Joy app privacy notice
We keep this privacy notice under regular review and it was last updated on 4 June 2026.
We respect your privacy and are committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data and tell you about your privacy rights and how the law protects you.
View an easy read version of the Joy App privacy notice (PDF, 511.0 KB).
Who we are
We collect, use and are responsible for certain personal information about you. When we do so we are regulated under the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are responsible as ‘controller’ of that personal information for the purposes of those laws. Our Data Protection Officer is Benjamin Watts.
The Joy App is a suite of applications that have been developed to improve the care pathway. The Joy App is primarily used in GP surgeries, where it will help to improve the volume of referrals to the voluntary community sector. This includes helping referrals for social prescribing.
Social prescribing is an approach that connects you to activities, groups and services in your communities to meet your practical, social and emotional needs. Your GP will help you to make a referral at your appointment.
Social prescribing helps health and social care organisations ensure the right level of support is provided at the right time and contributes towards strategic priorities such as our Making a Difference Everyday Strategy and the Kent and Medway Social Prescribing and Care Navigation Strategy. It also helps to support legal and statutory obligations, such as promoting individual wellbeing and undertaking safeguarding obligations under The Care Act 2014.
We will support the Joy App delivery by analysing the service that it has provided and determining the impact it has had on Kent and Medway residents.
Personal information we collect and use
Information collected by us
In the course of your GP using the Joy App to make a social prescribing referral, your GP will collect or use the following personal information at your appointment:
- Personal information, for example, name, address, postcode, date of birth, sex, NHS number.
- Contact information, for example, telephone number, email address, contact details for next of kin, support network or advocate.
Your GP will also collect or use ‘special category data’ (personal data which is more sensitive and is treated with extra care and protection) at your appointment:
- Your racial or ethnic origin.
- Your physical or mental health information, for example, disabilities, health conditions, carer responsibilities.
- Your circumstances, your health and safety concerns and your needs and wishes.
Your GP will also use information from your social care record (for example, the information listed above) to help assist with their social prescribing referral for you. Once a referral has been made, your social care record will be updated to ensure robust record keeping and to ensure the continuity of care and support.
We will collect anonymised information about service usage on the Joy App to help understand how the Joy App is being used, the benefits it provides to yourself and to your GP surgery, and if there are any improvements to make. This enables our commissioning teams and Adult Social Care to gain insights for a local area to advise on future procurement opportunities.
How we use your personal information
We use your personal information to:
- support the delivery of the Joy App to GP Surgeries, who will use the Joy App to support the volume of referrals to the voluntary community sector and streamline the process
- improve the efficiency of social prescribing and care navigation within the community by analysing the service that is being provided.
Reasons we can collect and use your personal information
When we collect your personal data, we rely on the following legal bases:
- Article 6(1)(a) - the individual has given clear consent for you to process their personal data for a specific purpose.
- Article 6(1)(b) - the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Article 6(1)(c) - processing is necessary for compliance with a legal obligation to which the controller is subject.
- Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
When we collect your ‘special categories of personal data’ (such as ethnicity, health, beliefs etc.), we rely on the following legal bases:
- Article 9(2)(h) - processing is necessary for the provision of health or social care or treatment or the management of health or social care systems and services.
We rely on the health or social care purpose condition from Schedule 1 of the Data Protection Act 2018 when relying on Article 9(2)(h) to process your special category data.
We take the following appropriate safeguards in respect of your special category data when relying on the conditions above:
- We have an Appropriate Policy for Lawful Processing which explains how the data protection principles are secured when using special category information. This policy is retained throughout the time we use your data and for six months after we cease to use it.
- We have a retention schedule which explains how long data is retained.
- We maintain a record of our processing in our ‘Record of Processing Activities’ and record any reasons for deviating from the periods in our retention schedule.
As we have a statutory basis for collecting your personal data, we do not need to ask for your permission to collect and share it. However, we will only ever share your data on a basis of need, in line with legislation, and will work transparently with you at all times.
If you do not provide your data, it will limit the effectiveness of the services and support that we are able to offer you.
How long your personal data will be kept
Your GP surgery will retain information relating to your voluntary community sector referral (e.g., social prescribing) for eight years after you have either been discharged or last seen by a service. Your information will be held on your GP case management system. This is in keeping with the NHS Retention Schedule.
Your GP has the discretion to remove your information directly from the Joy App itself. This will delete your personal and special category information as detailed above. However, your GP will still have a record of this on their case management system.
Any information that is added to your social care record will follow Adult Social Care retention periods AS1-6 in the retention schedule (excluding AS2.1, AS2.2, AS4.4, AS4.5, AS4.11, AS4.12.14 to AS.12.16, AS4.13, AS5.2, AS6.1, AS6.4 to AS6.6).
Any updates, changes or new entries to our retention schedule are made on a quarterly basis and, therefore, the current version linked above may not list the most up-to-date retention periods until the next publication.
We will collect anonymised information about service usage on the Joy App which means you will not be able to be identified from the information.
Who we share your personal information with
Your GP Surgery will collect, use and share your personal information with the relevant voluntary community sector (for example, social prescribing service) via a referral using the Joy App.
Your anonymised information will be collected, used and shared with our commissioning and adult social care teams to help analyse the service that the Joy App is providing.
The sharing of information facilitates a joined up approach with partner agencies, to provide you with the best possible care and support.
Each organisation involved in your care and support or access to services will ensure they have the relevant agreements in place to be able to process your personal information.
We will share personal information with law enforcement or other authorities if required by applicable law or in connection with legal proceedings.
We will share personal information with our legal and professional advisers in the event of a dispute, complaint or claim. We rely on Article 9(2)(f) where the processing of special category data is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
NHS and care services
We have processes in place for considering requests for data disclosures for purposes beyond direct care which are consistent with national data opt-out policy. Our organisation is compliant with the national data opt-out policy.
To find out more about the NHS’ wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit the NHS website. If you do choose to opt out you can still consent to your data being used for specific purposes.
Your rights
Under GDPR you have rights which you can exercise free of charge which allow you to:
- know what we are doing with your information and why we are doing it
- ask to see what information we hold about you (subject access request)
- ask us to correct any mistakes in the information we hold about you
- object to direct marketing
- make a complaint to the Information Commissioner's Office
Depending on your GP’s reason for using your information you may also be entitled to:
- object to how your GP is using your information
- ask your GP to delete information they hold about you
- have your information transferred electronically to yourself or to another organisation
- object to decisions being made that significantly affect you
- stop your GP using your information in certain ways.
Your GP will always seek to comply with your request. However, they may be required to hold or use your information to comply with legal duties. Please note: your request may delay or prevent a GP delivering a service to you.
For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the United Kingdom General Data Protection Regulation.
Your right to withdraw your consent
Where your GP Surgery relies on your consent to process your personal information, you can withdraw your consent to their use of your data at any time.
You can do this by contacting your GP Surgery directly to advise that you wish to withdraw your consent.
In some circumstances your GP will not rely on your consent to process your personal information, for example, where there is a concern to your wellbeing, mental health or if there is a safeguarding concern. Legal and statutory bases will be relied on to still collect, use and share your information.
Keeping your personal information secure
We, and your GP surgery, have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We, and your GP surgery, also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Who to contact
Contact your GP Surgery to exercise any of your rights. Your GP Surgery will be able to advise what process you need to follow to exercise any of your rights.
To exercise a right or make a complaint to us about why your information has been collected, how it has been used or how long it has been kept for, contact our Information Governance Team at data.protection@kent.gov.uk.
Email our Data Protection Officer, Benjamin Watts, at dpo@kent.gov.uk.
UK GDPR also gives you the right to lodge a complaint with the Information Commissioner, who may be contacted via the Information Commissioner's website or by calling 03031 231113.
Read our corporate privacy statement.