The NHS defines direct care as a: Clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals.
The KMCR allows authorised health and care workers easy access to information that is critical to support decision making about your care and treatment and providing integrated care; this may include preventative action.
The KMCR includes information about:
- current health or care issues
- results of any recent tests
- details on assessments and plans created for care or treatment
- information about social care or carer support
Categories of personal information
The personal data that is collected and shared for the purposes of direct care includes:
Person Identifiable Data: basic details about yourself e.g. Forename, Surname, Address, Date of Birth, Gender, Age, Postal Address, Postcode, Telephone Number, Email address, NHS Number and Hospital ID.
Special categories of Personal Data: Racial or Ethnic origin, Physical/Mental health or condition. For example, contact we have had with you such as appointments or clinic visits; notes and reports about your health, treatment and care; results of x-rays, scans and laboratory tests; relevant information from people who care for you and know you well such as health staff and relatives /carers; alerts and/or notifications for example high risk medicines.
Criminal Offence Data: summary offence data for patients being managed on inpatient units within mental health trusts, summary offence data and forensic histories of citizens accessing the criminal liaison service when in police custody.
Third Party Identifying Data: basic details about other individuals that may be involved in providing your care or support services, e.g. emergency contacts, relatives, mobility service providers, home care support.
It is essential that your details are accurate and up to date. Always check that your personal details are correct and please inform us of any changes as soon as possible. If you think any information is inaccurate or incorrect then please contact your health or care provider to discuss this further. This could be your GP practice or the health or social care staff that provided, or are currently providing, your treatment and care.
What is the lawful basis for the sharing?
The processing (accessing/sharing/amending) of personal data for direct care purposes is permitted under Articles 6(1)(c), 6(1)(d) and 6(1) (e) of the UK General Data Protection Regulation (UK GDPR) and UK Data Protection Act 2018 (DPA).
- Article 6(1)(c) Legal Obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Article 6(1)(d) Vital Interest: processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Article 6(1)(e) Public Task: the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The processing of special categories of personal data via the KMCR system is permitted under Article 9 (2) (b) and (h) and Article 10 (criminal convictions) of the UK GDPR and the UK Data Protection Act 2018 (DPA):
- Article 9(2)(b) Legal Obligation: processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.
- Article 9(2)(h) Direct Care and Administration: processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards.
The legal obligation relies on the Health and Social Care Act 2012 s251(b) (as amended by the Health and Social Care (Safety and Quality) Act 2015 which created a statutory ‘duty to share’).
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality” to keep information about you confidential.
Article 10 Criminal Convictions and Offences: Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.
Note: Criminal offence data is limited to that which relates to your health or care, a comprehensive register of criminal convictions will not be kept and the condition of Article 10 of the UK GDPR as well as s10(5) of the DPA 2018 has been fulfilled.