Whenever you use a health or care service, such as visiting your GP or attending hospital or using care services in the community, important information about you is collected in a patient/client record for that service. This is known as data processing for direct care purposes. Collecting this information makes sure you get the best possible care and treatment. 

If this information collected about you is used for and shared with other organisations for purposes beyond your individual care, this is known as data processing for Secondary (indirect) care purposes. 

Examples include:

  • planning, implementing and evaluating population health strategy - describing population health needs, understanding where the gaps are, the levels of ill health and reasons for them, and designing and implementing services to improve health.
  • managing finances, quality and outcomes - understanding costs of services delivered, allocating budgets to invest and improve them, and using information to ensure those services are fit for purpose.
  • risk stratification for early intervention and prevention - identifying which of our residents are in greatest need and ensuring our services are delivered in a timely and effective manner to improve their health.
  • co-ordinating and optimising patient or service user flows - using service activity data and contact data to optimise health care use by citizens of hospitals and other care facilities while improving health and care outcomes.
  • carrying out research: Working with approved researchers to use the best possible methods to analyse data and give useful recommendations for planning and delivery of services.
  • public health including analysis and reduction of healthcare inequalities, making sure delivery of health and healthcare services is equal and equitable for the whole population, for example, Health Checks Equity Audit (audit of access to relevant health services, and how related outcomes are distributed across the population). 

Using information as described can only happen when there is a reason supported by the law. Confidential information about your health and care is only used when a legal purpose has been identified.  

What is the lawful basis for the sharing?

The processing (accessing/sharing/amending) of personal data for secondary use purposes is permitted under Articles 6(1)(e) and 6(1)(f) of the UK General Data Protection Regulation (UK GDPR) and UK Data Protection Act 2018 (DPA):

  • Article 6(1)(e) Public Task: the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. 
  • Article 6(1)(f) Legitimate Interests: the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The legislation which underpins the reliance on Article 6(1)(e) will depend upon the organisation requesting the data for the purposes of carrying out its duties; in the absence of this Article 6(1)(f) will apply.

The processing of special categories of personal data via the KMCR system is permitted under Article 9(2)(h) and 9(2)(i) of the UK GDPR and the UK Data Protection Act 2018 (DPA):

  • Article 9(2)(h) Direct Care and Administration: processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards.  
  • Article 9(2)(i) Public Interest: processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality” to keep information about you confidential. Even though consent is not the legal basis for processing personal data for secondary purposes such as service evaluations and audit, the common law duty of confidentiality is not changing, therefore consent is still needed for people outside the care team to access and use confidential patient information for clinical audit, unless you have support under the Health Service (Control of Patient Information Regulations) 2002 (‘section 251 support’) applying via the Confidentiality Advisory Group in England and Wales or similar arrangements elsewhere in the UK.

Health and Care Analytics

Kent and Medway Shared Health and Care Analytics Board (SHcAB), a partnership of health and social care organisations who are instructed to use citizen’s data to help prevent ill health, encourage wellbeing and join up services to better meet the needs of the population of Kent and Medway. 

The SHcAB receive requests to use data collected routinely by organisations across the Kent and Medway Integrated Care System and make sure it is allowed by law. The information from more than one source may be joined together and used.   
Details of each project, including the legal basis, can be found Projects | Kent KERNEL (kmkernel.org).

SHcAB will on occasions seek to use data from the KMCR, but the data will always be anonymised or pseudonymised to protect the identity of the individual. The research and analytics may be carried out by internal NHS or external research organisations, but both KMCR and SHcAB retain responsibility to protect the data and confidentiality of the care data.

Your NHS data matters and the national data opt-out

The national data opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning. Visit the website to find out more information or to opt-out of having your patient information being used for research and planning.  


Whenever you use a health or care service, such as attending Accident and Emergency or using community care services, important information about you is collected in a patient record for that service. Collecting this information helps to make sure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services.

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. 

Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information, you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters  

On this web page you will:

  • see what is meant by confidential patient information
  • find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • find out more about the benefits of sharing data
  • understand more about who uses the data
  • find out how your data is protected
  • be able to access the system to view, set or change your opt-out setting
  • find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • see the situations where the opt-out will not apply.

You can also find out more about how patient information is used at:
www.hra.nhs.uk/information-about-patients which covers health and care research; and understandingpatientdata.org.uk/what-you-need-know which covers how and why patient information is used, the safeguards and how decisions are made.

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

KMCR is compliant with the national data opt-out policy.