Ahead of any partner organisation flowing information into the live KMCR system, it is essential the feed of data is tested to make sure it meets the data field requirements and allows a smooth flow of data into the platform.

Where possible Graphnet will request dummy or fictional data from the controller organisation to use within the test environment, however, this sample may not provide adequate variations to meet and test all data feed specifications sufficiently. 

In these circumstances, a sample of live patients from the controller’s source system may be used to meet the test criteria. All such data will be deleted from the test system immediately upon completion of the tests, and in any event no later than two weeks following completion of the test process. The information governance lead for the controlling organisation will maintain responsibility for assessing and approving the case for using live test data.

Categories of personal information

The personal data that is collected and shared for the purposes of live testing includes:

  • person identifiable data including basic details about yourself such as forename, surname, address, date of birth, gender, age, postal address, postcode, telephone number, email address, NHS number and hospital ID
  • special categories of personal data include racial or ethnic origin, physical/mental health or condition. For example, contact we have had with you such as appointments or clinic visits; notes and reports about your health, treatment and care; results of x-rays, scans and laboratory tests; relevant information from people who care for you and know you well such as health staff and relatives /carers; alerts and/or notifications for example high risk medicines. 


What is the lawful basis for processing?

The processing of personal data for the purposes of live testing is permitted under UK GDPR Article 6(1)(e) of the UK General Data Protection Regulation (UK GDPR) and UK Data Protection Act 2018 (DPA).

  • Article 6(1)(e) Public Task: The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. 
  • The processing of special categories of personal data for live testing is permitted under Article 9 (2) (b) of the UK GDPR where information technology staff (who are not healthcare professionals) will be appraising the data and the UK Data Protection Act 2018 (DPA).
  • Article 9(2)(b) Legal Obligation: Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by union or member state law or a collective agreement pursuant to member state law providing for appropriate safeguards for the fundamental.