Fair processing (privacy) notice
This privacy notice tells you about information we obtain, hold and use about you. It describes what we do with it, how we will look after it and who we share it with. It covers information we collect directly from you as well as information we may get from other individuals or organisations.
NHS Kent and Medway Integrated Care Board (ICB) is responsible for the planning and buying (also known as commissioning) of healthcare services in its integrated care system (ICS) area, bringing the NHS together locally to improve population health and care.
We also monitor the performance and quality of these services. In general, we only use data that has been anonymised (identifiable details removed) or pseudonymised for these purposes. Please see our ‘Information the ICB collects and how we use it’ section for more information about these definitions.
The ICB is a controller under the terms of the UK General Data Protection Regulation (GDPR) / Data Protection Act 2018 (the Act). This means we are legally responsible for ensuring all personal information we process, hold, obtain, record, use or share about you is handled in compliance with the data protection principles.
All controllers must register with the Information Commissioner’s Office (ICO). Our ICO Data Protection Register number is ZB346663 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.
We are committed to protecting your privacy and will only process personal, confidential data in accordance with data protection legislation.
This includes ensuring the ICB complies with the UK General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018.
In addition, consideration will also be given to all other applicable law concerning privacy, confidentiality and the processing and sharing of personal data, including:
- the Human Rights Act 1998
- the Health and Social Care Act 2012, as amended by the Health and Social Care (Safety and Quality) Act 2015, which created a ‘duty to share’
- the Privacy and Electronic Communications (EC Directive) Regulations
Further, everyone working for the NHS has a legal duty to keep information about you confidential and comply with the Common Law Duty of Confidentiality. The information we do hold about you is protected from unauthorised access. Under the NHS Confidentiality Code of Conduct, all our staff are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.
The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.
All information we hold about you will be held securely and confidentially. We use administrative and technical controls to do this, such as issuing encrypted secure IT equipment to all staff. We use strict controls to ensure only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.
All of our staff, contractors and committee members receive appropriate and on-going data security awareness training to make sure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.
Under the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018, the ICB as a public authority must appoint a data protection officer (DPO). All ICBs must also appoint a Caldicott Guardian and a Senior Information Risk Owner (SIRO).
Data Protection Officer (DPO)
The ICB’s data protection officer is our Head of Information Governance, Dan Clement.
The DPO’s minimum tasks are defined in Article 39 of the GDPR:
- To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
- To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed.
Caldicott Guardian
All NHS organisations are required to appoint a Caldicott Guardian to ensure compliance with patient data confidentiality. The ICB’s Caldicott Guardian is our Chief Nurse, Paul Lumsdon, who is responsible for protecting the confidentiality of patients’ and service users’ information and enabling appropriate information sharing.
The Caldicott Guardian plays a key role in ensuring the ICB satisfies the highest possible standards for handling personal information.
Acting as the conscience of an organisation, the Caldicott Guardian supports work to enable information sharing where it is appropriate and advises on options for lawful and ethical processing of information.
Senior Information Risk Owner (SIRO)
In addition to the Caldicott Guardian, the ICB also has a SIRO who owns the ICB’s overall information risk policy and risk assessment process. This involves making sure there are robust incident reporting processes for any information risks identified by the ICB. The ICB’s SIRO is Mike Gilbert, Director of Corporate Services. The Deputy SIRO is Dan Clement, Head of Information Governance.
Your doctor and other health professionals caring for you, such as nurses or physiotherapists, keep records about your health and treatment, the care they have provided, or plan to provide to you, so they are able to provide you with the best possible care.
These records are called your health care record and may be stored in paper form or on an electronic system. They may include:
- details about you, such as your address, date of birth, NHS number, and next of kin,
- details of the contacts we have had with you, such as clinical visits,
- notes and reports about your health,
- records about your treatment and care, results of x-rays, laboratory tests etc.
Your health care records are used for the following reasons:
- by healthcare professionals looking after you to have accurate and up-to-date information to help them decide on any future care you may need
- to make sure accurate and complete information is available, should you see another doctor or be referred to a specialist or another part of the NHS,
- to have a good basis for assessing the type and quality of care you have received,
- to make sure your concerns can be properly investigated if you need to complain.
The law provides some NHS bodies, such as NHS England (NHSE), the ability to collect and use unidentifiable patient data which they can then provide to help commissioners (ICBs) to design and acquire the combination of services that best suit the population they serve.
Data may be linked and anonymised by these bodies so it can be used to improve and develop health care and to monitor NHS performance. This is often referred to as a secondary use of data. Where data is used for these statistical purposes, rigorous measures are taken to ensure patients cannot be identified (please see our ‘Information the ICB collects and how we use it’ section for more information regarding anonymisation).
For the majority of the ICB's work, we do not need to use personal/confidential data of individuals who live in our community, and this is our preferred way of working. It should be noted that information which cannot identify an individual is not covered by data protection law. There are different types of information collected and used across the ICB, as follows:
- Identifiable – information which contains personal details that identify individuals, such as name, address, email address, NHS Number, full postcode and date of birth.
- Pseudonymised – individual-level information where individuals can be distinguished by using a coded reference which does not reveal their ‘real world’ identity.
- Anonymised – data which is about you but from which you cannot be personally identified.
- Aggregated – grouped information about individuals that has been combined to show general trends or values without identifying individuals.
Use of anonymised and aggregated data
We use anonymised and aggregated data to plan health care services, including:
- to check the quality and efficiency of the health services we commission,
- to prepare performance reports on the services we commission,
- checking NHS accounts and services,
- working out what illnesses people will have in the future so we can work with local services to make sure patients' needs are met,
- reviewing the care we commission to make sure it is of a high standard.
Use of pseudonymised (de-identified) information
We use pseudonymised information in our role, including:
- Commissioning – to plan, design, purchase and pay for the best possible care available for you:
  - to look at the care provided by different providers across our area to make sure that together they support the needs of the local population, and to performance manage contracts;
  - to prepare statistics on NHS performance to understand health needs and support service redesign, modernisation and improvement;
  - to help us plan future services to ensure they continue to meet our local population's needs.
- Population Health Management – requires health and social care organisations to work together with communities and partner agencies. The information is used to understand and improve the overall health outcomes of a population by addressing broader health needs, identifying at-risk groups, and designing preventive and management strategies. Only de-identified information is made available to the ICB for the purposes of providing evidence-based care interventions.
Use of personal information
As an ICB, we do not routinely hold or have any access to medical records. The provider of your healthcare, for example an acute trust or GP, would hold this information. However, we may need to hold some information about you, for example:
- If you have made a complaint to us about healthcare that you have received, and we need to investigate
- If access to specific treatments is regulated via eligibility criteria which include the Individual Funding Request process
- If you ask us to provide funding for Continuing Healthcare or Personal Health Budget services
- If you ask us for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care
- If you ask us to keep you regularly informed and up to date about the work of the ICB, or if you are actively involved in our engagement and consultation activities or service user participation groups
- In circumstances where our safeguarding staff are involved in the most serious cases.
- Where our Quality teams are undertaking monitoring visits, limited clinical information may be accessed in a de-identified form.
- Where information processing falls within the ICBs infection control oversight functions.
- Staff personal confidential information for employment purposes
Full details on each data flow are included in the Record of Processing Activities (ROPA).
The GDPR / Data Protection Act 2018 provides the following rights for individuals, depending on the legal basis for processing (as identified in the ROPA):
- right to be informed
- right of access (please see our ‘Subject access requests’ tab for further details)
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object
- rights related to automated decision making including profiling.
Further information on these rights can be accessed here.
If you would like to exercise any of your rights, please contact the Information Governance team in the first instance at kmicb.ig@nhs.net.
You should be aware that the ICB may not be able to comply with your requests in every circumstance, e.g. where the ICB has compelling legitimate grounds for the processing which override the interests, rights and freedoms in the right to object.
Please go to the subject access requests page for more information.
Confidential information can be used for improving health, care and services including:
- planning to improve health and care services
- research, for example to find a cure for serious illnesses.
However, the NHS Constitution states ‘you have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered’.
There are several forms of opt-outs available at different levels:
Type 1 opt-out
If you do not want personal confidential information that identifies you to be shared outside your GP practice, you can register a ‘Type 1 opt-out’ with your GP practice. This prevents your personal confidential information from being used except for your direct health care needs and in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease. You can only register this opt-out at your GP practice; your records will be flagged with a particular code that stops them from being shared outside your GP practice. Existing type 1 opt-outs will continue to be respected until the Department of Health and Social Care conducts a consultation with the National Data Guardian on their removal.
National data opt-out (NDOO)
The NDOO was introduced on 25 May 2018 and replaces the previous ‘type 2’ opt-out.
NHS England (NHSE) collects information from a range of places where people receive care, such as hospitals and community services. The information collected about you when you use these services can then be used and shared with other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
The NDOO provides a facility for individuals to opt out from the use of their data for research or planning purposes. Anyone who had an existing type 2 opt-out will have had it automatically converted to a national data opt-out from 25 May 2018.
Objections will be respected, except in very limited circumstances such as:
- You have given explicit permission for a particular use of data (e.g. a research project)
- Data is anonymised or aggregated, and is therefore not personal data
- We are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime
- It is necessary to protect children and vulnerable adults from harm
- A formal court order has been served upon us
- For the health and safety of others, for example to report an infectious disease like meningitis or measles
You have the right to refuse/withdraw consent to information sharing at any time, and your decision will not affect your individual care.
All NHS organisations in England must comply with the NDOO from 30 September 2020. Essentially this means that NHS Kent and Medway ICB must always check whether any purpose for which it uses or shares patients’ personal information is one to which the NDOO applies. Where it is, the ICB will need to identify those patients that have opted out and exclude their information from use.
For the majority of the ICB's work, we do not need to use personal/confidential data. The applicability of the NDOO is therefore limited for the data processing carried out by the ICB. However, in order to ensure we maintain compliance with the NDOO, NHS Kent and Medway ICB will continually monitor its uses of confidential patient data to ensure that any to which the NDOO is likely to apply are identified as quickly as possible. This is done via the ICB’s work on Information Asset review.
Please see our National Data Opt Out application to ICB data flows. This is a breakdown of when the ICB does use personal/confidential data and whether the NDOO is applied to that data processing.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will also:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
Retention
Any information obtained by the ICB will be retained for as long as is necessary for the purpose we collected it for.
Records are kept in accordance with Data Protection Act 2018 principles and are maintained in line with the Records Management Code of Practice for Health and Social Care retention schedule which determines the length of time records should be kept.
Destruction
Destruction of data will only happen following a review of the information at the end of its retention period. Where data has been identified for disposal we have the following responsibilities to:
- ensure information held in manual form (regardless of whether originally or printed from the IT systems) is destroyed using a reputable confidential waste company that complies with European Standard EN15713,
- ensure electronic storage media used to hold or process information are destroyed or overwritten to current CESG standards,
- retain copies of all relevant overwriting verification reports and/or certificates of secure destruction of NHS information at the conclusion of the contract (where we have contracted with external organisations to do this for us),
- ensure any arrangement made to sub-contract secure disposal services from another provider complies with clause GC12 of the NHS Standard Contract, with assurance that the sub-contractor’s organisational and technical security measures comply with the Data Protection Act 2018.
This notice is not exhaustive, however, we are happy to provide any additional information or explanation needed.
Requests for this should be sent to the Data Protection Officer, Dan Clement at kmicb.dpo@nhs.net:
Kent and Medway ICB
Gail House,
Lower Stone Street,
Maidstone,
Kent
ME15 6NB
01634 335020
For independent advice about data protection, privacy and data-sharing issues, or to make a complaint about how your data is used and processed, you can contact:
The Information Commissioner
Wycliffe House, Water Lane,
Wilmslow, Cheshire SK9 5AF
Phone: 08456 30 60 60 or 01625 545745
www.ico.org.uk
Reviews and changes to this page
We will keep our privacy notice under regular review. This privacy notice was last reviewed in June 2025.