Kent and Medway Care Record privacy notice

We keep this privacy notice under regular review and was last updated on 24 April 2024.

Kent County Council respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data and tell you about your privacy rights and how the law protects you. You can view an easy read version of this privacy notice (PDF, 924.7 KB).

Who we are

Kent County Council (KCC) collects, uses and is responsible for certain personal information about you. When we do so we are regulated under the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). We are responsible as ‘controller’ of that personal information. Our Data Protection Officer is Benjamin Watts.

Kent Adult Social Care and Health will work with you to promote your health and wellbeing, designing services together that both suit you and meet your needs. Kent aims to be a county of opportunity, where aspiration rather than dependency is supported, and quality of life is high for everyone. We will work to understand and break down the barriers that stop this from happening.

Under the Children, Young People & Education (CYPE) directorate, children’s social care is provided by Integrated Children's Services and comprises a range of services that offer specialist support to children, young people and families. Support is provided by children’s social work teams, Fostering and Adoption services, the Family Drug and Alcohol Court, the Leaving Care service, and Virtual School Kent. Our services may be provided face-to-face or virtually. We work in an integrated way with other children’s services teams in KCC and with partner organisations to ensure we deliver the best possible outcomes for children, young people and families in Kent.

Kent County Council are one of the partner organisations to the Kent and Medway Care Record (KMCR). The KMCR is an electronic care record which links your health and social care information held in different provider systems, to one platform. This allows health and social care professionals who have signed up to the KMCR to access the most up to date information to ensure you receive the best possible care and support by those supporting you. In order to enable this sharing of information, organisations who use the KMCR have agreements in place that allow the sharing of personal and special category data. Read further information about the Kent and Medway Care Record and the ways in which your data is used for this system.

The KMCR can also be used for secondary purposes. This includes using the KMCR information for planning, population health management, audit, business intelligence and research and academia.

Personal information we collect and use

Information collected by us

In the course of working with you, the following personal information may be used for the KMCR. This may include other organisations using your information.

  • Personal information e.g. your name, address, telephone number, date of birth, sex, age, NHS number, hospital ID
  • Contact details for members of your family and support networks e.g. GP.

We also collect the following ‘special category data’ (personal data which is more sensitive and is treated with extra care and protection) when you provide it to us:

  • Information about your racial or ethnic origin, religious or philosophical belief and your sexual orientation
  • Information about health conditions or disabilities that may apply to you
  • Information about you and your circumstances
  • Information about relevant health and safety concerns
  • Information about your needs and wishes.

In the course of providing specialist support for a child, young person and their family, the following personal information may be used for the KMCR:

  • details of family relationships, including those of extended family
  • the type of support or intervention being provided
  • mental health assessment details, for example, the assessment date, contact details for social care professional who completed assessment.

In the course of working with you, we may collect information from, or share it, with health and social care organisations which have signed up to the KMCR or process data for the KMCR. Please see the ‘who we share your personal information with’ section for a list of health and social care organisations. E-forms may also be used. These provide a read-write function, meaning information can be entered directly onto the platform (KMCR), creating a single source of the truth within the shared care record. We may also use your information for testing purposes (including live testing) to validate accuracy and completeness of records for the KMCR. Information used for this purpose will be minimised to only what is relevant, proportionate to testing purposes and will be deleted immediately after testing has been completed.

How we use your personal information

The sharing of personal and special category information via the KMCR allows health and social care professionals to provide you with the best possible care and support. It will support decision-making about your care and treatment.

We may use your personal and special category data to:

  • provide better outcomes to improve your health and social care requirements and to improve your social care journey
  • ensure integration with health and social care providers to provide a person-centred approach for you
  • ensure you are in receipt of the right care and support throughout your social care journey.

We may also use your personal and special category data for secondary purposes, including:

  • planning, implementing, and evaluating population health strategy, understanding the population needs, understanding where the gaps are, implementing services to improve health
  • managing finances, quality, and outcomes, understanding costs of services delivered, ensuring services are fit for purpose
  • risk stratification for early intervention and prevention, identifying needs, ensuring services are delivered in an effective and timely manner
  • co-ordinating and optimising patient or service user flow, improving health and care outcomes
  • carrying out research, working with approved researchers to use the best possible methods to analyse data and give useful recommendation for planning and delivery of services
  • public health, ensuring the delivery of health and healthcare services is equal and equitable.

Reasons we can collect and use your personal data

When we collect or share your personal data, we rely on the following legal bases:

  • Article(6)(1)(c) - legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  • Article (6)(1)(d) – vital interests: the processing is necessary to protect someone’s life.
  • Article (6)(1)(e) – public interests: the processing is necessary  to perform a task in the public interest or for official functions (task or function has a clear basis in law).

When we collect or share your ‘special categories of personal data’, (such as health, race, ethnicity, sexual orientation) we reply on the following legal bases:

  • Article (9)(2)(h) - Health or social care (with a basis in law): processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards.
  • Article 9(2)(i) - Necessary for reasons of public interest in the area of public health (subject to a DPA 18 condition.
  • Article 9(2)(j) - Necessary for archiving purposes in the public interest, scientific, or historical research purposes in accordance with Article 89(1) (subject to a DPA 18 condition) which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject

We rely on the public interest, health or social care purpose and research conditions from Schedule 1 of the Data Protection Act 2018 when relying on Article(9)(2)(h) to process your special category data.

We take the following appropriate safeguards in respect of your special category data when relying on the condition above:

  • We have an Appropriate Policy for Lawful Processing which explains how the data protection principles are secured when using special category information. This policy is retained throughout the time we use your data and for six months after we cease to use it.
  • We have a retention schedule which explains how long data is retained.
  • We maintain a record of our processing in our ‘Record of Processing Activities’ and record for any reasons deviating from the periods in our Retention Schedule.

As we have a statutory basis for collecting your personal data, we do not need to ask for your permission to collect and share it, however we will only ever share your data on a basis of need, in line with legislation and will work transparently with you at all times.

If you do not provide your data, it will limit the effectiveness of the services and support that we are able to offer you.

We will also recognise your rights established under UK case law collectively known as the Common Law Duty of Confidentiality. The duty of confidentiality is not a written Act of Parliament, it is “common” law. This means that it has been established over a period of time through the Courts. It recognises that some information has a quality of confidence, which means that the individual or organisation that provided the information has an expectation that it will not be shared with or disclosed to others. NHS England had confirmed approval of the Section 251 application to the Confidentiality Advisory Group (CAG).

How long your personal data will be kept

As the KMCR is only used to share, rather than store, data contained within a local record. The retention of data is set by individual partners who follow the NHS Records Management Code of Practice for Health and Social Care 2020. To work out how long we need to keep your information for we use our retention schedule (See sections AS1 – 6 (excluding AS2.1, AS2.2, AS4.4, AS4.5, AS4.9, AS4.10, AS4.11, AS4.12.15, AS4.12.16, AS4.13, AS5.2, AS6.1) which provides a breakdown of the retention periods relied on by Adult Services).

For Children’s services, KCC keep your information securely in line with the retention periods shown below, after which time it is made inaccessible to system users or securely destroyed, unless we are required by legal reasons to retain records for longer than the stated retention period.

CategoryRetention Period
Children and young people with a Child Protection PlanDate of birth +40 years
Children and young people who have been in the care of the local authority (Looked After Children and Care Leavers)Date of birth +75 years

If the child/young person dies before the age of 18 records will be retained for 15 years from their date of death

Who we share your personal information with

We will routinely share your personal information listed in the ‘personal information we collect and use’ section with the following health and social care organisations:

  • Dartford and Gravesham NHS Trust (D&G)
  • East Kent Hospitals University NHS Foundation Trust (EKHUFT)
  • Medway Maritime Hospital - Medway NHS Foundation Trust (MFT)
  • Maidstone and Tunbridge Wells NHS Trust (MTW)
  • Kent and Medway Partnership NHS and Social Care Partnership Trust (KMPT)
  • North East London Foundation Trust (NELFT)
  • Kent Community Health NHS Foundation Trust (KCHFT)
  • Virgin Care Services
  • Medway Community Healthcare (MCH)
  • Kent and Medway General Practitioners (including federations (DGS Health, Channel Health Alliance and Invicta Health))
  • South East Coast Ambulance Service (SECAmb)
  • Integrated Care 24 (IC24)
  • Out of Hours providers (currently IC24, SECAmb and MCH)
  • Kent and Medway Integrated Care Board (K&M ICB)
  • Kent County Council (children and adults services) (KCC)
  • Medway Council (children and adults services) (MWC)
  • Kent and Medway hospices (Demelza, Ellenor, Wisdom Hospice, Marie Curie, Heart of Kent hospice, Hospice in the Weald, Pilgrims Hospice East Kent).

We will also routinely share your data with Graphnet. They are responsible for processing data so this can be made available on the Kent and Medway Care Record.

Other external organisations e.g., universities, may also be recipients of data if a secondary purpose request has been approved. Where possible, data will be anonymised or pseudonymised.

Each health and social care organisation listed above will ensure they have the relevant agreements in place to be able to process your personal information.

We will share personal information with law enforcement or other authorities if required by applicable law or in connection with legal proceedings. We will share personal information with our legal and professional advisers in the event of a dispute, complaint, or claim. We rely on Article 9(2)(f) where the processing of special category data is necessary for the establishment, exercise, or defence of legal claims or whenever courts are acting in their judicial capacity.

NHS and care services

We have processes in place for considering requests for data disclosures for purposes beyond direct care which is consistent with national data opt-out policy. Our organisation is compliant with the national data opt-out policy.

To find out more about the NHS’ wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit the NHS website. If you do choose to opt out, you can still consent to your data being used for specific purposes.

Your rights

Under UK GDPR you have rights which you can exercise free of charge which allow you to:

  • know what we are doing with your information and why we are doing it
  • ask to see what information we hold about you (subject access request)
  • ask us to correct any mistakes in the information we hold about you
  • object to direct marketing
  • make a complaint to the Information Commissioner's Office

Depending on our reason for using your information you may also be entitled to:

  • ask us to delete information we hold about you
  • have your information transferred electronically to yourself or to another organisation
  • object to decisions being made that significantly affect you
  • object to how we are using your information
  • stop us using your information in certain ways

There is no automated decision making or profiling in KMCR.

We will always seek to comply with your request however we may be required to hold or use your information to comply with legal duties. Please note, your request may delay or prevent us delivering a service to you.

For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner's Office (ICO) on individuals’ rights under UK GDPR.

Objecting to data sharing via KMCR

You have the right to object of sharing personal data via the KMCR. You should therefore contact the organisation(s) involved in your care. An objection to sharing your information will mean that your data will not be shared for any kind of direct care, including extended hours GP access and emergencies. We ask you to think carefully before making this decision as sharing your health and social care information will make it easier for services to provide the best treatment and care for you.

If you chose to object, the right is not absolute, and we may continue to use the data if we can demonstrate compelling legitimate grounds.

To register your choice to opt out of your confidential personal information being used for secondary purposes, please visit the NHS website.

Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.


Please contact the Information Resilience and Transparency Team at to exercise any of your rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for.

You can contact our Data Protection Officer, Benjamin Watts, at

The UK GDPR also gives you right to lodge a complaint with the Information Commissioner who may be contacted on 03031 231113.

Read our corporate privacy statement.