you.
Data Protection Officer (DPO)
The organisation's Data Protection Officer is Head of Corporate Governance Andrew Harvey.
The DPO’s minimum tasks are defined in Article 39 of the GDPR:
- To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
- To monitor compliance with GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments, train staff and conduct internal audits.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed.
All NHS organisations are required to appoint a Caldicott Guardian to ensure compliance with patient data confidentiality. The organisation’s Caldicott Guardian is our Chief Nurse Dame Eileen Sills, who is responsible for protecting the confidentiality of patients’ and service users’ information and enabling appropriate information sharing.
The Caldicott Guardian plays a key role in ensuring the organisation satisfies the highest possible standards for handling personal information.
Acting as the conscience of an organisation, the Caldicott Guardian supports work to enable information sharing where it is appropriate and advises on options for lawful and ethical processing of information.
Senior Information Risk Owner (SIRO)
In addition to the Caldicott Guardian, the organisation also has a SIRO who owns our overall information risk policy and risk assessment process. This involves making sure there are robust incident reporting processes for any information risks identified. The SIRO is our Executive Director of Corporate Governance Mike Gilbert. The Deputy SIRO is the Deputy Director of Corporate Services Nigel Scott.
Your doctor and other health professionals caring for you, such as nurses or physiotherapists, keep records about your health and treatment, the care we have provided, or plan to provide to you, so they are able to provide you with the best possible care.
These records are called your health care record and may be stored in paper form or on an electronic system. They may include:
- details about you, such as your address, date of birth, NHS number, and next of kin,
- details of the contacts we have had with you, such as clinical visits,
- notes and reports about your health,
- records about your treatment and care, results of x-rays, laboratory tests etc.
Your health care records are used for the following reasons:
- by healthcare professionals looking after you to have accurate and up-to-date information to help them decide on any future care you may need
- to make sure accurate and complete information is available, should you see another doctor or be referred to a specialist or another part of the NHS,
- to have a good basis for assessing the type and quality of care you have received,
- to make sure your concerns can be properly investigated if you need to complain.
The law provides some NHS bodies, such as NHS Digital, the ability to collect and use unidentifiable patient data which they can then provide to help commissioners to design and acquire the combination of services that best suit the population they serve.
Data may be linked and anonymised by these bodies so it can be used to improve health care and development and monitor NHS performance. This is often referred to as a secondary use of data. Where data is used for these statistical purposes, rigorous measures are taken to ensure patients cannot be identified (see information below regarding anonymisation).
For the majority of our work, we do not need to use personal/confidential data and wherever possible, anonymised data is used.
Anonymised data refers to the process of turning personal and/or sensitive data into a form which does not identify individuals and where identification is not likely to take place. The Data Protection Act 2018 / GDPR only applies to personal identifiable information and therefore anonymised data is not covered by the act as there is only a slim, to no, chance of the information being re-identifiable.
We hold information centrally which is used for statistical purposes to allow us to plan the commissioning of healthcare services. We will only use anonymised data for this. Examples include:
- to check the quality and efficiency of the health services we commission,
- to prepare performance reports on the services we commission,
- checking NHS accounts and services,
- working out what illnesses people will have in the future so we can work with local services to make sure patients' needs are met,
- reviewing the care we commission to make sure it is of a high standard.
As the organisation is responsible for funding services, we do not provide any healthcare services and therefore we do not routinely hold medical records or patient confidential data.
There are some specific areas, however, where we do hold and use personal confidential information. In order to process that information we will have met a legal requirement, as follows:
- meeting a legal basis for processing under the Data Protection Act 2018,
- to protect children or vulnerable adults,
- where there is an overriding public interest in using the information, for example, to safeguard an individual, or to prevent a serious crime,
- where there is a legal requirement that will allow us to use or provide information (a formal court order),
- where we have special permission for health or research purposes (granted by the Health Research Authority Section 251),
- for the health and safety of others, for example to report an infectious disease.
The organisation has a limited number of functions, where personal confidentiality is required. Full details of these functions are included in our data flows map.
The GDPR / Data Protection Act 2018 provides the following rights for individuals depending on the legal basis for processing (as identified in the data flows map):
- right to be informed
- right of access
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object
- rights related to automated decision making including profiling.
Further information on these rights can be accessed here.
If you wish to exercise any of the rights available to you, or to speak to somebody to understand what impact this may have, please contact the Data Protection Officer.
You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered.
If your wishes cannot be followed you will be told the reasons (including the legal basis) for that decision. This includes situations such as to fulfil our safeguarding obligations and any areas where we have legal obligations to share your information.
If you wish to exercise your right to opt-out, or to speak to somebody to understand what, if any, impact this may have please contact the Data Protection Officer.
Whenever you use a health or care service, such as attending an emergency department or using community care services, important information about you is collected in a patient record by that service.
The information collected about you when you use these services can be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services.
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, unidentifiable data is used for research and planning, in which case your confidential patient information isn’t needed.
You have a choice about whether you want your information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.
Find out more and register your choice to opt out here.
You can also find out more about how patient information is used for health and care research here.
Find out more about how and why patient information is used, the safeguards and how decisions are made here.
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Health and care organisations have to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.
Any information obtained by the organisation will be retained for as long as is necessary for the purpose we collected it for.
Records are kept in accordance with Data Protection Act 2018 principles and are maintained in line with the Records Management Code of Practice for Health and Social Care retention schedule which determines the length of time records should be kept.
Destruction of data will only happen following a review of the information at the end of its retention period. Where data has been identified for disposal we have the following responsibilities to:
- ensure information held in manual form (regardless of whether originally or printed from the IT systems) is destroyed using a reputable confidential waste company that complies with European Standard EN15713,
- ensure electronic storage media used to hold or process information are destroyed or overwritten to current CESG standards,
- retain copies of all relevant overwriting verification reports and/or certificates of secure destruction of NHS information at the conclusion of the contract (where we have contracted with external organisations to do this for us),
- ensure any arrangement made to sub-contract secure disposal services from another provider, complies with clause GC12 of the NHS Standard Contract and with assurance that the sub-contractor’s organisational and technical security measures comply with the Data Protection Act 2018.
This notice is not exhaustive, however, we are happy to provide any additional information or explanation needed.
Requests for this should be sent to the Data Protection Officer: firstname.lastname@example.org
NHS Kent and Medway
Unit A, Compass Centre North
Pembroke Road, Chatham Maritime
For independent advice about data protection, privacy and data-sharing issues, or to make a complaint about how your data is used and processed, you can contact:
The Information Commissioner
Wycliffe House, Water Lane,
Wilmslow, Cheshire SK9 5AF
Phone: 08456 30 60 60 or 01625 545745
Reviews and changes to this page
We will keep our privacy notice under regular review. This privacy notice was last reviewed in June 2022.