Live testing
Ahead of any partner organisation flowing information into the live Kent and Medway Care Record (KMCR) system, it is essential that the feed of data is tested to make sure it meets the data field requirements and allows a smooth flow of data into the platform.
Where possible, Graphnet will request dummy or fictional data from the controller organisation to use within the test environment, however, this sample may not provide adequate variations to meet and test all data feed specifications sufficiently.
In these circumstances, a sample of live patients from the controller’s source system may be used to meet the test criteria. All such data will be deleted from the test system immediately upon completion of the tests, and in any event no later than two weeks following completion of the test process. The information governance lead for the controlling organisation will maintain responsibility for assessing and approving the case for using live test data.
Categories of personal information
The personal data that is collected and shared for the purposes of live testing includes:
- person identifiable data include basic details about yourself such as forename, surname, address, date of birth, gender, age, postal address, postcode, telephone number, email address, NHS number and hospital ID
- special categories of personal data include racial or ethnic origin, physical/mental health or condition. For example, contact we have had with you such as appointments or clinic visits; notes and reports about your health, treatment and care; results of x-rays, scans and laboratory tests; relevant information from people who care for you and know you well such as health staff and relatives /carers; alerts and/or notifications for example high risk medicines.
What is the lawful basis for processing?
The processing of personal data for the purposes of live testing is permitted under UK GDPR Article 6(1)(f) of the UK General Data Protection Regulation (UK GDPR) and UK Data Protection Act 2018 (DPA):
- Article 6(1)(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests.
The processing of special categories of personal data for live testing should be avoided at all times. However, if this is considered an absolute necessity it will be processed under the following Article 9 condition:
- Article 9(2)(h) Direct care and administration: processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards.