GDPR – Practice Privacy Notice
NHS England has commissioned a provider, Xyla Health and Wellbeing, to provide the ‘Your local Healthier You: NHS Diabetes Prevention Programme’ for patients at risk of type 2 diabetes. Once a patient is referred, they will be contacted for a motivational interview with the provider (Xyla) to help them enrol onto the course and to have an opportunity to ask any questions they have at this time, including if they do not want to enrol in the programme. Xyla Health and Wellbeing is part of the Acacium Group and sometimes, if required and legally allowed, Xyla may share some of your basic details, such as your name and contact details, with providers who have been identified as suitable to contact you to provide support for you during this programme. Any sharing of your data is kept to a minimum, carried out under due diligence and in compliance with applicable laws. For full details on how Xyla would use your data for the diabetes prevention programme, see their privacy notice at: https://preventing-diabetes.co.uk/diabetes-prevention-privacy-policy/

For general information on the national diabetes prevention programme, please visit the NHS England website at: https://preventing-diabetes.co.uk/
MMC Patient Privacy Notice
How we use your Information
Memorial Medical Centre – Patient Privacy Notice
How we use your personal information
Memorial Medical Centre collects personal information about you in order to provide your
health care. When doing this the Memorial Medical Centre must respect your confidentiality
and comply with all applicable Data Protection legislation.
Our Lawful bases for processing your personal information
We must, among other things, ensure personal information held about you is only used for
specific purposes allowed by law. The Memorial Medical Centre collects and processes your
personal information as it is necessary for the purposes of preventative or occupational
medicine, medical diagnosis, and the provision of health or social care or treatment. This
leaflet answers questions you might ask about what personal information we hold, why, and
to whom it may be passed.
What personal information do we collect?
The personal information we collect, store and use about you can include:
- Personal details e.g. name, date of birth, nationality, gender and NHS number.
- Contact details e.g. phone number, email address and address.
- Equality and diversity information about you. This may include special category personal data like details of your ethnicity, sexual orientation, religious beliefs or opinion, biometric data, criminal convictions and offences.
- Information about next of kin or carers (including their contact details and their relevant medical history if required).
- Notes and reports relevant to your health, including any information you have told us about your health.
- Details of your treatment and care, including the professional opinion of the staff caring for you.
- Results of investigations, such as laboratory tests, scans and x-rays.
- Relevant information from health and social care professionals, relatives or those who care for you.
- Communications, for example letters and emails between an NHS Trust providing your treatment and you.
A full list of all of the people we share with can be found via the Memorial Medical Centre's
privacy notice, which is on our website at www.memorialmedicalcentre.co.uk and displayed
in our waiting room.
What can we use your personal information for?
We can use your personal information to:
- Provide you with health or social care.
- Help other organisations provide you with health or social care.
- If you agree, to help other organisations provide you with other public services.
- Communicate with you and, if appropriate, your next of kin about your care.
- Carry out internal audits and monitor the care we provide to ensure it is of the highest
- Monitor equality and diversity.
- We may use anonymised data to help train and educate our staff. Should we use identifiable personal data we would always obtain your consent.
- Respond to complaints.
- Respond to queries from regulators like NHS Digital, the Care Quality Commission, the General Medical Council, the Audit Commission, the Nursing & Midwifery Council and the Health Service Ombudsman.
- Conduct legal claims or seek legal advice.
- Provide information to national registries that systematically collect data about particular conditions to help research which is only undertaken when consent is
How do you store my records?
Personal information may be stored electronically on a computer system and/or manually in
a paper record form. When you arrive for an appointment, staff may check your details with
you to ensure that our records are accurate. To assist with this, we ask that you notify us
promptly of any changes to your personal details e.g. contact address, contact phone
number, email address, next of kin etc.
Sharing your personal data
Your personal data will only be disclosed to those who have a genuine need to know and
who agree to keep your information confidential. For your direct care we often share
- GP federations and out of hours providers.
- NHS hospitals e.g. NHS Trusts and NHS Foundation Trusts.
- Organisations that deliver NHS services outside of hospital e.g. NHS Community Health Trusts, Social Care Partnership Trust, and the Mental Health providers for
- Private sector organisations that deliver NHS care in your area such as Virgin e.g. private hospitals, dentists, opticians, pharmacists.
- Voluntary sector organisations that deliver NHS care e.g. charities such as Wisdom Hospice and Demelza.
- Local authorities such as Kent County Council e.g. if social workers are part of the Care Team, education services, children’s services, housing or benefit offices.
- Organisations that provide diagnostic tests.
- Solicitors for claims etc. but we will always obtain your written consent first.
- The police for legal purposes.
- Organisations that provide support health services such as running vaccination and awareness clinics at our practices.
- Organisations that provide ambulance services e.g. NHS Ambulance Trusts and
Do you share my personal information with third parties or non NHS agencies?
We may need to share your personal information with organisations that provide back office
support to the Practice in its delivery of services. These organisations are known as data
processors. These organisations are only able to use your personal information in
accordance with the Practice's instructions and applicable laws:
- Telephone services suppliers.
- Suppliers of web hosting services.
- Suppliers that we use to develop and improve the technology we use, including our website and electronic patient records.
Can my personal information be shared without my consent?
Your personal information may not be shared without your consent except in a number of
limited circumstances when we are legally bound to do so to provide health and social care,
- Where there is a danger of harm to a child or vulnerable adult.
- As a result of a court order.
- When it is absolutely necessary for the prevention or detection of crime or the apprehension or prosecution of offenders.
- Reporting notifiable infectious diseases.
- Where there are serious risks to the public or staff.
The above may only take place when there is a clear legal basis to use your personal
information. All these uses help to provide better health and social care for you, your family
and future generations. Confidential patient information about your health and care is only
used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be
identified in which case your confidential patient information isn’t needed.
The Memorial Medical Centre is also working with NHS Digital to ensure compliance with the
National Opt-out programme on the use of NHS data from 2020. You have a choice about
whether you want your confidential patient information to be used in this way. If you are
happy with this use of information you do not need to do anything.
If you do choose to opt out your confidential patient information will still be used to support
your individual care. To find out more or to register your choice to opt out, please visit
www.nhs.uk/your-nhs-data-matters or call 0300 303 5678; there you will:
- See what is meant by confidential patient information.
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care.
- Find out more about the benefits of sharing data.
- Understand more about who uses the data.
- Find out how your data is protected.
- Be able to access the system to view, set or change your opt-out setting.
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone.
- See the situations where the opt-out will not apply.
You can change your mind about your choice at any time.
Personal information being used or shared for purposes beyond individual care does not
include your personal information being shared with insurance companies or used for
marketing purposes as any of these would only be used in this way with your explicit
What if I change my mind after giving my consent for sharing or use of my
You have the right to restrict the use of your personal information in instances where your
consent is needed for us to share your personal information; unless it is in relation to
providing you with direct health and social care services or where the exceptional conditions
You can refuse or change your mind at any time about your consent; however this may
affect the healthcare that is available to you. You can change your mind, but please inform
us, so we can update our records.
Risk stratification is a mechanism used to identify and subsequently manage those patients
deemed as being at high risk of requiring urgent or emergency care. Usually this includes
patients with long-term conditions, e.g. cancer. Your information is collected by a number of
sources, including the Memorial Medical Centre; this information is processed electronically
and given a risk score which is relayed to your GP who can then decide on any necessary
actions to ensure that you receive the most appropriate care.
Your information may be shared if you have received treatment to determine which Clinical
Commissioning Group (CCG) is responsible for paying for your treatment. This information
may include your name, address and treatment date. All of this information is held securely
and confidentially; it will not be used for any other purpose or shared with any third parties.
In accordance with the NHS Codes of Practice for Records Management, your healthcare
records will be retained for 10 years after death, or if a patient emigrates, for 10 years after
the date of emigration.
How do you keep my records confidential?
Everyone working within the Memorial Medical Centre has a legal duty to keep information
about you confidential. There are strict codes of conduct in place to ensure your personal
information is safe, whether it is on paper or computer. Staff must abide by:
- All applicable data protection legislation such as the EU General Data Protection Regulation 2016 and Data Protection Act 2018.
- Common Law Duty of Confidence.
- NHS Code of Confidentiality.
Can I get a copy of my records?
You have a right under Data Protection legislation to access your medical records or
authorise a representative to do so. Personal information may be withheld if we believe it
could harm your physical or mental health. We would prefer your request in writing if
possible but will accept verbal requests if necessary: please contact us via our email at
email@example.com or by writing to the surgery at the below address:
Memorial Medical Centre, Bell Road, Sittingbourne, Kent ME10 4XX
What other rights do I have?
You have the right to request that personal information about you that is factually incorrect
be rectified by being amended or supplemented with additional information. Any information
you do not agree with (but is not factually incorrect), we will make a note on your records of
the point which you have drawn to our attention.
How can I complain about the way the Memorial Medical Centre handles my personal
If you are unhappy with the way we have dealt with your personal information please contact
the Practice in the first instance and then the Kent and Medway Clinical Commissioning
Group Data Protection Officers’ team at firstname.lastname@example.org or via
the Practice name at the address at the end of this leaflet. You also have the right to
complain directly to the Information Commissioner in relation to data protection. The contact
details are also at the end of this leaflet.
It is important to note that the General Practitioner (GP) record, usually held at the General
Practice, is the primary record of care and that the majority of other services must inform the
GP through a discharge note or a clinical correspondence that a patient has received care.
This record is to be retained for the life of the patient plus at least ten years after death. The
GP record transfers with the individual as they change GP throughout their lifetime.
Where can I find further information?
If you would like to know more about how we use your personal information or if you do not
wish to have your information to be used in any of the ways described above, please contact
the Memorial Medical Centre at the address at the end of this leaflet. You can also read
more about how we use your personal information on our website at
General information can be obtained from the Information Commissioner’s Office.
Information Commissioner’s Office: Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
t: 0303 123 1113 www.ico.gov.uk
Who to contact
Practice details: Administration Team, Memorial Medical centre, Bell Road, Sittingbourne,
Kent ME10 4XX
Name of Data Protection Officer for the Practice: Mrs Rebecca Unwin
Tel: 01795 477764
Helen Foreman – CCG Data Protection Officer
NHS Medway Clinical Commissioning Group,
Unit A, Compass Centre North, Pembroke Road,
Chatham Maritime, Kent, ME4 4YG
Tel: 03000 425100
our newsletter and on posters to reflect the changes.
| Version: | Review date: | Edited by: | Approved by: | Comments: |
|---|---|---|---|---|
| 1 | 23.05.2018 | Rebecca Unwin | Valerie Gibson | To be reviewed in 1 year |
| 2 | 29.08.2019 | Rebecca Unwin | Valerie Gibson | To be reviewed in 1 year |
| 3 | 11.03.2020 | Rebecca Unwin | Valerie Gibson | To be reviewed in 1 year |
Practice Privacy Notice (England)
| Version: | Review date: | Edited by: | Approved by: | Comments: |
|---|---|---|---|---|
| 1 | 23.05.2018 | Rebecca Unwin | Valerie Gibson | To be reviewed in 1 year |
| 2 | 29.08.2019 | Rebecca Unwin | Valerie Gibson | To be reviewed in 1 year |
| 3 | 19.05.2021 | Fiona Willis | Valerie Gibson | To be reviewed in 1 year |
| 4 | 25.04.2022 | Rebecca Unwin | Valerie Gibson | To be reviewed in 1 year |
NHS Digital collects information with the purpose of improving health and care for everyone. The information collected is used to:
- Run the health service
- Manage epidemics
- Plan for the future
- Research health conditions, diseases and treatments
NHS Digital is a data controller and has a legal duty, in line with the General Data Protection Regulation (GDPR), to explain why it is using patient data and what data is being used. Similarly, the Memorial Medical Centre has a duty to advise patients of the purpose of personal data and the methods by which patient personal data will be processed.
The practice aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have in regard to the individual protected characteristics of those to whom it applies.
This document and any procedures contained within it are contractual and therefore form part of your contract of employment. Employees will be consulted on any modifications or change to the document’s status.
The practice will provide guidance and support to help those to whom it applies understand their rights and responsibilities under this policy. Additional support will be provided to managers and supervisors to enable them to deal more effectively with matters arising from this policy.
This document applies to all employees, partners and directors of the practice. Other individuals performing functions in relation to the practice, such as agency workers, locums and contractors, are encouraged to use it.
Everyone should be aware of the practice privacy notice and be able to advise patients, their relatives and carers what information is collected, how that information may be used and with whom the practice will share that information.
The first principle of data protection is that personal data must be processed fairly and lawfully. Being transparent and providing accessible information to patients about how their personal data is used is a key element of the General Data Protection Regulation.
Privacy notice: A statement that discloses some or all of the ways in which the practice gathers, uses, discloses and manages a patient’s data. It fulfils a legal requirement to protect a patient’s privacy.
The Data Protection Act (DPA18) will ensure continuity by putting in place the same data protection regime in UK law pre- and post-Brexit.
Information Commissioner’s Office (ICO): The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way in which organisations across the region approach data privacy. The GDPR comes into effect on 25 May 2018.
Data controller: The entity that determines the purposes, conditions and means of the processing of personal data.
Data subject: A natural person whose personal data is processed by a controller or processor.
In accordance with the GDPR, this practice will ensure that information provided to subjects about how their data is processed will be:
- Concise, transparent, intelligible and easily accessible;
- Written in clear and plain language, particularly if addressed to a child; and
- Free of charge
In accordance with Article 5 of the GDPR, this practice will ensure that any personal data is:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay
- Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
At the Memorial Medical Centre, the practice privacy notice is displayed on our website, through signage in the waiting room, and in writing during patient registration. We will:
- Inform patients how their data will be used and for what purpose
- Allow patients to opt out of sharing their data, should they so wish
At the Memorial Medical Centre, the following data will be collected:
- Patient details (name, date of birth, NHS number)
- Address and NOK information
- Medical notes (paper and electronic)
- Details of treatment and care, including medications
- Results of tests (pathology, X-ray, etc.)
- Any other pertinent information
The ICO has provided a privacy notice checklist which can be used to support the writing of the practice privacy notice. The checklist can be found by following this link.
A privacy notice template can be found at Annex A.
It is the responsibility of all staff at the Memorial Medical Centre to ensure that patients understand what information is held about them and how this information may be used. Furthermore, the practice must adhere to the DPA18 and the GDPR, to ensure compliance with extant legal rules and legislative acts.
The Memorial Medical centre has a legal duty to explain how we use any personal information we collect about you, as a registered patient, at the practice. Staff at this practice maintain records about your health and the treatment you receive in electronic and paper format.
What information do we collect about you?
We will collect information such as personal details, including name, address, next of kin, records of appointments, visits, telephone calls, your health records, treatment and medications, test results, X-rays, etc. and any other relevant information to enable us to deliver effective medical care.
How we will use your information
Your data is collected for the purpose of providing direct patient care; however, we can disclose this information if it is required by law, if you give consent or if it is justified in the public interest. The practice may be requested to support research; however, we will always gain your consent before sharing your information with medical research databases such as the Clinical Practice Research Datalink and QResearch or others when the law allows.
In order to comply with its legal obligations, this practice may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012. Additionally, this practice contributes to national clinical audits and will send the data that is required by NHS Digital when the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form; for example, the clinical code for diabetes or high blood pressure.
Processing your information in this way and obtaining your consent ensures that we comply with Articles 6(1)(c), 6(1)(e) and 9(2)(h) of the GDPR.
Third Party Processors
In order to deliver the best possible service, the practice will share data (where required) with other NHS bodies such as other GP practices and hospitals. In addition, the practice will use carefully selected third party providers. When we use a third party service provider to process data on our behalf, we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include:
- Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; document management services etc.
- GP Data for Planning and Research Programme: GP data has a crucial role to play in research and planning which can improve public health, but it is important for patients and the public that this data is made available for appropriate purposes in a secure and trusted manner. This programme is a planned replacement for the GP Extraction Service (GPES) currently used to collect data for planning and research from general practices in England. It is a legal obligation for the practice to comply with the Data Provision Notice (DPN) for this programme as a result of a new direction from the Secretary of State for Health and Social Care as part of the Health and Care Act 2012. Once fully established, this new collection will replace multiple other data collections from general practices, including the GPES, in due course.
It is important to state that this new GPDPR programme is not a new processing of GP data in any way; what it does is to carry out an ongoing processing, i.e. extraction of patients’ data by NHS Digital for planning and research purposes, via a more efficient means. NHS Digital has set out that, whilst general practice will still retain data controllership over patient records within their practice, once data has been extracted from patient records and shared with NHS Digital, NHS Digital will be the responsible and accountable data controller under the UK GDPR for data access and dissemination for planning and research. Full details on the processing of patients’ data for this programme can be found in NHS Digital’s privacy notice here: https://digital.nhs.uk/data-and-information/data-collections-and-data-sets/data-collections/general-practice-data-for-planning-and-research/transparency-notice
Maintaining confidentiality and accessing your records
We are committed to maintaining confidentiality and protecting the information we hold about you. We adhere to the General Data Protection Regulation (GDPR), the NHS Codes of Confidentiality and Security, as well as guidance issued by the Information Commissioner’s Office (ICO). You have a right to access the information we hold about you, and if you would like to access this information, you will need to complete a Subject Access Request (SAR). Please ask at reception for a SAR form and you will be given further information. Furthermore, should you identify any inaccuracies, you have a right to have the inaccurate data corrected.
What to do if you have any questions
- Contact the practice’s data controller via email at email@example.com. GP practices are data controllers for the data they hold about their patients
- Write to the data controller at Memorial Medical Centre, Bell Road, Sittingbourne, Kent ME10 4XX
- Ask to speak to the Data Protection Officer (DPO) for Memorial Medical Centre who is Rebecca Unwin or the Practice Manager Mrs Adrienne Adams.
In the unlikely event that you are unhappy with any element of our data-processing methods, you have the right to lodge a complaint with the ICO. For further details, visit ico.org.uk and select ‘Raising a concern’.
National COVID-19 and Flu Vaccination Programmes
The National Immunisation Management Service
Covid-19 – Notice under Regulation 3(4) of the Health Service Control of Patient Information Regulations 2002
This process has been produced in response to the Covid 19 pandemic and will ensure that all patients across Kent and Medway will receive the Seasonal Flu Vaccine and Covid 19 Vaccine.
Purposes for processing
With the availability of a vaccine for COVID-19, there is a need to coordinate vaccination for the population of England.
The seasonal flu programme is a long-established and successful vaccination programme. The service is offered to patients who are particularly susceptible to the flu for example because of their health condition, age or because they are pregnant.
NHS England has established a centralised service for the management of both the COVID-19 and seasonal flu vaccination programmes. This service is supported by a central system, the Immunisation Management System.
The key functions of this system are to enable identification of priority groups, to send invitations to book appointments for vaccination, to manage and monitor the progress of the programme.
There may be instances due to allocation of resources and supply of the vaccination where there will be a need for patients to be seen in a GP practice/Vaccination centre outside of their PCN or local area to receive their vaccination. The patient will be informed by their own practice by way of letter or email or by telephone. The practices will strive to ensure patients are seen by a practice as close to their home as reasonably practicable.
In summary, the system works as follows:
Loading personal information about people in England
The demographic details of everyone resident in England or registered with a GP in England are imported into the system from the Primary Care Registration Management Service operated by NHS Digital on behalf of NHS England. After an initial load from NHS Digital, the data is kept up to date overnight.
Information about patients who are particularly susceptible to the flu because of their health condition or because they are pregnant is also uploaded into the system from data held by NHS Digital.
Further data such as lists of shielded patients, NHS staff and social care workers and ethnic category information are also uploaded. This data can then be used for prioritising invitation for flu or COVID-19 vaccination, and for reporting purposes.
Selecting people to invite for immunisation
The system has an interactive dashboard which allows us to select groups of people to invite for immunisation. Factors such as age, ethnic origin, gender and underlying health conditions can be applied. We can also select NHS staff and social care workers.
The system shows how many people will be invited if the selected criteria are used. The analysis will include a full geographical breakdown so users can ensure there are sufficient vaccinations and delivery capacity to meet demand. People already vaccinated will be excluded automatically so they are not invited again.
The system sends invitation letters to the people selected.
Sending invitations for vaccination
The list of people to be invited to book an appointment is sent to the mailing service and the National Booking System. The mailing service prints the invitation letters, which explain how to book an appointment for vaccination.
The system keeps a record of everyone who has been invited and sends reminders via text or letter to anyone who has not been vaccinated, or who has not booked an appointment through the National Booking System.
The system sends daily updates to GP systems to allow them to update their local record and monitor progress for their patients.
The system includes a business intelligence tool which provides comprehensive analysis of how the vaccination programmes are progressing, nationally and locally.
Data collection and reporting
To provide centralised data collection and reporting services for the National Immunisation Service, NHS England has implemented a centralised data capture tool for clinical teams delivering COVID-19 and seasonal flu vaccinations. The system collects data about vaccinations administered to NHS staff for COVID19 and flu, in schools and by maternity teams for the flu vaccine only.
Categories of personal data and sources
The IMS obtains names, addresses, telephone numbers, other personal details, and GP registration information from the Primary Care Registration Management service that NHS Digital manages as a processor for NHS England.
It receives information about health conditions and other factors that can make people vulnerable to the flu from NHS Digital who collect it from GP Practices, acting under directions from the Secretary of State for Health and Social Care. We also obtain information about ethnic category from NHS Digital.
It receives information about vaccinations given from GP Practices, pharmacies and other vaccination centres. This is so that we can send out reminder letters, inform GPs for them to update their records, and monitor the progress of the vaccination programme.
The data collection and reporting system receives information about vaccination decisions – given or not given. It also includes demographic data about NHS staff from the NHS Electronic Staff Record, and obtains NHS Numbers traced from the Primary Care Registration Management service.
Categories of recipients
The system sends lists of people to be invited for vaccination to the mailing service and the National Booking Service managed by NHS Digital.
The system sends information to GP Practices so that they can update their records about vaccinations that their patients have received at pharmacies or other vaccination centres.
The system sends personal data to the NHS England COVID-19 datastore, and to Public Health England.
Legal basis for processing
For GDPR purposes NHS England’s lawful basis for processing is Article 6(1)(e) – ‘…exercise of official authority…’; and
For the processing of special categories (health) data the conditions are 9(2)(h) – ‘…health or social care…’, and 9(2)(i) – ‘…public health purposes…’.
For processing special categories (ethnicity) data the conditions are 9(2)(h) – ‘…health or social care…’, and 9(2)(b) – ‘…social protection law…’ (for monitoring equality of access).
Covid-19 and your information – Version 1, updated on 8th April 2020
Supplementary privacy note on Covid-19 for patients using GP Surgeries based in Kent and Medway
This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice which is available
The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.
Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arms Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on gov.uk here and some FAQs on this law are available here.
During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However, in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.
In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.
During this period of emergency we may offer you a consultation via telephone or videoconferencing; within Kent and Medway CCG we are using AccuRx. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.
We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is here.
NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.
Where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.
General Practice Transparency Notice for GPES Data for Pandemic Planning and Research (COVID-19)
This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital.
The health and social care system is facing significant pressures due to the coronavirus (COVID-19) outbreak. Health and care information is essential to deliver care to individuals, to support health, social care and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the coronavirus outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. This practice is supporting vital coronavirus planning and research by sharing your data with NHS Digital, the national safe haven for health and social care data in England.
Our legal basis for sharing data with NHS Digital
NHS Digital has been legally directed to collect and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak. NHS Digital will become the controller under the General Data Protection Regulation 2016 (GDPR) of the personal data collected and analysed jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).
All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices.
Under GDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c) – legal obligation. Our legal basis for sharing personal data relating to health is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Direction.
The type of personal data we are sharing with NHS Digital
The data being shared with NHS Digital will include information about patients who are currently registered with a GP practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research. The data contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death for those patients. It will also include coded health data which is held in your GP record such as details of:
- diagnoses and findings
- medications and other prescribed items
- investigations, tests and results
- treatments and outcomes
- vaccinations and immunisations
How NHS Digital will use and share your data
NHS Digital will analyse the data they collect and securely and lawfully share data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for coronavirus response purposes only. These purposes include protecting public health, planning and providing health, social care and public services, identifying coronavirus trends and risks to public health, monitoring and managing the outbreak and carrying out of vital coronavirus research and clinical trials. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this initiative.
NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).
Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the data.
Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared. Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose, will be published in the NHS Digital data release register.
For more information about how NHS Digital will use your data please see the NHS Digital Transparency Notice for GP Data for Pandemic Planning and Research (COVID-19).
National Data Opt-Out
The application of the National Data Opt-Out to information shared by NHS Digital will be considered on a case by case basis and may or may not apply depending on the specific purposes for which the data is to be used. This is because during this period of emergency, the National Data Opt-Out will not generally apply where data is used to support the coronavirus outbreak, due to the public interest and legal requirements to share information.
Your rights over your personal data
To read more about the health and care information NHS Digital collects, its legal basis for collecting this information and what choices and rights you have in relation to the processing by NHS Digital of your personal data, see:
- the NHS Digital GPES Data for Pandemic Planning and Research (COVID-19)
- the NHS Digital Coronavirus (COVID-19) Response Transparency Notice
- the NHS Digital General Transparency Notice
- how NHS Digital looks after your health and care information
We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.
A cookie is a small file, typically of letters and numbers, downloaded on to a device (like your computer or smart phone) when you access certain websites.
Cookies allow a website to recognise a user’s device.
Some cookies help websites to remember choices you make (e.g. which language you prefer if you use the Google Translate feature). Analytical cookies help us measure the number of visitors to a website. The two types we use are ‘Session’ and ‘Persistent’ cookies: session cookies are temporary and disappear when you close your web browser, while persistent cookies may remain on your computer for a set period of time.
We do not knowingly collect or intend to collect any personal information about you using cookies. We do not share your personal information with anyone.
What can I do to manage cookies on my devices?
Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.
To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.
If you are concerned about cookies and would like to ask further questions please do not hesitate to write to our website developers – firstname.lastname@example.org
Data Protection Privacy Notice for the Kent & Medway Care Record (KM Care Record) Service
About the KM Care Record
Welcome. The KMCR is a secure virtual health and social care record used only by health and care organisations across the Kent and Medway areas including:
- GP practices currently registered with Kent and Medway Clinical Commissioning Groups (CCG)
- NHS Kent and Medway CCG
- 4 NHS Trusts and 2 Mental Health Trusts
- 3 Community Providers
- South East Coast Ambulance Service
- Kent County Council and Medway Council Social Care Teams
- Out of Hours providers
A full list of current and proposed providers can be found in the section: “Organisations we share your personal information with” below.
What is the Kent & Medway Care Record (KM Care Record)?
The Kent & Medway Care Record is an Electronic Health Record linking system that provides a read-only summary of your data (information) to a health or social care professional when required for the purpose of providing your health and social care. The system, provided by Graphnet, brings together patient/client information across health and social care systems in a secure manner, giving a summary of your information from within a number of local records.
Benefits of such a system are:
- Improved quality of care – information about your care will be instantly available to professionals to enable accurate diagnosis and on-going treatment. Duplication of tests will be avoided.
- Improved patient safety – there will be greater visibility for health and social care providers about your current medications, allergies and adverse reactions.
- Reduced delays in care – test results will be readily available reducing waiting times.
The KM Care Record pulls your information from several important areas of health and care including:
- Primary care e.g. GP practices
- Community services
- Mental health services
- Social care
- Secondary care e.g. hospitals
- Specialist services e.g. South East Ambulance services
Additional data may also be collected online within KM Care Record Forms for both direct patient care and social care. These are typically used for patient assessments and planning of services, e.g.
- Frailty record
- Falls assessment
- Nutrition assessment
- Respiratory assessment
- Heart failure care plan
- Integrated care and support plan
All organisations take the duty to protect your personal information and confidentiality very seriously and are committed to taking all reasonable measures to ensure the confidentiality and security of personal information for which they are responsible. The KM Care Record system has been built in such a way as to ensure its use can be audited at any time. This allows confidentiality to be monitored where necessary.
The purpose(s) of the sharing:
The KM Care Record allows authorised workers in health or social care easy access to your information that is critical to support decision-making about your care and treatment.
It shares important information about your health and care including:
- Any current health or care issues
- Your medications
- Allergies you may have
- Results of any recent tests that you may have had
- Details on any plans created for your care or treatment
- Information on any social care or carer support you may receive
Information recorded about you across the NHS and care organisations
When you contact an NHS or care organisation as a patient / service user, organisations collect information about you and keep records about the care and services provided. If you contact organisations for any other reason they may also record information about you e.g. complaints or dealing with Freedom of Information requests.
All partner organisations listed are registered with the Information Commissioner’s Office to process your personal information in accordance with the current Data Protection Act 2018 and any subsequent revisions. The data protection notifications for all participating organisations can be found on the Information Commissioner’s website at www.ico.gov.uk. This guidance explains the types of information that are recorded about you, why this is necessary and the ways in which this information may be used. It also covers:
- What the Kent & Medway Care Record (KMCR) is
- The purpose(s) of the sharing
- The categories of information we share,
- Our legal reason for sharing
- The full list of organisations we share your information with
- How the information will be made available
- How long we keep your record
- How we keep your personal information safe and secure
- Your rights
- How you can access the information we keep about you
- Correcting inaccurate information
- How you can object to your information sharing via KMCR
- Your right to complain
- Your NHS Data Matters and the National Data Opt-Out
- The NHS Constitution
- NHS Digital
The categories of personal information we share:
Personal identifiable information (or personal data) means any information about an individual from which, on its own or together with other information, that person may be identified. It does not include information where the identity has been removed (anonymous data). The personal data that is collected and shared includes:
- Identifying Data: basic details about yourself e.g. Forename, Surname, Address, Date of Birth, Gender, Age, Postal Address, Postcode, Telephone Number, Email address, NHS Number and Hospital ID
- Special categories of Personal Data: Racial or ethnic origin, Physical/mental health or condition. For example, contact we have had with you such as appointments or clinic visits; notes and reports about your health, treatment and care; results of x-rays, scans and laboratory tests; relevant information from people who care for you and know you well such as health staff and relatives/carers; alerts and/or notifications, for example high risk medicines.
- Identifying Data: basic details about other individuals that may be involved in providing your care or support services, e.g. emergency contacts, relatives, mobility service providers, home care support.
However, not every element of personal data is part of the joint record; an example of the sensitive information that will be left out is fertility treatment records. Your information is not disclosed to any other third parties without your permission unless there are exceptional circumstances, such as if the health and safety of others is at risk or if the law requires us to pass on such information.
It is essential that your details are accurate and up to date. Always check that your personal details are correct and please inform us of any changes as soon as possible. If you think any information is inaccurate or incorrect then please contact your health or care provider to discuss this further. This could be your GP practice or the health or social care staff that provided or are currently providing your treatment and care.
What is the lawful basis for the sharing?
The processing (sharing) of personal data for these purposes is permitted under Articles 6(1)(d) and 6(1)(e) of the UK General Data Protection Regulation (UK GDPR) and UK Data Protection Act 2018 (DPA):
- Vital Interest: processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Public Task: the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The processing (sharing) of special categories of personal data via the KM Care Record system is permitted under Article 9(2)(b) and (h) and Article 10 of the UK GDPR and the UK Data Protection Act 2018 (DPA):
- Direct Care and Administration: processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards.
KM Care Record testing is required to validate accuracy and completeness of patient records within the system. This is a clinical safety issue and supported under UK GDPR Article 6(1)(e) official authority, and Article 9(2)(b) where information technology staff (who are not healthcare professionals) will be appraising the data. The data used for testing will be anonymised wherever possible, minimised where live patient data is necessary, and only used in a proportionate manner to meet the test criteria. All such data will be deleted from the test system immediately upon completion of the tests.
- Criminal Offence: Criminal offence data is limited to that which relates to your health or care. A comprehensive register of criminal convictions will not be kept, and the condition of Article 10 of the UK GDPR as well as s10(5) of the DPA 2018 has been fulfilled.
The legal obligation relies on the Health and Social Care Act 2012 s251(b) (as amended by the Health and Social Care (Safety and Quality) Act 2015, which created a statutory ‘duty to share’).
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality” to keep information about you confidential.
Organisations we share your personal information with:
Personal Data (including special category data) will only be shared between the health and social care organisations which have signed the KM Care Record Joint Controller or Data Sharing Agreement, and authorised data processors for the purposes of providing health and social care. These currently include:
- Dartford and Gravesham NHS Trust (D&G)
- East Kent Hospitals University NHS Foundation Trust (EKHUFT)
- Medway Maritime Hospital – Medway NHS Foundation Trust (MFT)
- Maidstone and Tunbridge Wells NHS Trust (MTW)
- Kent and Medway Partnership NHS and Social Care Partnership Trust (KMPT)
- North East London Foundation Trust (NELFT)
- Kent Community Health NHS Foundation Trust (KCHFT)
- Virgin Care Services
- Medway Community Healthcare (MCH)
- General Practitioners
- South East Coast Ambulance Service (SECAmb)
- Integrated Care 24 (IC24)
- Out of Hours providers (currently IC24, SECAmb and MCH)
- Kent and Medway Clinical Commissioning Group (KM CCG)
- Kent County Council (children and adults services) (KCC)
- Medway Council (children and adults services) (MWC)
In the future it is likely that the KM Care Record will be extended to a wider range of health and care providers. This may include:
- Other Providers of community health services
- Community Pharmacies (Chemists)
How will the information be made available?
The information is accessed in real time and on demand and presented as a read-only view, meaning that the information from a provider’s local record is not changed. Access to your information depends on the user having access in their own clinical systems, so professionals can only see information regarding individuals that are being referred for care or treatment or are being treated by them.
E-Forms containing additional information about health and health assessments and planning of services may be created directly and stored within KM Care Record. Also, where relevant, KMCR e-Forms used for assessments of care service planning will be copied to the patient and this may contain historical background health information about the patient.
How long do we keep your record?
The KM Care Record is primarily used to share, rather than store, data contained within a local record, although some data may be created and stored within KM Care Record forms regarding health assessments and planning of care services. Your records are kept for as long as necessary by local partners in accordance with your care. The retention schedules are aligned to the best practice outlined by NHS Digital. This information can be found in a document called “NHS Records Management Code of Practice for Health and Social Care 2020” and can be found on the following link – NHS Records Management Code of Practice for Health and Social Care 2020
How do we keep your personal information safe and secure?
To protect personal and special category information we ensure the information we hold is kept in secure locations and restrict access to information to authorised personnel only.
Our appropriate technical and security measures include:
- annual staff training
- robust policies and procedures e.g. password protection
- technical security measures to prevent unauthorised access
- complying with Data Protection Legislation
- encrypting information transmitted between partners
- implementing and maintaining business continuity, disaster recovery and other relevant policies and procedures
- completion of the NHS Data Security and Protection (DSP) Toolkit introduced in the National Data Guardian review of data security, consent and objections, and adhering to robust information governance management and accountability arrangements
- use of ‘user access authentication’ mechanisms to ensure that all instances of access to any Personal Data under the Kent Medway Care Record (KM Care Record) system are auditable against an individual, i.e. role-based access and smartcard use to ensure appropriate and authorised access
- ensuring that all employees and contractors who are involved in the processing of Personal Data are suitably trained, on an annual basis, in maintaining the privacy and security of the Personal Data and are under contractual or statutory obligations of confidentiality concerning the Personal Data
- regular audit of practices to ensure adherence against these criteria
The NHS Digital Code of Practice on Confidential Information applies to all staff who access the KM Care Record; they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.
All staff with access to Personal Data are trained to ensure information is kept confidential.
What are your rights?
Under the Data Protection Legislation, you have the right:
- To be informed of the uses of your data – this enables you to be informed how your data is processed (the purpose of this document).
- Of access – this enables you to receive a copy of the personal information held about you and to check the lawful processing of it.
- To rectification – this enables you to have any incomplete or inaccurate information held about you corrected
- To erasure – this enables you to request that we erase personal data about you that we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding lawful grounds to continue to process your data.
- To restrict processing – this enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- To data portability – this enables you to transfer your electronic personal information to another party.
- To object – You have the right to object to processing of personal data about you on grounds relating to your particular situation. The right is not absolute and we may continue to use the data if we can demonstrate compelling legitimate grounds.
- In relation to automated decision making & profiling – this enables you to be told if your data is being processed using automated software (note: there is no automated decision making or profiling in KMCR).
If you wish to exercise your rights in any of the ways described above you should contact the Data Protection Officer at the care giving organisation.
How can I access the information you keep about me?
To access your Personal Data you should contact your health or care provider in the first instance, to discuss this further. This could be your GP practice or the health or social care staff that provided or are currently providing your treatment and care.
You have a right to see or obtain a copy of personal information that we hold about you in accordance with UK General Data Protection Regulation (UK GDPR), and the UK Data Protection Act 2018 (DPA).
All requests for access to personal information must be submitted verbally or in writing. Please note proof of identity will be required for us to be able to assist you.
Correcting inaccurate information
If you believe that we hold inaccurate information in your health or care record you should contact your health or care provider in the first instance, to discuss this further. This could be your GP practice or the health or social care staff that provided or are currently providing your treatment and care.
How can I object to my data being shared via KM Care Record?
You have the right to object to your information being shared on the KM Care Record on grounds relating to your particular situation. The right is not absolute and we may continue to use the data if we can demonstrate compelling legitimate grounds. When considering your objection, we will consider whether you can still be provided with safe individual care.
We ask you to think carefully before making this decision. Sharing your health and social care information will make it easier for services to provide the best treatment and care for you when you most need it.
Health and social care staff use your confidential information to help with your treatment and care. For example, when you visit a hospital your consultant may need to know the medicines you take.
If you do wish to object, you should contact your health or social care provider involved in your care, and understand what it means for you.
If you choose to object:
- You may have to answer questions repeatedly because your full history may not be available to the care professional assessing you.
- Decisions about your care may take longer, even in emergency situations, as history needs to be confirmed.
- Some medical tests may get repeated unnecessarily e.g. if you had a blood test with your hospital consultant, your GP may not be able to see this.
Right to complain:
You can get further advice or report a concern directly to the KCHFT Data Protection Officer at email@example.com.
You also have the right to contact the UK’s data protection supervisory authority (Information Commissioner’s Office) by:
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- Telephone: 0303 123 1113 (local rate) or 01625 545745 (national rate)
Further information about the way in which the NHS uses personal information and your rights is published by NHS Digital:
Your NHS Data Matters and the National Data Opt-Out
The national data opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning. Visit the website below to find out more, or to opt out of having your patient information used for research and planning.
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- Improving the quality and standards of care provided
- Research into the development of new treatments
- Preventing illness and diseases
- Monitoring safety
- Planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations.
Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information, you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit https://www.nhs.uk/your-nhs-data-matters. On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used at:
- https://www.hra.nhs.uk/information-about-patients (which covers health and care research); and
- https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards, and how decisions are made)
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes; data would only be used in those ways with your specific agreement.
KM Care Record is compliant with the national data opt-out policy.
The NHS Constitution
The NHS Constitution establishes the principles and values of the NHS in England. It sets out the rights patients, the public and staff are entitled to. These rights cover how patients access health services, the quality of care you will receive, the treatments and programmes available to you, confidentiality, information and your right to complain if things go wrong.
NHS Digital collects health information from the records health and social care providers keep about the care and treatment they give, to promote health or support improvements in the delivery of care services in England.
Reviews of and Changes to this Privacy Notice
We will review the information contained within this notice regularly and update it as required. We therefore recommend that you check this webpage regularly to remain informed about the way in which we use your information.
This version was last updated by the KM Care Record on the 04/08/2021