How we use your information

NHS Kent and Medway Integrated Care Board (ICB) is responsible for the planning and buying (also known as commissioning) of healthcare services in that ICS area, bringing the NHS together locally to improve population health and care.

We also monitor the performance and quality of these services. In general, we only use data that has been anonymised (identifiable details removed) or pseudonymised for these purposes. Please see our Information the ICB collects and how we use it section for more information about these definitions.

The ICB is a controller under the terms of the UK General Data Protection Regulations (GDPR)/Data Protection Act 2018 (the Act). This means we are legally responsible for ensuring all personal information we process, hold, obtain, record, use or share about you is carried out in compliance with data protection principles.

All controllers must register with the Information Commissioner's Office (ICO). Our ICO Data Protection Register number is ZB346663 and our entry can be found in the Data Protection Register on the Information Commissioner's Office website.

We are committed to protecting your privacy and will only process personal, confidential data in accordance with data protection legislation.

This includes ensuring the ICB complies with the UK General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018.

In addition, consideration will also be given to all applicable law concerning privacy, confidentiality, the processing and sharing of personal data including:

• the Human Rights Act 1998
• the Health and Social Care Act 2012 as amended by the Health and Social Care (Safety and Quality) Act 2015 which created a 'duty to share'
• Privacy and Electronic Communications (EC Directive) Regulations.

Further, everyone working for the NHS has a legal duty to keep information about you confidential and comply with the Common Law Duty of Confidentiality. The information we do hold about you is protected from unauthorised access. Under the NHS Confidentiality Code of Conduct, all our staff are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.

The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

All information we hold about you will be held securely and confidentially. We use administrative and technical controls to do this, such as issuing encrypted secure IT equipment to all staff. We use strict controls to make sure only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.

All of our staff, contractors and committee members receive appropriate and on-going data security awareness training to make sure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

Under the General Data Protection Regulations (GDPR) and Data Protection Act 2018, the ICB as a public authority must appoint a data protection officer (DPO). All ICBs must also appoint a Caldicott Guardian and Senior Information Risk Owner (SIRO).

Data Protection Officer (DPO)

The ICB's data protection officer is our Head of Information Governance, Dan Clement.

The DPO's minimum tasks are defined in Article 39 of the GDPR:

• To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
• To monitor compliance with GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments, train staff and conduct internal audits.
• To be the first point of contact for supervisory authorities and for individuals whose data is processed.

Caldicott Guardian

All NHS organisations are required to appoint a Caldicott Guardian to provide compliance with patient data confidentiality. The ICB's Caldicott Guardian is our Chief Nurse, Paul Lumsdon, who is responsible for protecting the confidentiality of patients' and service users' information and enabling appropriate information sharing.

The Caldicott Guardian plays a key role in making sure the ICB satisfies the highest possible standards for handling personal information.

Acting as the conscience of an organisation, the Caldicott Guardian supports work to enable information sharing where it is appropriate and advises on options for lawful and ethical processing of information.

Senior Information Risk Owner (SIRO)

In addition to the Caldicott Guardian, the ICB also has a SIRO who owns the ICB's overall information risk policy and risk assessment process. This involves making sure there are robust incident reporting processes for any information risks identified by the ICB. The ICB's SIRO is Mike Gilbert, Director of Corporate Services. The Deputy SIRO is Dan Clement, Head of Information Governance.

Your doctor and other health professionals caring for you, such as nurses or physiotherapists, keep records about your health and treatment, the care they have provided, or plan to provide to you, so they are able to provide you with the best possible care.

These records are called your health care record and may be stored in paper form or on an electronic system. They may include:

• details about you, such as your address, date of birth, NHS number, and next of kin,
• details of the contacts we have had with you, such as clinical visits,
• notes and reports about your health,
• records about your treatment and care, results of x-rays, laboratory tests etc.

Your health care records are used for the following reasons:

• by healthcare professionals looking after you to have accurate and up-to-date information to help them decide on any future care you may need
• to make sure accurate and complete information is available, should you see another doctor or be referred to a specialist or another part of the NHS,
• to have a good basis for assessing the type and quality of care you have received,
• to make sure your concerns can be properly investigated if you need to complain.

Visit our how the NHS uses patient data page.

The law provides some NHS bodies, such as NHS England (NHSE), the ability to collect and use unidentifiable  patient data which they can then provide to help commissioners (ICBs) to design and acquire the combination of services that best suit the population they serve.

Data may be linked and anonymised by these bodies so it can be used to improve health care and development and monitor NHS performance. This is often referred to as a secondary use of data. Where data is used for these statistical purposes, rigorous measures are taken to ensure patients cannot be identified (please see our Information the ICB collects and how we use it  section for more information regarding anonymisation).

For the majority of the ICB's work, we do not need to use personal/confidential data of individuals who live in our community, and this is our preferred way of working. It should be noted that information which cannot identify an individual is not covered by data protection law. There are different types of information collected and used across the ICB as follows;

Identifiable - information which contains personal details that identify individuals such as name, address, email address, NHS Number, full postcode, date of birth.

Pseudonymised - individual level information where individuals can be distinguished by using a coded reference, which does not reveal their 'real world' identity

Anonymised - data which is about you but from which you cannot be personally identified.

Aggregated - grouped information about individuals that has been combined to show general trends or values without identifying individuals

Use of anonymised and aggregated data 

We use anonymised and aggregated data to plan health care services, including: 

• to check the quality and efficiency of the health services we commission,
• to prepare performance reports on the services we commission,
• checking NHS accounts and services,
• working out what illnesses people will have in the future so we can work with local services to make sure patients' needs are met,
• reviewing the care we commission to make sure it is of a high standard.

Use of pseudonymised (de-identified) information

We use pseudonymised information in our role, including:

• Commissioning
  • to plan, design, purchase and pay for the best possible care available for you;
  • to look at the care provided by different providers across our area to make sure that together they support the needs of the local population; performance manage contracts;
  • to prepare statistics on NHS performance to understand health needs and support service redesign, modernisation and improvement;
  • to help us plan future services to ensure they continue to meet our local population needs.
• Population Health Management - requires health and social care organisations to work together with communities and partner agencies. The information is used to understand and improve the overall health outcomes of a population by addressing broader health needs, identifying at-risk groups, and designing preventive and management strategies. Only de-identified information is made available to the ICB for the purposes of providing evidence-based care interventions.

Use of personal information

As an ICB, we do not routinely hold or have any access to medical records.  The provider of your healthcare for example an Acute Trust, or GP would hold this information.  However, we may need to hold some information about you, for example:  

• If you have made a complaint to us about healthcare that you have received, and we need to investigate
• If access to specific treatments is regulated via eligibility criteria which include the Individual Funding Request process
• If you ask us to provide funding for Continuing Healthcare or Personal Health Budget services
• If you ask us for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care
• If you ask us to keep you regularly informed and up to date about the work of the ICB, or if you are actively involved in our engagement and consultation activities or service user participation groups
• In circumstances where our safeguarding staff are involved in the most serious cases.
• Where our Quality teams are undertaking monitoring visits, limited clinical information may be accessed in a de-identified form.
• Where information processing falls within the ICBs infection control oversight functions.
• Staff personal confidential information for employment purposes

Full details on each data flow are included in the Record of Processing Activities (ROPA).

The GDPR/Data Protection Act 2018 provides the following rights for individuals depending on the legal basis for processing (as identified in the  ROPA.):

• right to be informed
• right of access (please see our 'Subject access requests tab' for further details)
• right to rectification
• right to erasure
• right to restrict processing
• right to data portability
• right to object
• rights related to automated decision making including profiling.

Further information on these rights can be accessed on the ICO website.

If you would like to exercise any of your rights, please contact the Information Governance team in the first instance  kmicb.ig@nhs.net   

You should be aware that the ICB may not be able to comply with your requests in every circumstance, such as where the ICB has compelling legitimate grounds for the processing which override the interests, rights and freedoms in the right to object.

Please go to the subject access requests webpage for more information.

Retention

Any information obtained by the ICB will be retained for as long as is necessary for the purpose we collected it for.

Records are kept in accordance with Data Protection Act 2018 principles and are maintained in line with the Records Management Code of Practice for Health and Social Care retention schedule which determines the length of time records should be kept. 

Destruction

Destruction of data will only happen following a review of the information at the end of its retention period. Where data has been identified for disposal we have the following responsibilities to:

• make sure information held in manual form (regardless of whether originally or printed from the IT systems) is destroyed using a reputable confidential waste company that complies with European Standard EN15713
• make sure electronic storage media used to hold or process information are destroyed or overwritten to current CESG standards
• retain copies of all relevant overwriting verification reports and/or certificates of secure destruction of NHS information at the conclusion of the contract (where we have contracted with external organisations to do this for us)
• make sure any arrangement made to sub-contract secure disposal services from another provider, complies with clause GC12 of the NHS Standard Contract and with assurance that the sub-contractor's organisational and technical security measures comply with the Data Protection Act 2018.

This notice is not exhaustive, however, we are happy to provide any additional information or explanation needed.

Requests for this should be sent to the Data Protection Officer, Dan Clement  at kmicb.dpo@nhs.net:

Kent and Medway ICB
Gail House, 
Lower Stone Street,
Maidstone, 
Kent 
ME15 6NB

Telephone: 01634 335020

For independent advice about data protection, privacy and data-sharing issues, or to make a complaint about how your data is used and processed, you can contact:

The Information Commissioner
Wycliffe House, Water Lane,
Wilmslow, Cheshire SK9 5AF
Phone: 08456 30 60 60 or 01625 545745
ICO website

Reviews and changes to this page

We will keep our privacy notice under regular review. This privacy notice was last reviewed in June 2025 .