Kent and Medway Care Record privacy notice
We keep this privacy notice under regular review and was last updated on 9 September 2022.
Kent County Council respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data and tell you about your privacy rights and how the law protects you. You can view an easy read version of this privacy notice (PDF, 574.7 KB).
Who we are
Kent County Council (KCC) collects, uses and is responsible for certain personal information about you. When we do so we are regulated under the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). We are responsible as ‘controller’ of that personal information. Our Data Protection Officer is Benjamin Watts.
Kent Adult Social Care and Health will work with you to promote your health and wellbeing, designing services together that both suit you and meet your needs. Kent aims to be a county of opportunity, where aspiration rather than dependency is supported, and quality of life is high for everyone. We will work to understand and break down the barriers that stop this from happening.
Under the Children, Young People & Education (CYPE) directorate, children’s social care is provided by Integrated Children's Services and comprises a range of services that offer specialist support to children, young people and families. Support is provided by children’s social work teams, Fostering and Adoption services, the Family Drug and Alcohol Court, the Leaving Care service, and Virtual School Kent. Our services may be provided face-to-face or virtually. We work in an integrated way with other children’s services teams in KCC and with partner organisations to ensure we deliver the best possible outcomes for children, young people and families in Kent.
Kent County Council are one of the partner organisations to the Kent and Medway Care Record (KMCR). The KMCR is an electronic care record which links your health and social care information held in different provider systems, to one platform. This allows health and social care professionals who have signed up to the KMCR to access the most up to date information to ensure you receive the best possible care and support by those supporting you. In order to enable this sharing of information, organisations who use the KMCR have agreements in place that allow the sharing of personal and special category data. Read further information about the Kent and Medway Care Record and the ways in which your data is used for this system.
Personal information we collect and use
Information collected by us
In the course of working with you, the following personal information may be used for the KMCR. This may include other organisations using your information.
- Personal information e.g. your name, address, telephone number, date of birth, sex, age, NHS number, hospital ID
- Contact details for members of your family and support networks e.g. GP.
We also collect the following ‘special category data’ (personal data which is more sensitive and is treated with extra care and protection) when you provide it to us:
- Information about your racial or ethnic origin, religious or philosophical belief and your sexual orientation
- Information about health conditions or disabilities that may apply to you
- Information about you and your circumstances
- Information about relevant health and safety concerns
- Information about your needs and wishes.
In the course of providing specialist support for a child, young person and their family, the following personal information may be used for the KMCR:
- details of family relationships, including those of extended family
- the type of support or intervention being provided
In the course of working with you, we may collect information from, or share it, with health and social care organisations which have signed up to the KMCR or process data for the KMCR. Please see the ‘who we share your personal information with’ section for a list of health and social care organisations. We may also use your information for testing purposes (including live testing) to validate accuracy and completeness of records for the KMCR. Information used for this purpose will be minimised to only what is relevant, proportionate to testing purposes and will be deleted immediately after testing has been completed.
How we use your personal information
The sharing of personal and special category information via the KMCR allows health and social care professionals to provide you with the best possible care and support. It will support decision-making about your care and treatment.
We may use your personal and special category data to:
- provide better outcomes to improve your health and social care requirements and to improve your social care journey
- ensure integration with health and social care providers to provide a person-centred approach for you
- ensure you are in receipt of the right care and support throughout your social care journey.
Reasons we can collect and use your personal data
When we collect or share your personal data, we rely on the following legal bases:
- Article(6)(1)(c) - legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Article (6)(1)(d) – vital interests: the processing is necessary to protect someone’s life.
- Article (6)(1)(e) – public interests: the processing is necessary to perform a task in the public interest or for official functions (task or function has a clear basis in law).
When we collect or share your ‘special categories of personal data’, (such as health, race, ethnicity, sexual orientation) we reply on the following legal bases:
- Article (9)(2)(h) - Health or social care (with a basis in law): processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards.
We rely on the health or social care purpose condition from Schedule 1 of the Data Protection Act 2018 when relying on Article(9)(2)(h) to process your special category data.
We take the following appropriate safeguards in respect of your special category data when relying on the condition above:
- We have an Appropriate Policy for Lawful Processing which explains how the data protection principles are secured when using special category information. This policy is retained throughout the time we use your data and for six months after we cease to use it.
- We have a retention schedule which explains how long data is retained.
- We maintain a record of our processing in our ‘Record of Processing Activities’ and record for any reasons deviating from the periods in our Retention Schedule.
As we have a statutory basis for collecting your personal data, we do not need to ask for your permission to collect and share it, however we will only ever share your data on a basis of need, in line with legislation and will work transparently with you at all times.
If you do not provide your data, it will limit the effectiveness of the services and support that we are able to offer you.
We will also recognise your rights established under UK case law collectively known as the Common Law Duty of Confidentiality. The duty of confidentiality is not a written Act of Parliament, it is “common” law. This means that it has been established over a period of time through the Courts. It recognises that some information has a quality of confidence, which means that the individual or organisation that provided the information has an expectation that it will not be shared with or disclosed to others.
How long your personal data will be kept
As the KMCR is only used to share, rather than store, data contained within a local record. The retention of data is set by individual partners who follow the NHS Records Management Code of Practice for Health and Social Care 2020. To work out how long we need to keep your information for we use our retention schedule (See sections AS1 – 6 (excluding AS2.1, AS2.2, AS4.4, AS4.5, AS4.9, AS4.10, AS4.11, AS4.12.15, AS4.12.16, AS4.13, AS5.2, AS6.1) which provides a breakdown of the retention periods relied on by Adult Services).
For Children’s services, KCC keep your information securely in line with the retention periods shown below, after which time it is made inaccessible to system users or securely destroyed, unless we are required by legal reasons to retain records for longer than the stated retention period.
|Children and young people with a Child Protection Plan||Date of birth +40 years|
|Children and young people who have been in the care of the local authority (Looked After Children and Care Leavers)||Date of birth +75 years|
If the child/young person dies before the age of 18 records will be retained for 15 years from their date of death
Who we share your personal information with
We will routinely share your personal information listed in the ‘personal information we collect and use’ section with the following health and social care organisations:
- Dartford and Gravesham NHS Trust (D&G)
- East Kent Hospitals University NHS Foundation Trust (EKHUFT)
- Medway Maritime Hospital - Medway NHS Foundation Trust (MFT)
- Maidstone and Tunbridge Wells NHS Trust (MTW)
- Kent and Medway Partnership NHS and Social Care Partnership Trust (KMPT)
- North East London Foundation Trust (NELFT)
- Kent Community Health NHS Foundation Trust (KCHFT)
- Virgin Care Services
- Medway Community Healthcare (MCH)
- General Practitioners
- South East Coast Ambulance Service (SECAmb)
- Integrated Care 24 (IC24)
- Out of Hours providers (currently IC24, SECAmb and MCH)
- Kent and Medway Clinical Commissioning Group (KM CCG)
- Kent County Council (children and adults services) (KCC)
- Medway Council (children and adults services) (MWC).
We will also routinely share your data with Graphnet. They are responsible for processing data so this can be made available on the Kent and Medway Care Record.
Each health and social care organisation listed above will ensure they have the relevant agreements in place to be able to process your personal information.
We will share personal information with law enforcement or other authorities if required by applicable law or in connection with legal proceedings. We will share personal information with our legal and professional advisers in the event of a dispute, complaint, or claim. We rely on Article 9(2)(f) where the processing of special category data is necessary for the establishment, exercise, or defence of legal claims or whenever courts are acting in their judicial capacity.
NHS and care services
We have processes in place for considering requests for data disclosures for purposes beyond direct care which is consistent with national data opt-out policy. Our organisation is compliant with the national data opt-out policy.
To find out more about the NHS’ wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit the NHS website. If you do choose to opt out, you can still consent to your data being used for specific purposes.
Under UK GDPR you have rights which you can exercise free of charge which allow you to:
- know what we are doing with your information and why we are doing it
- ask to see what information we hold about you (subject access request)
- ask us to correct any mistakes in the information we hold about you
- object to direct marketing
- make a complaint to the Information Commissioner's Office
Depending on our reason for using your information you may also be entitled to:
- ask us to delete information we hold about you
- have your information transferred electronically to yourself or to another organisation
- object to decisions being made that significantly affect you
- object to how we are using your information
- stop us using your information in certain ways
There is no automated decision making or profiling in KMCR.
We will always seek to comply with your request however we may be required to hold or use your information to comply with legal duties. Please note, your request may delay or prevent us delivering a service to you.
For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner's Office (ICO) on individuals’ rights under UK GDPR.
Objecting to data sharing via KMCR
You have the right to object of sharing personal data via the KMCR. You should therefore contact the organisation(s) involved in your care. An objection to sharing your information will mean that your data will not be shared for any kind of direct care, including extended hours GP access and emergencies. We ask you to think carefully before making this decision as sharing your health and social care information will make it easier for services to provide the best treatment and care for you.
If you chose to object, the right is not absolute, and we may continue to use the data if we can demonstrate compelling legitimate grounds.
Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Please contact the Information Resilience and Transparency Team at email@example.com to exercise any of your rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for.
You can contact our Data Protection Officer, Benjamin Watts, at firstname.lastname@example.org.
Read our corporate privacy statement.