Privacy notices

A ‘privacy notice’ lets you know what happens to any personal data that you may give us or that we may collect from you or about you (as a patient, family member, carer or visitor). This notice is issued by Kent and Medway NHS and Social Care Partnership Trust as a healthcare provider, and covers the data we hold about our patients, their families and other individuals who may use our services. A separate privacy notice is available for personal data we collect about staff as part of our responsibilities as an employer.

KMPT provides a number of different mental health services to people living in Kent and Medway. Our services are more specialised than services provided by General Practitioners. Most of our mental health services are provided through:

• Community based teams
• Outpatient clinics
• Inpatient units

Community services and inpatient/outpatient units are generally split into services for working age adults and services for older adults over local areas. In addition to our community and inpatient/outpatient services, we also provide a number of specialist services across the county including mental health services for people with learning disabilities.

We currently work as a partnership organisation for mental health services, our partners include:

• Integrated Care Boards (ICBs)
• Commissioning Support Units
• General Practitioners (GPs)
• Ambulance Services
• Acute Hospital Trusts
• Mental Health Social Services
• Local Authorities

Our Trust is registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information under the UK Data Protection Act 2018 and our registration number is Z9417133.

We are committed to being open about the data we collect about you, how we use this data, with whom we share it, and how we store and secure it. We recognise the importance of protecting personal data in all that we do, and take care to meet our legal and other duties, including compliance with relevant law, regulations and guidance.

Personal information, is information which can be used to identify you. This will include, who you are, where you live, what you do, your family, possibly your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, where you are seen and when you are seen, who by, referrals to and from specialists and other healthcare providers, tests carried out both here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals in this organisation who are appropriately involved in your healthcare.

We may collect your information for a number of reasons, however when we collect the information we will discuss with you the specific reasons why. Reasons for collecting your information will include:

• to provide Healthcare Services
• to keep Accounts and Records relating to our activities
• to take part in appropriate research within the Health Sector
• to provide educating and training to our staff to ensure good quality services
• to enable us to audit our services and prepare statistics on NHS performance
• to assist in reviewing the care provided and ensuring services meet the needs of the users

We may supplement or add to the information we hold about you with information that is available through, or we receive from, other sources e.g. third party organisations such as local authorities and charities.

These records help us to deliver our services and manage our activities. They may be written down (manual/paper records), held on a computer in electronic form or as part of an information system.

As part of our requirements under the law, KMPT must demonstrate a clear legal reason for collecting, using, sharing and retaining personal data about you. For personal data used in the provision of health and social care our basis is outlined as ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’ under 6(1)(e) of UK GDPR. This is because KMPT is a public organisation providing a healthcare service and is required to use names, addresses or other personal data to deliver this service.

Our legal basis for using sensitive personal data (called ‘special categories of personal data’ under UK GDPR) is that this is necessary for the ‘provision of health or social care or treatment or the management of health of social care systems and services’ under 9(2)(h) of UK GDPR. This is because KMPT must use health and social care information about you or your child in the delivery of their care.

Furthermore, these points cover the use of data for clinical audits, service improvement and sharing with other health or social care providers when necessary as part of our service delivery.

There may be times when KMPT uses other different legal bases for other services it provides (e.g. research). A more detailed outline of the range of legal bases for processing information and the circumstances in which they arise, are set out in Annex 1.

Under the Data Protection Act 2018 and the UK General Data Protection Regulations (UK GDPR), strict principles govern our use of information and our duty to ensure it is kept safe and secure. Information at KMPT may be stored within electronic or paper records, or a combination of both, for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and other government guidance. All our records are restricted so that only those individuals who have a need to know the information can get access. This might be through the use of technology or other environmental safeguards.

Everyone working for the NHS is subject to the common law duty of confidentiality. This means that any data collected about you will only be used in connection with the purpose for which it was provided, unless we have explicit consent from you (or a person with a legal right to provide it) or there are other special circumstances covered by law.

All staff are required to undertake annual Information Governance training and, where appropriate, additional training in line with their responsibilities. Staff are reminded throughout the year of various aspects of their responsibilities.

Our IT systems are provided either in-house or by specific suppliers who are required to manage the data securely in a manner compliant with the Data Protection Act 2018 legislation.

We have perimeter and internal protection of our IT systems and monitor access and security in a proactive manner. Only individuals with legitimate reasons are allowed access to areas storing personal data.

Every NHS organisation has a senior person who is responsible for protecting the confidentiality of your personal data and enabling appropriate sharing. This person is known as the Caldicott Guardian. The Chief Medical Officer currently fulfils this role within KMPT.

We work as a partnership organisation for mental health services and may need to share some clinical information with other groups of professionals involved in the provision of care. Please be reassured, we will only use or pass on information where there is a genuine need for it.

Your treatment and care may involve a team, which includes doctors, nurses, therapists, some administrative staff and other health and social care professionals, including your GP. Information about you may be shared to assist those who have an interest in your care or treatment. Your information will only be passed on to those who have a need-to-know and be shared in a secure manner.

Your information may also be shared, subject to strict agreements describing how it will be used with:

• Social Services
• Local Authorities
• Voluntary Sector Providers
• Private Sector Providers

We will not disclose your information to any other organisation without your permission unless there are exceptional circumstances, such as when the health or safety of yourself or others is at risk or where the law requires it to be passed on.

We are required by law to report certain information to the appropriate authorities and occasions when this is the case include:

• Where we encounter infectious diseases which may endanger the safety of others such as meningitis or measles (but not HIV/ AIDS)
• Where a formal court order has been issued
• Where disclosure is necessary to protect either yourself or someone else from harm

Whatever the reason for sharing information, we will ensure it is done so securely and lawfully.

People who have access to your information will only normally have access to that which they need to fulfil their roles, for instance admin staff will normally only have a limited access to your information, whilst your clinical treating team will be able to access the full record.  All access to your information is logged within the system and is auditable.

You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests.

We strive to make the best use of digital technology to deliver great patient care. In 2011 we introduced a new electronic patient record (EPR) system provided by The Access Group.

We work as a partnership organisation for mental health services and may need to share some clinical information with other groups of professionals involved in the provision of care. In order to enable us to do this safety and securely, KMPT have joined together with the Integrated Care Boards, Hospital Trusts, Community Trusts and GP Practices based within the Kent and Medway area to commission the Kent and Medway Care Record. The system provided by Graphnet, brings together patient/client’s information across health and social care organisations in a secure manner, giving a summary of your information from within a number of local records.

The Kent and Medway Care Record allows authorised workers in health and social care, easy access to your information that is critical to support decision-making about your care and treatment.

It shares important information about your health and care including:

• Any current health or care issues
• Your medications
• Allergies you may have
• Results of any recent tests that you may have had
• Details on any plans created for your care or treatment
• Information on any social care or carer support you may receive

The Kent and Medway Care Record pulls your information from several important areas of health and care including:

• Primary care e.g. GP practices
• Community services
• Mental health services
• Social care
• Secondary care e.g. hospitals
• Specialist services e.g. South East Ambulance services

Please be reassured, that only those with a legitimate need to access your information for direct care purposes will be able to. Every time someone accesses your record they will leave what we call an ‘audit trail’. These ‘audit trails’ are monitored regularly and if anyone is found to have accessed your record inappropriately, then disciplinary action will be taken.

Access to your personal data for scientific or research purposes is subject to strict research and information governance frameworks and for these purposes only de-identified data is routinely used.

In limited circumstances staff employed by an external organisation will require access to KMPTs EPR in order to support the delivery of immediate and direct clinical care. Personal data within the EPR is made available to these external NHS partners under strict governance controls at both an organisation and individual access level.

Where we are relying on your explicit consent to process information about you, you have the right to refuse (or withdraw) from information sharing at any time. This is also referred to as ‘opting out’. If you choose to prevent your information from being disclosed to other authorised professionals involved in your care, it might mean the care that can be provided is limited and, in certain circumstances, it may not be possible to offer certain treatment options. The possible consequences of withholding your consent will be fully explained to you at the time should this situation occur.

You also have the right to ‘opt out’ of having your information used in any mandatory audits which KMPT is subjected to. If this is the case, you should write to our Information Governance team (using the information provided below) with your name, address and date of birth.

Within KMPT the Information Governance team can be contacted using the email address: kmpt.infoaccess@nhs.net.  

Under data protection law you have certain rights in relation to the personal information that we hold about you. These include rights to know what information we hold about you and how it is used. You may exercise these rights at any time by contacting us using the details set out below.

Your rights include:

The right to access personal information about you

You are usually entitled to a copy of the personal information we hold about you and details about how we use it.

The right to rectification

We take reasonable steps to ensure that the information we hold about you is accurate and complete. At any attendance we will confirm your contact details we hold. However, if you do not believe we have correct information, you can ask us to update or amend it.

The right to erasure (also known as the right to be forgotten)

In some circumstances, you have the right to request that we delete the personal information we hold about you or your child. However, there are exceptions to this right and in certain circumstances we can refuse to delete the information in question. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercise or defending legal claims.

The right to restriction of processing

In some circumstances, we must "pause" our use of your personal data if you ask us to. We do not have to comply with all requests to restrict our use of personal information. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercise or defending legal claims.

The right to data portability

In some circumstances, we must transfer to you or (if this is technically feasible) another individual/ organisation of your choice personal information that you have provided to us. The information must be transferred in an electronic format and this will be done via a secure transfer.

The right to object to marketing

KMPT does not use any personal data for marketing.

The right not to be subject to automatic decisions (i.e. decisions that are made about you by computer alone)

You have a right to not be subject to automatic decisions (i.e. decisions that are made about you by computer alone) that have a legal or other significant effect on either party.

If you have been subject to an automated decision and do not agree with the outcome, you can challenge the decision.

The right to withdraw consent

In some cases we need your explicit consent in order for our use of your personal information to comply with data protection legislation.

Although consent is not our legal basis for processing data for healthcare purposes, we would always encourage you to contact us using the details below if you have any concerns with regards to how personal data is used.

The right to complain to the Information Commissioner's Office

You can complain to t The right to complain to the Information Commissioner's Office he Information Commissioner's Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations. These details are below.

Making a complaint will not affect any other legal rights or remedies that you have.

We will only keep your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice and in order to comply with our legal and regulatory obligations. A summary of the legal retention periods of NHS records can be found in the Records Management Code of Practice for Health and Social Care.

If you would like further information regarding the periods for which your personal information will be stored, please contact our DPO for further details.

Under the terms of the Data Protection Act 2018 and the UK General Data Protection Regulation, you have the right to request access to the information that we hold about you.

To support you through the process you can contact our Information Governance Team through our website where you can also submit a request: KMPT | Access to healthcare records

Or you can contact our Information Governance Team directly by emailing kmpt.infoaccess@nhs.net

If you have any queries or concerns regarding the information that we hold about you or you have a question regarding this privacy notice, please contact our Information Governance team including your name and DOB:

Email: info.access@nhs.net

You can also find details of our registration with the Information Commissioner’s Office online

Our ICO registration number is Z9417133.

You have the right to make a complaint if you feel unhappy about how we hold, use or share your information. We would recommend contacting our Information Governance team initially to talk through any concerns that you have.

It may also be possible to resolve your concerns through a discussion with our Patient Advice and Liaison Service (PALS) before (or without the need to start) a more formal process: KMPT | Compliments and complaints

If you remain dissatisfied following the outcome of your complaint, you may then wish to contact the Information Commissioner’s Office:

Post: Wycliffe House, Water Lane,
Wilmslow, Cheshire, SK9 5AF
Web: https://ico.org.uk/concerns/
Phone: 0303 123 1113

Please note that the Information Commissioner will not normally consider an appeal until you have exhausted your rights of complaint to us directly. Please see the website above for further advice.