The Kent and Medway Care Record

What is it?

The Kent and Medway Care Record (KMCR) is a single, shared care record for each patient who is cared for by the NHS or social services in Kent and Medway. Relevant information from the record will be able to be seen by all the health and care professionals who need to see it, and patients will be able to access their own records as well.

This represents a significant change for the health and social care system across Kent and Medway and is a legal requirement under the Health and Social Care (Safety and Quality) Act 2015.

Creating a shared record will:

  • Improve the quality of clinical and professional decision making: taking into account all relevant information, especially in complex cases.
  • Support better integrated care by sharing data for handovers and multi-disciplinary teams and enabling new models for delivering integrated care.
  • Improve safeguarding by ensuring that children and vulnerable adults that are at risk are immediately known as being so, enabling care decisions to be better informed and reducing the level of risk.

When will it be delivered?

There are three project phases:

  • Phase one – Solution design and market readiness – July 2017 to April 2019
  • Phase two – Procurement – April 2019 to December 2019
  • Phase three – Mobilisation – January 2020 to December 2021 (extending as business as usual to September 2026)

Work commenced on the mobilisation of the KMCR in April 2020 and is spread over an 18-month period to the end of December 2021, to make sure it is properly embedded within each organisation.

How was it developed?

The initial specification for the KMCR was developed with input from technical and clinical experts from across the acute, mental health and community trusts in Kent and Medway, South East Coast Ambulance NHS Trust, GPs and NHS commissioners, as well as Kent County Council and Medway Council.

To ensure that the views of our community are reflected in the development of the KMCR, a robust engagement exercise was commissioned by the KMCR team to get the views of a wide-ranging cross-section of Kent and Medway residents on the proposals to create the care record.

What did our community say about the KMCR?

Between October 2018 and January 2019, we spoke to more than 200 people across Kent and Medway about the KMCR. They key themes that were identified from these conversations were:

  • Vast majority of people supported the concept of joining up health and social care records. The majority of people assumed it was already in place
  • A belief that the KMCR will improve the experience of patients
  • A belief that it will improve care
  • A belief that it will improve efficiency and speed of healthcare access
  • Concerns about confidentiality and levels of permissions to data
  • Concerns about security of the system
  • Concerns about its affordability and deliverability
  • Support for patients being able to access their records

Their views were incorporated into the tender specification to ensure that the KMCR not only delivers a wide range of benefits, but is also safe, secure and affordable.

You can read the full report here.

Where are we now?

Everyone has been working hard since April 2021 to deliver the KMCR. Some GPs, acute hospital trusts, community health providers, mental health trusts and South East Coast Ambulance Service are already starting to use the KMCR, with the roll out set to continue during the summer of 2021, which will see both Kent County Council and Medway Council’s adult and children’s social care departments, and hospices in Kent and Medway also using the KMCR.

Citizen access

In the future, people living in Kent and Medway will be able to access their own care records through the KMCR patient portal, called My Care Record. Work to deliver this is scheduled to commence from mid-2021, with the voice of local citizens being central to its development.

Frequently Asked Questions

1. What sort of health and care information will be shared?

The personal data that is shared in the KMCR includes:

  • identifying data: Forename, surname, address, date of birth, gender, age, postal address, postcode, phone number and NHS number.

Other categories of personal data: This includes:

  • a list of diagnosed conditions – to make sure your clinical and care staff have an accurate record of your care
  • medication – so everyone treating you can see what medicines you have been prescribed
  • allergies – to make sure you’re not prescribed or given any medicines you can have an adverse reaction to
  • test results – to speed up treatment and care and to make sure tests are not repeated
  • referrals, clinical letters and discharge information – to make sure the people caring for you have all the information they need about other care and treatment you are having elsewhere
  • care plans (where available) – for health and care workers involved in your care to view a joined-up plan of care and the wishes you’ve asked for in relation to your care
  • relevant information about people that care for you and know you well
  • basic details about associated people, such as children, partners, carers, relatives etc.


2. Why do you want to share the information in my care record?

By bringing health and social care information together in one place for every authorised professional involved in your care, we can improve the safety, accuracy, speed and quality of your care.

3. Doesn’t everyone involved in my health and care already have access to my information?

Your records are kept by individual organisations involved in your care. For example, your GP will have a record and if you go to hospital, there will be a separate record. If you use a local council’s adult and children’s services, they will also create a record. At the moment, these are unlikely to be shared, meaning they can be inaccurate or incomplete. Bringing these electronic records together in one place will provide a fuller picture about your health.

4. Who will be able to access my health records?

Personal data will only be shared between the health and social care organisations that are signed up to the KMCR Joint Controllers Agreement. These include:

  • primary care, for example your GP practice
  • community services
  • mental health services
  • local council social care departments
  • secondary care, such as hospitals
  • specialist services, including ambulances.

Your information in the KMCR can only be seen by care professionals from the organisations directly involved in providing care to patients and service users. The KMCR operates under a strict role-based access controls. These controls make certain that only  individuals with a legitimate reason to access your data can do so. Only people involved in your direct care will be able to access information that identifies you.

5. What are the main uses of data in the KMCR?

The data within the KMCR will be used for the following purposes:

Individual patient and service-user care, to:

  • protect the vital interests of patients and service-users and those of their associated carer(s)
  • support the provision of health or social care treatment or services to individuals, including their diagnosis and treatment, and the management of their care and support
  • identify those at risk of illness and disease and to provide preventive care
  • activate and empower individuals in their own care by providing a personal health record
  • coordinate, improve and optimise patient flows
  • help management of health or social care services
  • provision of a personal health record
  • grant access to treatment escalation plans
  • allow use of KMCR analytics to guide care, improve allocation of resource and prevent harm to patients.

6. How long is the data kept?

The KMCR holds a set of information about you from  health and social care organisations that provide care for you locally. 

The records of those health and social care organisations are subject to retention periods set out in documents, such as the IGA (Information Governance Alliance) Records Management Code of Practice for Health and Social Care.

As the information about you on the KMCR comes from local organisational systems, the data will be kept for the same amount of time that it is kept on those local systems.

7. What is the legal basis for processing data within the KMCR?

Health and social care organisations have a duty to share personal data under s251B of the Health and Social Care Act 2012, where it is:

(a) likely to facilitate the provision to the individual of health services or social care in England

(b) in the individual’s best interests.

The legal basis for processing data within the KMCR is ‘the provision of health or social care services’ GDPR Article 9(2)(h) and GDPR Article 6(1)(e) for a ‘task carried out in the public interest’. 

8. Who is the data controller?

The KMCR is not a data controller. The organisations providing your care locally are  controllers of the data they hold about you and are working in partnership to make sure it is available for sharing within the KMCR, when needed, to benefit your care. 

If you have any concerns about data sharing, please speak to the local care organisations which hold your records. As there will be more than one organisation involved in the provision and processing of information about your care across the partnership,  various system leads will act as joint data controllers in accordance with the General Data Protection Regulation (EU GDPR 2016) and UK Data Protection Act 2018.

9. How can I access the information held in my record? (subject access request)

You have a right to request information that is held about you. The KMCR is a collection of information from organisations across Kent and Medway that provide you with care services. Please note it is not all the information held on you by each organisation that has cared for you, as each organisation involved in your care keeps  specific local records.

To access care records, you must contact the organisation(s) that have been or are providing your care, as they will have the full record of the care they have provided to you. This is called a subject access request (SAR).

10. How is the data stored?

A record of care is held on each organisation’s secure electronic system (local record), for example  a GP practice will have its  own system for recording patient information. Graphnet, a supplier of healthcare systems, has designed a secure system that integrates data from  multiple electronic health and social care systems to provide a live and read-only summary of that data to a health or social care worker, when required, for direct care.

11. Is it secure?

Yes, the data held in the KMCR will be securely stored  in a resilient UK cloud-based platform hosted by Microsoft. The KMCR is subject to stringent cyber-security assessments to make sure there is strong protection to maintain the health and care data’s safety.

Appropriate technical and security measures in place to protect the KMCR include:

  • complying with data protection legislation
  • encrypting personal data transmitted between partners
  • implementing and maintaining business continuity, disaster recovery and other relevant policies and procedures
  • a requirement for organisations to complete the data security and protection (DSP) toolkit introduced in the National Data Guardian review of data security, consent and objections and adhere to robust information governance management and accountability arrangements
  • use of ‘user access authentication’ mechanisms to make sure  all instances of access to any personal data under the KMCR are auditable against an individual accessing the KMCR
  • making sure   all employees and contractors involved in  processing  personal data are suitably trained in maintaining the privacy and security of  personal data and are under contractual or statutory obligations of confidentiality concerning it.

The NHS digital code of practice on confidential information applies to all NHS and care staff. They are required to protect your information, inform you of how your information will be used and allow you to decide if and how your information can be shared. All staff with access to personal data are trained to make sure information is kept confidential and is only shared with other professionals in a  patient’s best interests.

12. What are my rights around information about me contained in the KMCR?

Under the data protection legislation, you have the right to:

  • be informed of our uses of your data - the purpose of this privacy notice
  • request copies of your personal information, commonly referred to as a subject access request (SAR)
  • have any factual inaccuracies corrected
  • request the restriction or suppression of your personal data. This is not an absolute right and only applies in certain circumstances
  • not be subject to automated decision making or profiling. There is no automated decision-making or profiling in the KMCR
  • complain about the handling of your data to an organisation’s data protection officer or to the regulator
  • have the right to object to processing of your personal data in certain circumstances.

13. How can I object to my data being shared via the KMCR?

You have a legal right to object to your data being shared. Your objection will be considered on a case-by-case basis. When looking at your objection, we will consider whether you can still be provided with safe individual care. Please contact your health and care provider to discuss this further. This could be your GP practice or the health or social care staff that provided or are providing your treatment and care.

We ask you to think carefully before making this decision. Sharing your health and social care information will make it easier for services to provide the best treatment and care for you, when you most need it.

Health and social care staff use your confidential patient information to help with your treatment and care. For example, when you visit a hospital your consultant may need to know the medicines you take.

Your health or social care provider can tell you how you can use the NHS national opt-out for secondary use of your data, for example . for statistical analysis.

14. Will my data be sold to third parties?

No, your data will not be sold to third parties.

15. Can I opt out of my data being shared with the KMCR?

You can choose to stop your confidential patient information being used for purposes other than for your own treatment and care, such as research. Where you choose to do this, your data will not be shared with the KMCR. Your GP will put this opt out on for you, on your request.

You cannot opt out of your information being shared when it relates to delivery of treatment or care to you. Health and care organisations are legally required to share and process data to make sure health and care professionals have access to vital information to make quicker, safer decisions about your treatment and care.

In response to the COVID-19 pandemic, the law allows confidential patient information to be used and shared ’appropriately and lawfully’ in response to the public health emergency. This means councils, health organisations and GPs can share confidential patient information to respond to the COVID-19 outbreak.

This directive is in place until 30 September 2021 and may be subject to further review. Changes to opt out during the COVID-19 pandemic mean that even if you previously opted out of sharing your health and care record, it is now visible to organisations providing treatment and care to patients.

Where a patient opts out of electronic record sharing, information will continue to be shared, as it is now, by email, phone and paper.

16. I have opted-out via the NHS national data opt-out. Does this opt-out also apply to the KMCR?

You are able to opt-out of having your confidential patient information being used for research and planning via the NHS national data opt-out. Visit the website below to find out more information or to opt out of having your patient information being used for research and planning.

Whenever you use a health or care service, such as attending accident and emergency or using community care services, important information about you is collected in a patient record for that service. Collecting this information helps to make sure you have the best possible care and treatment.

If you  choose to opt out of the NHS national data for research and planning, your confidential patient information will still be included and used within the KMCR to support your individual care and will still be shared among  organisations involved in your direct care. 

17. If I have opted out of the summary care record, does this opt-out also cover the KMCR?

No, an opt-out of the summary care record does not also apply to the KMCR.

The KMCR provides a more detailed view of your health, care and treatment records and is a summary of the treatment and care provided to you by local health and social care organisations in Kent and Medway.

The summary care record is used nationally and contains important information from the record held by your GP practice. It includes details of any medicines you are taking,  allergies you have and bad reactions to medicines you have previously experienced. The summary care record also includes your name, address, date of birth and your unique NHS number to help correctly identify you. If you have opted out of the summary care record, you will not automatically be opted out from the KMCR.

Text Size: