Privacy

Depending on why we might need your information, often referred to as the ‘purpose for processing’, different categories of data may be used within KCHFT to allow us to best meet your needs. Information can be categorised using the following terms:

Anonymised data – data where personal identifiable identifiers have been removed. Data protection laws and the Common Law of Confidentiality do not apply to anonymised data.

Pseudonymised data – data where any information which could be used to identify an individual has been replaced with a fake identifier.  Pseudonymised data remains personal data and therefore we must care for this information in the same way as identifiable data.

Person identifiable information (or personal data) – any information about an individual from which, either on its own or together with other information, that person may be identified. The Common Law Duty of Confidentiality and Data Protection legislation apply and there must be a lawful reason for using such data.

Special Category Data – This is information which requires a higher level of protection and is therefore subject to additional lawful reasoning.

We do not collect more information than we need to fulfil our stated purposes and will not retain that information for longer than is necessary.

The list below provides a general overview of the types of information we collect and why. This is not an exhaustive list but gives an indication of the types of information we collect.

In general, the information that we collect, hold and share includes:

• personal information (such as name, date of birth, NHS number, addresses, contact details);
• characteristics (such as gender, ethnicity, language, medical conditions, nationality, country of birth);
• details of the medical records and health of patients including current and previous GP practice details;
• specific information relation to child protection or safeguarding.

Further information regarding purpose specific collected data can be found by clicking on the relevant links.

By providing us with your contact details, you are agreeing for us to use these ways to communicate with you about your care, for example, by letter (address), by voice-mail or voice message (telephone or mobile number), by text message (mobile number) or by email (email address).

As an NHS Trust we are a legal entity, set up by order of the Secretary of State under section 25 of, and Schedule 4 to, the National Health Service Act 2006, to provide goods and services for the purposes of the health service. We act as Health Care Providers and provide community health services.

As such our business is based upon statutory powers which underpin the legal bases that apply for the purposes of the UK GDPR.

Personal data

We collect and use your personal information in the delivery of direct care under the following primary lawful basis:

Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us as a Data Controller, and the task or function has a clear basis in law;

In certain circumstances, we may also process information under the following articles –

Article 6(1)(c) - processing is necessary for compliance with a legal obligation to which we as a Data Controller are subject, for example where we have a specific legal obligation that requires the processing of personal data such as processing Subject Access or Freedom of Information requests;

Article 6(1)(d) - where processing is necessary to protect the vital interests of the data subject or another person, for example the processing is necessary to protect someone’s life.

Article 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Article 6(1) (a) – where you have given us consent for us to process your personal data for a specific purpose;

Special category data

As part of the Kent Community Health NHS Foundation Trust’s statutory and corporate functions, we process special category data and criminal offence data in accordance with the requirements of Article 9 and 10 of the UK General Data Protection Regulation (‘GDPR’) and Schedule 1 of the Data Protection Act 2018 (‘DPA 2018’).

Where we process special category data, for example data concerning including health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the UK GDPR. Where we are processing special category personal data for purposes related to the commissioning and provision of health services the condition is:

Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

In certain circumstances, we also process special category data under the following articles –

Article 9(2)(c) – where processing is necessary to protect the vital interests of the data subject or of another natural person. An example of our processing would be using health information about a patient in a medical emergency.

Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.

Article 9(2)(f) – for the establishment, exercise or defence of legal claims. Examples of our processing include processing relating to any tribunal or other litigation. Kent Community Health NHS Foundation Trust may also process personal data for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights.

Article 9(2)(g) – processing is necessary for reasons of substantial public interest.

Article 9(2)(a) – explicit consent - in circumstances where we seek consent, we make sure that the consent is unambiguous and for one or more specified purposes, is given by an affirmative action and is recorded as the condition for processing. For example, for some special projects that we may undertake.

Criminal conviction data

Article 10 UK GDPR covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences or proceedings for an offence committed or alleged to have been committed, including sentencing. This is collectively referred to as ‘criminal offence data’.

We understand that sharing information about you is a sensitive topic, however on occasions it is necessary for us to allow others to see your personal data. We will never sell your information and are committed to being transparent with you about where we legally share information, the reason why and who with. The information below gives an overview of routine sharing that we undertake.

We routinely share information with internal and external health professionals directly involved with your care. We may share your personal information with other NHS organisations, or the Local Authority for health and care purposes. This may include other NHS Trusts, or other providers of NHS services including for example general practitioners (GPs), ambulance services and primary care agencies.

We may also need to share information from your health record for the purposes of evaluating the quality of care that we provide, for example with professional bodies and regulators in accordance with our statutory obligations.

KMCR

Kent Community Health Foundation Trust (KCHFT) are one of the partner organisations to the Kent and Medway Care Record (KMCR). The KMCR is an electronic care record which links your health and social care information held in different provider systems, to one platform. This allows health and social care professionals who have signed up to the KMCR to access the most up to date information to ensure you receive the best possible care and support by those supporting you. In order to enable this sharing of information, organisations who use the KMCR have agreements in place that allow the sharing of personal and special category data.

Further information about the Kent and Medway Care Record and the ways in which your data is used for this system.

Kent and Medway SHCAB

Your information may be passed, with all identifiers removed, to a collaborative programme called the Kent and Medway Shared Health and Care Analytics Board. It will be used for population health management purposes beyond your individual care, including, for example, planning services, managing finances, early treatment of illnesses (known as risk stratification), co-ordinating and improving patient and service user’s movement through the health and care system, research, and public health enhancement.

External organisations

We may need to share information from your health records with other non-NHS organisations, such as Social Services if you are also receiving care or support from them, to ensure that the services you receive are appropriate.

These non-NHS organisations may include, but are not restricted to:

• Social Services
• Education services
• Local authorities
• The Police
• Voluntary sector providers
• Private sector providers

All members of staff employed by these agencies are bound by the common law duty of confidentiality which means that information that you provide to us must be held in confidence and not shared with anyone else.

We may also be asked by other statutory bodies to share basic information about you, such as your name and address – but not sensitive information from your health records. When this happens, it is normally because it will assist them to carry out their statutory duties and it is lawful for us to do so.

On occasions we may be required by law to provide information about you for any of the following purposes:

• the prevention or detection of crime,
• the apprehension or prosecution of offenders, or
• the assessment or collection of any tax or duty or of any imposition of a similar nature.

We are not obliged to inform you when this happens.

Your information may be accessed and shared internally by our staff in the event of routine enquiries, complaints about us or where we are required to do so by law, for example processing subject access requests or Freedom of Information requests, financial transactions, maintaining our accounts and prevention of fraud. This may include members of different departmental admin teams and our IT staff if access to the data is necessary for performance of their roles, the nature of the enquiry or request and it is within the above lawful bases.

Kent Community Health NHS Foundation Trust has a Closed-Circuit Television (CCTV) surveillance system ("the system") in operation with images being monitored and recorded. The system is owned, operated and managed by Kent Community Health NHS Foundation Trust. It is used for maintaining public safety, the security of property and premises and for the detection, prevention and investigating of crime. Disclosure of recorded material will only be made to third parties in accordance with the purposes of the system and in compliance with Data Protection legislation.

The Trust telephone systems record incoming and outgoing calls for training and monitoring purposes. Access to recordings is restricted to system administrators for the service. Disclosure will be made in accordance with the Data Protection Act. 

Information about the use of our IT systems is shared with technical suppliers for the purposes of support and system administration. In the event that we share personal data with third parties, we will provide the minimum amount of personal data necessary to fulfil the purpose for which we are required to share the data.

KCHFT use tracking technology to monitor the location and safety of our employees while attending appointments away from our premises. Our staff are aware of when they are being used and the only people who have access to this information are those monitoring the lone worker’s safety.

The Trust does not keep records for longer than necessary and all records are destroyed securely once their retention period has been met. KCHFT has adopted the NHS England Records Management Code of Practice for Health and Social Care 2021 which sets out the appropriate length of time each type of NHS record is retained for.

CCTV images are kept for one calendar month. Access to ensure that images are deleted is restricted to key individuals.

Phone call recordings are kept for 90 days.

All personal information is stored on KCHFT IT systems on secure servers or in secure cabinets in protected areas and offices etc. The Trust has policies and procedures in place to ensure your information is kept safe and secure, including appropriate access and auditing controls and strict security measures concerning both electronic and paper records.

KCHFT use anti-virus software and firewalls to protect against cyber-attack. Unfortunately, the transmission of information via the internet isn't completely secure. Although we'll do our best to protect your personal information, we cannot guarantee the security of information you may send to us that is outside of our security arrangements, for example via your personal email accounts etc.

Please see our leaflet ‘Communicating by email Or SMS text’.

Your information is not sent outside the United Kingdom or the European Union unless the recipient has the same level of legal responsibility as we do under UK law. Any transfer of data requires a Data Protection Impact Assessments to ensure any project with risks that may affect the use of patient data, such as new systems or services have been mitigated. View list of these DPIA’s.

KCHFT has successfully passed this year’s data guardian’s security standard.

• Data Security and Protection Toolkit standards met certificate 2022/23

Organisations who access patient data and systems must complete the online self-assessment every year. This provides assurance that good data security is being followed and personal information is handled correctly. Required evidence is submitted and audited by NHS England.

The continued support of colleagues to follow trust security policies and procedures, including reporting incidents, mandatory training, data flow mapping and data privacy impact assessments help contribute to this achievement each year.

Kent Community Health NHS Foundation Trust, takes the rights of individuals very seriously and will support you in enacting any of these where they apply. You have rights relating to your personal information and can find more information about these rights on the Information Commissioner's Office website www.ico.org.uk.

Under data protection legislation, you have the right:

• to be informed of the uses of your data– this enables you to be informed how your data is processed
• of access– this enables you to have sight of or receive a copy of the personal information held about you and to check the lawful processing of it
• to rectification– this enables you to have any incomplete or inaccurate information held about you corrected
• to erasure– this enables you to request we erase personal data about you we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding lawful grounds to continue to process your data
• to restrict processing– this enables you to ask us to suspend the processing of personal information about you, for example, if you want us to establish its accuracy or the reason for processing it
• to data portability– this enables you to transfer your electronic personal information to another party, where appropriate.
• to object– this enables you to object to processing of personal data about you on grounds relating to your particular situation. The right is not absolute and we may continue to use the data if we can demonstrate compelling legitimate grounds.
• in relation to automated decision making and profiling– this enables you to be told if your data is being processed using automated software in relation to automated decision making and profiling note: There is no automated decision making or profiling in KMCR.

The trust has a responsibility to comply with any request made under an individual right as detailed in UK GDPR within one calendar month. In some circumstances this time frame may be extended by an additional two calendar months but this must be communicated to you within the first month following receipt of a valid request.

In most circumstances there will be no charge for the trust to comply with any of request relating to your rights under UK GDPR, however in certain circumstances we may charge a 'reasonable fee' for the administrative costs of complying with a request if: it is manifestly unfounded or excessive; or. an individual requests further copies of their data following a request.

If you wish to exercise any of your rights as outlined above, you should in the first instance contact the IG team:

IG SARS Team
Kent Community Health NHS Foundation Trust,
Trinity House, 110-120 Upper Pemberton
Eureka Park, Kennington
Ashford
Kent TN25 4AZ

kentchft.sar@nhs.net
0300 123 2079

If you are a current or former staff member and wish to request your records, please contact:

Employee Relations
0300 790 6835
kentchft.employeerelations@nhs.net

Kent Community Health NHS Foundation Trust strives to meet the highest possible standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to contact our Data Protection Officer if they think that our collection or use of information is unfair, misleading or inappropriate. You can do this by emailing kentchft.dataprotectionofficer@nhs.net.

We would also welcome any suggestions for improving our processes or procedures by contacting our PALS Team.

Complaints to the Information Commissioner

If you are dissatisfied with the way we have handled your complaint or request and want to make a complaint, you may write to the Information Commissioner, who is an independent regulator. Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

The Information Commissioner can be contacted at:

Information Commissioner Wycliffe House Water Lane Wilmslow Cheshire, SK9 5AF

08456 30 60 60 or 01625 54 57 45
Fax: 01625 524510
https://ico.org.uk

The NHS Constitution establishes the principles and values of the NHS in England. It sets out the rights patients, the public and staff are entitled to. These rights cover how patients access health services, the quality of care you will receive, the treatments and programmes available to you, confidentiality, information and your right to complain, if things go wrong.

NHS England

NHS England collects health information from the records health and social care providers keep about the care and treatment they give, to promote health or support improvements in the delivery of care services in England.

This privacy notice may change from time to time, for example if the law around privacy or personal information changes or for our own operational purposes. We encourage you to check for updates to this notice from time to time to remain informed about the way in which we use your information.