Our commitment to your data privacy and confidentiality

We are committed to protecting your privacy and will only process personal confidential data lawfully and in accordance with the Data Protection Act 2018 incorporating the General Data Protection Regulations (GDPR), the Privacy and Electronic Communications Regulations (PECR), the Common Law Duty of Confidentiality and the Human Rights Act 1998.

KMPT is a data controller under the terms of the Data Protection Act. We are legally responsible for ensuring that all personal information that we hold and use is handled in compliance with the law. All data controllers must ensure they are compliant with the Data Protection Act 2018; further details can be found on the Information Commissioner’s website.

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee, the NHS Constitution, the Health and Social Care Information Centre Guide to Confidentiality, and the NHS Confidentiality Code of Practice provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health. This is an important part of our processing as it ensures that the NHS keeps improving its standards and treatments.

We will not share information that identifies you unless we have a fair and lawful basis on which to do so:

  • for Direct Care purposes, to ensure your safe care and treatment;
  • to protect children and vulnerable adults;
  • when a formal court order has been served on us;
  • when we are lawfully required to report certain information to the appropriate authorities, e.g. to prevent fraud or a serious crime;
  • for emergency planning reasons, such as protecting the health and safety of others;
  • when permission is given by the Secretary of State for Health or the Health Research Authority (HRA) on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals.

We also anonymise information for indirect care so that we can:

  • review current practice to provide high quality care
  • review our planning and services so that we meet patients’ expectations and needs
  • prepare statistics and “performance” figures
  • safeguard the health of the general public
  • support medical research
  • carry out auditing and statistics
  • provide training and continuing education for our staff

Personal data we hold about you

Your information is held by the trust so we can ensure we give you the correct care and treatment. Personal data means any information relating to an identified or identifiable natural person (a living individual). The list below, which may be of use to you, shows how a person can be identified:

  • directly or indirectly, in particular, by reference to an identifier such as a name
  • an identification number
  • location data
  • an online identifier e.g. including IP address and internet cookies
  • one or more factors specific to the physical, physiological, genetic e.g. DNA, mental, economic, cultural or social identity of that natural person

Special categories of personal data are defined in the Data Protection Act as information about an identifiable individual’s:

  • racial and ethnic origin,
  • political opinions,
  • religious or philosophical beliefs,
  • trade union membership,
  • the processing of genetic data,
  • biometric data for uniquely identifying an individual,
  • data concerning health,
  • data concerning an individual’s sex life or sexual orientation.

Processing, in relation to personal data, means any operation or set of operations undertaken on personal data, whether by automated means or not:

  • collection, recording, organisation, structuring, storage
  • retrieval, consultation, use
  • adaptation or alteration
  • disclosure by transmission, dissemination or making available
  • alignment or combination
  • restriction, erasure or destruction

Personal Confidential Data is personal information about identified or identifiable individuals which is also confidential. ‘Personal’ includes the Data Protection Act definition of personal data, but it also includes the deceased as well as the living. ‘Confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ (e.g. health records) and is adapted to include ‘special categories’ data as defined in the Data Protection Act.

Pseudonymised information means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific individual without the use of additional information, provided that information is kept separately.

Anonymised information is data that has been changed into a form which does not identify individuals and where there is little or no risk of identification.

Aggregated information is anonymised data that is grouped together so that it does not identify any individuals.

Retention Schedules

The trust ensures that information is not kept for any longer than is necessary, in line with the Data Protection Act 2018 – incorporating GDPR. The trust abides by the NHS Retention Schedules, which can be found at Records Management for Health and Social Care 2016.

Purposes for using your information

Kent and Medway NHS and Social Care Partnership Trust embraces transparency as a means of building trust and confidence with our patients/staff.

Being transparent and providing accessible information to individuals about how we will use personal data is a key element of the Data Protection Act 2018 (DPA) and the EU General Data Protection Regulation (GDPR).

We want to be clear about the purpose or purposes for which we hold personal data.

It is often argued that people’s expectations about personal data are changing. People are increasingly willing to share information on social media and to allow their data to be collected by mobile apps, but they are unwilling to read lengthy privacy notices.

These factors are sometimes used to support the view that they are relatively unconcerned that their data is being collected and processed. However, we believe that people do have concerns about how organisations handle their data and want to retain some control over its further use.

Therefore, we have separated our full privacy notice into easy-to-read sections, as it is of paramount importance for us to be transparent about our processing and comply with the legal requirements to provide privacy information.

Our privacy notices can be viewed here

Your Rights

You have a right to privacy and to expect the NHS to keep your information confidential and secure.

Under the Data Protection Act 2018 it is your legal right to have your data processed on a fair and lawful basis and in a transparent manner.

Please see detailed rights below.

The right to be informed

You have the right to be informed about the collection and use of your personal information.

We must provide you with information including: our purposes for processing your personal information, our retention periods for that personal information, and who it will be shared with. We call this ‘privacy information’.

Our privacy notices can be viewed here

The right to request access

Subject Access Requests

You can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 2018. If we do hold information about you we will:

  • give you a description of it
  • tell you why we are holding it
  • tell you who it could be disclosed to; and
  • let you have a copy of the information in an intelligible format


We will not charge a fee for providing your information; however, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

We may also charge a reasonable fee to comply with requests for further copies of the same information. The fee will be based on the administrative cost of providing the information.

The trust will endeavour to deal with your request within a 21-day time limit (NHS best practice). However, by law we have 30 days to respond. If this is likely to take longer, the applicant will be warned and an explanation of the delay provided.

You can request access to your information by following this link

The right to request rectification

When should personal data be rectified?

You are entitled to have personal data rectified if it is inaccurate or incomplete.

If we have disclosed the personal data in question to others, we must contact each recipient and inform them of the rectification - unless this proves impossible or involves disproportionate effort. If asked to, we must also inform you about these recipients.

How long do we have to comply with a request for rectification?

We must respond within one month.

This can be extended by two months where the request for rectification is complex. If we decide not to take action in response to a request for rectification, we will explain to you the reasons why and explain your right to complain to the supervisory authority.

For further information or to apply for a rectification please click here

Right to Erasure (to be forgotten)

The right to erasure does not provide an absolute ‘right to be forgotten’. You have a right to have personal data erased and to prevent processing in specific circumstances:

  • where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  • when you withdraw consent.
  • when you object to the processing and there is no overriding legitimate interest for continuing the processing.
  • the personal data was unlawfully processed (i.e. otherwise in breach of the DPA 2018 and GDPR).
  • the personal data has to be erased in order to comply with a legal obligation.
  • the personal data is processed in relation to the offer of information society services to a child.

This right is not limited to processing that causes unwarranted and substantial damage or distress. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.

We can refuse to comply with a request for erasure where the personal data is processed for the following reasons:

  • to exercise the right of freedom of expression and information;
  • to comply with a legal obligation for the performance of a public interest task or exercise of official authority or public health purposes in the public interest;
  • archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
  • the exercise or defence of legal claims.

Please note that the right to be forgotten does not apply to special category data, i.e. your medical record.

For further information or to apply for an erasure please click here

The right to restrict processing

When does the right to restrict processing apply?

We will be required to restrict the processing of personal data in the following circumstances:

  • where you contest the accuracy of the personal data, we should restrict the processing until verifying the accuracy of the personal data.
  • where you have objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether we have legitimate grounds to override your rights.
  • when processing is unlawful and you oppose erasure and request restriction instead.
  • if we no longer need the personal data but you require the data to establish, exercise or defend a legal claim.

For further information or to apply for a restriction please contact the Information Governance Team at

The right to data portability

The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services.

It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

When does the right to data portability apply?

The right to data portability only applies:

  • to personal data you have provided to the trust;
  • where the processing is based on your consent or for the performance of a contract; and
  • when processing is carried out by automated means.

For further information please contact the Information Governance Team at

The right to object

You have the right to object to the following:

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
  • direct marketing (including profiling); and
  • processing for purposes of scientific/historical research and statistics.

You must have an objection on “grounds relating to your particular situation”.

We will stop processing the personal data unless:

  • we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
  • the processing is for the establishment, exercise or defence of legal claims.

Your right to object to the processing of personal data for direct marketing purposes

We will stop processing personal data for direct marketing purposes as soon as we receive an objection. There are no exemptions or grounds to refuse.

Your right to object to processing personal data for research purposes

You must have “grounds relating to your particular situation” in order to exercise your right to object to processing for research purposes.

If we are conducting research where the processing of personal data is necessary for the performance of a public interest task, we are not required to comply with an objection to the processing.

For further information please contact the Information Governance Team at

Right to know if we carry out automated decision making and profiling

We do not carry out profiling and/or automated decision-making and document this in our data protection policy.

For further information please contact the Information Governance Team at