General notice to cover adult social care and health
We keep this privacy notice under regular review and was last updated on 13 November 2024.
Kent County Council respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data and tell you about your privacy rights and how the law protects you.
Who we are
Kent County Council (KCC) collects, uses and is responsible for certain personal information about you. When we do so we are regulated under the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are responsible as ‘controller’ of that personal information. Our Data Protection Officer is Benjamin Watts.
Kent Adult Social Care and Health will work with you to promote your health and wellbeing, designing services together that both suit you and meet your needs. Kent aims to be a county of opportunity, where aspiration rather than dependency is supported and quality of life is high for everyone. We will work to understand and break down the barriers that stop this from happening.
Personal information we collect and use
Information collected by us
In the course of working with you, we may collect the following personal information when you provide it to us:
Personal data
- personal information such as your name, address, telephone number, date of birth, NHS number, gender, unique identifier
- contact details for members of your family and support network
- information about your finances, such as bank details, income, benefits
- photographs, to help inform an Occupational Therapy Assessment
Special categories of personal data
We also collect the following ‘special category data’ (personal data which is more sensitive and is treated with extra care and protection) when you provide it to us:
- Information about your racial or ethnic origin, religious or philosophical belief and your sexual orientation.
- Information about health conditions such as relevant information on medical records, disabilities or carers responsibilities that may apply to you.
- Information about you and your circumstances.
- Information about relevant health and safety concerns.
- Information about your needs and wishes.
We will obtain personally identifiable data from other sources in order to identify people who are vulnerable to the coronavirus, may require support as a result of the coronavirus or meet eligibility to be prioritised for vaccination based on the priority groups set by the Joint Committee on Vaccination and Immunisation. This includes personal information about individuals who do not meet our normal support criteria but have had their normal support from family or friends reduced or interrupted.
We will obtain information from the Government Digital Service (this may include data from the NHS and other departments), and we will also obtain it from providers of care homes, nursing homes, and domiciliary care services. We will additionally receive information from district and borough councils, voluntary and carer organisations.
We will obtain medical record information and information on allergens or dietary requirements from the NHS Summary Care Records to ensure we provide the right care and support for overnight stays at any of the Adult Short Breaks Service and ensure you are kept safe from harm. This may include relevant medical history. The NHS Summary Care Record is an electronic record that is made up of patient information from GP medical records.
We will share and obtain personal and special category data with other local authorities for out of area placements, to ensure care and support is provided where required.
Kent County Council are one of the partner organisations to the Kent and Medway Care Record (KMCR). The KMCR is an electronic care record which links your health and social care information held in different provider systems, to one platform. This allows health and social care professionals who have signed up to the KMCR to access the most up to date information to ensure you receive the best possible care and support by those supporting you. The KMCR can also be used for secondary purposes. This includes using the KMCR information for planning e.g. population health management, audit e.g. business intelligence and research e.g. academia etc.
In order to enable this sharing of information, organisations who use the KMCR have agreements in place that allow the sharing of personal and special category data. Read further information about the Kent and Medway Care Record or read the Kent and Medway Care Record privacy notice for information about the ways in which your data is used for this system.
We also work with other Kent Local Authorities to deliver services, in particular, identifying people at risk of financial exclusion and homelessness. To help deliver such services, we are piloting the use of Xantura’s ‘OneView’ data sharing platform. This will provide Kent Local Authorities with the ability to provide tailored prevention and support and enable Council Officers, who work with you, to understand more about your circumstances to help provide the right care and support. Read the Xantura Project Privacy Notice for information about the ways in which your data is used for this system.
We will share and obtain personal and special category data from citizens (yourself or your relative/representative) and professionals (such as your GP, care home) via the Mosaic Citizen Portal. This is an internet portal which will allow you or a representative to notify us of changes in circumstances relating to your social care via an online form (such as care package changes, referrals).
We may also be required to provide access to or share your personal and special category information with Care Quality Commission (CQC) to allow them to provide a meaningful and independent assessment of care on Local Authorities under the Health and Care Act 2022. This will enable CQC to understand the quality of care provided by a Local Authority and to provide assurance to the public of the quality of care in their area.
We may share information to telecare providers as part of the Digital Switchover which will help to ensure that telecare providers can identify individuals who have ancillary services (e.g., assistive technology, auto diallers etc) to help minimise the effect that the Digital Switchover will have.
We may work with service improvement consultants to ensure that Adult Social Care can deliver sustainable care and support at the right time, and help to identify service improvements and help to identify best practice and standards.
Collecting and sharing your personal information
In the course of working with you, we may collect information from, or share it, with some of the following third parties (non exhaustive list):
- Advocates, deputies, legal power of attorney
- Borough councils, housing associations and landlords
- Other local authorities
- Cabinet members
- Care Quality Commission (CQC)
- Central government
- County councillors
- Department for Work and Pensions (DWP)
- external providers such as the Money and Pensions Service (MaPS) to access the Money Adviser Network (MAN) (this is a service to refer you to debt agencies so that you can obtain free financial advice)
- Family members and carers
- Internal teams, such as case management and finance
- Kent and Medway Safeguarding Adults Board (KMSAB)
- Kent Safeguarding Children Board (KSCB)
- Legal representatives, such as solicitors
- Local government ombudsman
- MPs
- 'Nearest Relative'
- NHS providers, such as GPs, hospitals, NHS Care Summary Records, NHS Digital and England, NHS Arden & Gem Commissioning Support Unit
- Other professionals
- Partner agencies, such as volunteer organisations and statutory organisations
- Schools
- Kent and Medway Care Record Partner Organisations
- Telecare providers
- Service improvement consultants.
Each organisation listed above will ensure they have the relevant agreements in place to be able to process your personal information.
The Kent and Medway Safeguarding Adults Board (KMSAB) is a statutory service which exists to make sure that all member agencies are working together to help keep Kent and Medway's adults safe from harm and protect their rights.
This data sharing enables us to personalise your care and ensure that you are receiving the best support possible.
We will share your personal data with the National Fraud Initiative, which is administered by the Cabinet Office, for the purposes of assisting the prevention and detection of fraud.
We will share your personal data with the Kent Intelligence Network (KIN) to detect, prevent and deter fraud and corruption affecting Kent authorities’ public services. View the KIN privacy notice for more information.
We will share personal information with law enforcement or other authorities if required by applicable law or in connection with legal proceedings.
We will share personal information with our legal and professional advisers in the event of a dispute, complaint or claim. We rely on Article 9(2)(f) where the processing of special category data is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
How we use your personal information
We use your personal information to:
- create a secure and comprehensive record of all of the work that we do with and for you:
- your name, address, telephone number, date of birth
- contact details for members of your family and support network
- fully understand your needs:
- information about you and your circumstances
- information about your needs and wishes
- information such as racial or ethnic origin, religious or philosophical beliefs, your sexual orientation
- your photograph
- promote your health and wellbeing in partnership where applicable with the Kent and Medway Partnership Trust (KMPT), the NHS and North East London Foundation Trust (NELFT):
- information about any health conditions or disabilities that may apply to you, including your mental health
- arrange short and long term care solutions:
- details contained in your care records and conversations held
- manage your financial affairs, if you are unable to do so yourself and do not have someone to manage them for you
- liaise with agencies, companies and charities on your behalf:
- relevant personal information held on our systems
- keep you safe from harm:
- information about health conditions such as relevant information on medical record
- information about any health and safety concerns that may be relevant
- process complaints and compliments regarding the services we have provided
- details contained in your care records and correspondence received
- process feedback regarding the services we have provided:
- details contained in the feedback you provide. We will use personal information we already hold about you to contact you to request feedback or invite you to attend events to tell us about your experiences of adult social care, for example name, telephone number, email address and postal address.
- request and arrange installation of specialist equipment for you:
- information about any health conditions or disabilities that may apply to you
- information about your needs and wishes
- your name, address, telephone number, date of birth
- contact details for members of your family and support network
- your photograph
- assess your financial contribution to your care:
- information about your finances - bank details, income, benefits
- a means tested financial assessment will be completed. This will calculate the contribution of cost to your care. Automated decision making may be used as part of this process. A financial assessment will be reviewed annually and an uplift in the calculation contribution is made. This will reflect expected changes in allowances benefits, capital and income. Automated decision making is used as part of this process
- help you to register with the Vulnerability Registration Service. This service will help you to list financial circumstances as a flag to creditors or lenders to ensure they can provide you with the right support on your finances.
- work with you or your representative to create a Care and Support Plan:
- details contained in your care records and conversations held
- liaise and share information with other local authorities for out of area placements
- details contained in our records and details shared to us by other local authorities
- analyse the service that we are providing:
- statistical reports output by our computer systems
- gather key themes, trends, patterns, factors and so on, that influence outcomes, for example, from your personal and special category information that we hold or we collect and share with other organisations involved in your care and support, or, who provide consultancy services on service improvements
- support the delivery of the COVID-19 vaccination programme
- support the delivery of the Kent and Medway Care Record
- information identified in the specific KMCR privacy notice
- provide better outcomes to improve your health and social care requirements and to improve your health and social care journey
- Ensure integration with health and social care providers to provide a person-centred approach for you
- Ensure you are in receipt of the right care and support throughout your social care journey
- Support the delivery of the Xantura Project
- information identified in the specific Xantura Project privacy notice
- support the submission of the Client Level Dataset, which is a mandated national dataset collection, to:
- deliver comprehensive data about adult social care services
- enable key aspects of adult social care service provision to be analysed at a national level. For example, monitoring service and integrated care outcomes, understanding current and future population needs and resource utilisation
- support the function of CQC to inspect Local Authority care in their area.
The sharing of information facilitates a joined up approach with partner agencies, to provide you with the best possible care and support.
How long your personal data will be kept
We will only hold your personal information for as long as necessary. To work out how long we need to keep your information for we use our retention schedule (See sections AS1 – 6 (excluding AS2.1, AS2.2, AS4.4, AS4.5, AS4.9, AS4.10, AS4.11, AS4.12.15, AS4.12.16, AS4.13, AS5.2, AS6.1) which provides a breakdown of the retention periods relied on by Adult Services). The criteria for determining retention periods are statutory or other industry requirements, legal liability or other legal requirements and best business practice. You will be informed in the service specific privacy notice of how long your data will need to be kept prior to secure disposal.
For the purpose of referring you to MaPS for the MAN service, a consent log will be retained for no longer than 1+ current financial year from the date of application before the records and all data we have in it is permanently deleted from its secure storage (as per KCC's retention schedule record AS4.12.17).
For the purpose of registering you to the Vulnerability Registration Service, a consent log will be retained for no longer than 6+ current financial year after last contact if being registered by Client Financial services (as per KCC’s retention schedule record AS4.12.05). As per the retention period, data collected will be securely disposed of at the end of retention.
When information is received by NHS England and NHS Digital for the purpose of the client level dataset, this will be kept for a maximum 20 years. This will be subject to appraisal if there is a justifiable reason to extend.
Reasons we can collect and use your personal information
When we collect your personal data, we rely on the following legal bases:
- Article 6(1)(a) - the individual has given clear consent for you to process their personal data for a specific purpose
- Article 6(1)(c) - processing is necessary for compliance with a legal obligation to which the controller is subject
- Article 6(1)(d) - processing is necessary to protect someone’s life (vital interests)
- Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
When we collect your ‘special categories of personal data’, (such as health, race, ethnicity, sexual orientation) we rely on the following legal bases:
- Article (9)(2)(a) - the individual has given explicit consent to the processing of those personal data for one or more specified purposes
- Article (9)(2)(c) - it is necessary for the protection of vital interests
- Article (9)(2)(g) - processing is necessary for reasons of substantial public interest (safeguarding of children and of individuals at risk and statutory and government purposes)
- Article (9)(2)(h) - processing is necessary for the provision of health or social care or treatment or the management of health or social care systems and services
- Article 9(2)(i) - Necessary for reasons of public interest in the area of public health (subject to a DPA 18 condition.
- Article 9(2)(j) - Necessary for archiving purposes in the public interest, scientific, or historical research purposes in accordance with Article 89(1) (subject to a DPA 18 condition) which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject
We rely on the public interest, health or social care purpose and research conditions from Schedule 1 of the Data Protection Act 2018 when relying on Article(9)(2)(h) to process your special category data.
We take the following appropriate safeguards in respect of your special category data when relying on the conditions above:
- We have an Appropriate Policy for Lawful Processing which explains how the data protection principles are secured when using special category information. This policy is retained throughout the time we use your data and for six months after we cease to use it.
- We have a retention schedule which explains how long data is retained.
- We maintain a record of our processing in our ‘Record of Processing Activities’ and record for any reasons deviating from the periods in our Retention Schedule.
As we have a statutory basis for collecting your personal data, we do not need to ask for your permission to collect and share it, however we will only ever share your data on a basis of need, in line with legislation and will work transparently with you at all times.
If you do not provide your data, it will limit the effectiveness of the services and support that we are able to offer you.
When asking for your feedback, your reply will be treated confidentially and will not be passed on to anyone providing you with services. You will not be personally identified, and your answers will not affect the services you receive. A reference number has been included that will only be used to contact you if your answers lead us to be very concerned about your safety or wellbeing. This is the only circumstance under which this reference will be used to identify you.
When asking for your consent to obtain medical record information and allergen information from the NHS Summary Care Record, you can withdraw your consent at any time. You can do this by contacting the service direct by phone, email or in person.
When you provide your consent for us to help you to register to the Vulnerability Registration Service, you can withdraw your consent at any time. You can do this by emailing referkent@kent.gov.uk.
NHS and care services
We have processes in place for considering requests for data disclosures for purposes beyond direct care which is consistent with national data opt-out policy. Our organisation is compliant with the national data opt-out policy.
To find out more about the NHS’ wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, visit the NHS website. If you do choose to opt out you can still consent to your data being used for specific purposes.
Your rights
Under the UK GDPR you have rights which you can exercise free of charge which allow you to:
- know what we are doing with your information and why we are doing it
- ask to see what information we hold about you (subject access request)
- ask us to correct any mistakes in the information we hold about you
- object to direct marketing
- make a complaint to the Information Commissioner's Office
Depending on our reason for using your information you may also be entitled to:
- ask us to delete information we hold about you
- have your information transferred electronically to yourself or to another organisation
- object to decisions being made that significantly affect you
- object to how we are using your information
- stop us using your information in certain ways
We will always seek to comply with your request however we may be required to hold or use your information to comply with legal duties. Please note, your request may delay or prevent us delivering a service to you.
For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the United Kingdom General Data Protection Regulation.
Objecting to data sharing via KMCR
You have the right to object of sharing personal data via the Kent and Medway Care Record. You should therefore contact the organisation(s) involved in your care. An objection to sharing your information will mean that your data will not be shared for any kind of direct care, including extended hours GP access and emergencies. We ask you to think carefully before making this decision as sharing your health and social care information will make it easier for services to provide the best treatment and care for you.
If you chose to object, the right is not absolute, and we may continue to use the data if we can demonstrate compelling legitimate grounds.
To register your choice to opt out of your confidential personal information being used for secondary purposes, please visit the NHS website.
Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Contact
Please contact the Information Resilience and Transparency Team at data.protection@kent.gov.uk to exercise any of your rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for.
You can contact our Data Protection Officer, Benjamin Watts, at dpo@kent.gov.uk.
The United Kingdom General Data Protection Regulation also gives you the right to lodge a complaint with the Information Commissioner who may be contacted online or by telephone 0303 123 111.
For further information read our privacy statement.