About the Kent and Medway Care Record (KMCR)

The Kent and Medway Care Record (KMCR) is an electronic care record that links data held in different provider systems for the purpose of providing health and care. The KMCR also includes a number of electronic or e-forms which are populated and updated by care professionals from these organisations as part of an Integrated Care Plan.

The KMCR, which is provided by SystemC Graphnet, brings together information about citizens from different health and care organisations in a secure manner. System C Graphnet processes the data held in the KMCR on behalf of these organisations. System C Graphnet do not have any control over that data.

Benefits of such a system are:

  • Improved quality of care – information about your care will be instantly available to professionals to enable accurate diagnosis and on-going treatment. Duplication of tests will be avoided.
  • Improved patient safety – there will be greater visibility for health and social care providers about your current medications, allergies and adverse reactions. 
  • Reduced delays in care – test results will be readily available reducing waiting times.

The KMCR pulls information about individuals from several important areas of health and care including:

  • Primary care e.g. GP practices
  • Community services
  • Mental health services
  • Social care
  • Secondary care e.g. hospitals
  • Specialist services e.g. South East Coast Ambulance Service (SECAmb)
  • Hospices
  • Out of Hours providers
  • GP Federations
  • PCNs
  • Pharmacies.

The KMCR will also be used to collect data that is only held in the system, by health and care professionals. This data is held in e-forms in the KMCR. These forms are typically used for assessments and planning of care; examples include:

  • Frailty Assessment
  • Falls Assessment
  • Nutrition Assessment
  • Respiratory Assessment
  • Heart Failure Care Plan
  • End of Life Care Plan
  • Integrated Care and Support Plan.

The data we hold may also be used to shape the way we work together to plan service improvements, improve the health and wellbeing of our communities and take action to prevent illness and disease for individuals as well as wider communities.

All organisations take the duty to protect your personal information and confidentiality very seriously and are committed to taking all reasonable measures to ensure the confidentiality and security of personal information for which they are responsible. The KMCR has been built in such a way as to make sure its use can be audited at any time. This allows confidentiality to be monitored where necessary.

Information recorded about you across the NHS and care organisations

When you contact an NHS or care organisation as a patient/service user, organisations collect information about you and keep records about the care and services provided. If you contact organisations for a reason other than your direct care, they may also record information about you e.g. complaints or dealing with Freedom of Information requests.

All partner organisations listed are registered with the Information Commissioner’s Office to process your personal information in accordance with the current Data Protection Act 2018 and any subsequent revisions. The data protection notifications for all participating organisations can be found on the Information Commissioner’s Office website at www.ico.gov.uk. This guidance explains the types of information that is recorded about you, why this is necessary and the ways in which this information may be used. It also covers:

Categories of personal information

Anonymised data - data where personal identifiable identifiers have been removed. Data protection laws and the Common Law of Confidentiality to do not apply to anonymised data. 

Pseudonymised data - data where any information which could be used to identify an individual has been replaced with a fake identifier. Pseudonymised data remains personal data and as such the Common Law Duty of Confidentiality and Data Protection legislation apply and there must be a lawful reason for using such data.

Person identifiable information (or personal data) - any information about an individual from which, either on its own or together with other information, that person may be identified. The Common Law Duty of Confidentiality and Data Protection legislation apply and there must be a lawful reason for using such data.

To find out more about the data processed for each purpose, please click on the links below (The purpose(s) of sharing).

In addition to the above types of data, some information is considered protected regardless of the purpose of processing; this information does not form part of your shared care record and is not disclosed to any other third parties without your permission unless there are exceptional circumstances, such as if the health and safety of others is at risk or if the law requires us to pass on such information. An example of this protected information that will be left out is fertility treatment records.

The purpose(s) of sharing

The KMCR facilitates the sharing of data for the following purposes:

Please click on the above links to find out more about exactly how we will share your data for each of the stated purposes.

What is the lawful basis for the sharing?

Each purpose of sharing has its own lawful basis and these can be found in detail on the associated links above.

Organisations we share your personal information with

Personal Data (including special category data) will only be shared between the health and social care organisations which have signed the KMCR Joint Controller or Data Processing Agreement. These currently include:

  • Dartford and Gravesham NHS Trust (DGT)
  • East Kent Hospitals University NHS Foundation Trust (EKHUFT)
  • Medway Maritime Hospital - Medway NHS Foundation Trust (MFT)
  • Maidstone and Tunbridge Wells NHS Trust (MTW)
  • Kent and Medway NHS and Social Care Partnership Trust (KMPT)
  • North East London NHS Foundation Trust (NELFT)
  • Kent Community Health NHS Foundation Trust (KCHFT)
  • HCRG Care Group Limited
  • Medway Community Healthcare (MCH)
  • General practitioners
  • South East Coast Ambulance Service (SECAmb)
  • Out of hours providers (currently IC24, Invicta Health, Channel Health Alliance, DGS Health, MCH and KCC Children’s Services)
  • NHS Kent and Medway Integrated Care Board (NHSKM ICB)
  • Kent County Council (children and adults social care departments) (KCC)
  • Medway Council (children and adults social care departments) (MC)
  • Primary Care Networks (PCNs)
  • Kent and Medway hospices (Marie Curie, Pilgrims Hospice, Demelza, Ellenor, Weald, Wisdom, Heart of Kent)
  • GP federations
  • Community Interest Companies.

In the future it is likely that the KMCR will be extended to a wider range of health and care providers. This may include:

  • Other providers of community health and care services
  • Community pharmacies (Chemists).

How will the information be made available?

The information is accessed in real time for acute trusts and within a 24-hour period following automated upload for all other providers. Access to your information depends on the user having access in their own clinical systems, so professionals can only see information regarding individuals that are being referred for care or treatment or those that are currently being treated by them.

The majority of information within KMCR is presented as a read only view; meaning that the information from a provider’s local record cannot be changed. However, KMCR also provides an e-forms function which enables additional information about health, health assessments and planning of services to be created and stored within KMCR; these are only available within the KMCR system and are not transferred to any other clinical system.

How long do we keep your record?

Your records are kept for as long as necessary by local partners in accordance with their associated purpose. The retention schedules are aligned to the best practice outlined by NHS England's Transformation Directorate. This information can be found in a document called the Records Management Code of Practice.

How we keep your personal information safe and secure?

To protect personal and special category data, we ensure the information we hold is kept in secure locations and access to information is restricted to authorised personnel only.

Our appropriate technical and security measures include:

  • ensuring that all employees and contractors who are involved in the processing of Personal Data are suitably trained, on an annual basis, in maintaining the confidentiality and security of the Personal Data and are under contractual or statutory obligations of confidentiality concerning the Personal Data.
  • robust policies and procedures e.g. password protection.
  • technical security measures to prevent unauthorised access.
  • use of ‘user access authentication’ mechanisms to ensure that all instances of access to any Personal Data under the Kent Medway Care Record (KMCR) system are auditable against an individual i.e. role-based access and Smartcard use to ensure appropriate and authorised access reminding staff of their responsibilities in complying with Data Protection Legislation.
  • encrypting information transmitted between partners.
  • implementing and maintaining business continuity, disaster recovery and other relevant policies and procedures.
  • completion of the NHS Data Security and Protection (DSP) Toolkit introduced in the National Data Guardian review of data security, consent and objections, and adhere to robust information governance management and accountability arrangements.
  • regular audit of policies and procedures to ensure adherence against these criteria.

The NHS Digital Code of Practice on Confidential Information applies to all staff who access the KMCR; they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.

What are your rights?

Under the Data Protection Legislation, you have the right:

  • To be informed of the uses of your data - this enables you to be informed how your data is processed.
  • Of access - this enables you to have sight of or receive a copy of the personal information held about you and to check the lawful processing of it.
  • To rectification - this enables you to have any incomplete or inaccurate information held about you corrected.
  • To erasure - this enables you to request that we erase personal data about you that we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding lawful grounds to continue to process your data.
  • To restrict processing - this enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • To data portability - this enables you to transfer your electronic personal information to another party, where appropriate.
  • To object - this enables you to object to processing of personal data about you on grounds relating to your particular situation. The right is not absolute and we may continue to use the data if we can demonstrate compelling legitimate grounds. For further information regarding your right to object, please click here.
  • In relation to automated decision making and profiling - this enables you to be told if your data is being processed using automated software in relation to automated decision making and profiling. Note: there is no automated decision making or profiling in KMCR.

If you wish to exercise your rights in any of the ways described above, you should in the first instance contact the IG team at the care giving organisation.

Right to complain

You can get further advice or report a concern directly to the KMCR Information Governance Team at kentchft.kmcrinformationgovernance@nhs.net

You also have the right to contact the UK’s data protection supervisory authority (Information Commissioner’s Office) by:

  • Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
  • Telephone: 0303 123 1113 (local rate) or 01625 545745 (national rate)
  • Email: https://ico.org.uk/concerns/handling/ 

Further information about the way in which the NHS uses personal information and your rights is published by NHS Digital.

The NHS Constitution

The NHS Constitution establishes the principles and values of the NHS in England. It sets out the rights patients, the public and staff are entitled to. These rights cover how patients access health services, the quality of care you will receive, the treatments and programmes available to you, confidentiality, information and your right to complain if things go wrong.

NHS England

NHS England collects health information from the records health and social care providers keep about the care and treatment they give, to promote health or support improvements in the delivery of care services in England.

Reviews of and changes to this privacy notice

We will review the information contained within this notice regularly and update it as required. We therefore recommend that you check this webpage regularly to remain informed about the way in which we use your information.