To read how we may use your personal information during the COVID-19 pandemic, please read our supplementary privacy notice here >

Medway Community Healthcare aims to provide you with the highest quality care. To do this, we must keep records about you and the care we provide. We keep records securely on paper and computer systems in line with the General Data Protection Regulation (GDPR). Our staff are trained to handle your information correctly in order to protect your privacy.

We aim to maintain high standards; adopt best practice for record keeping; and regularly check and report on how we are doing. Your information is never collected for marketing purposes, and is not sold on to any third parties.

Sometimes your care may be provided by members of a care team, which might include people from other organisations such as social services, education, a third party working on our behalf or a third party providing us with IT services. When it could be best for your care, your information may be shared with other healthcare organisations. If you don’t agree for this to happen, we will discuss with you the possible effect this may have on your care and alternatives available to you.

If we need to use your personal information for any reason beyond your direct care, we will aim to discuss this with you. You have the right to ask us not to use your information in this way, but there may be times when we have to share your information without your permission because:

  • the public good is thought to be of greater importance for example:
    • if a serious crime has been committed
    • if there are risks to the public or our staff
    • to protect vulnerable children or adults
  • we have a legal duty, for example registering births, reporting some infectious diseases, wounding by firearms and court orders
  • we need to use the information for medical research. We have to ask permission from the Confidentiality Advisory Group (appointed by the NHS Health Research Authority)

We have a legal duty to keep records about you confidential, accurate and secure at all times.

Personal data: information relating to natural persons who: can be identified or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information. Examples include, but are not limited to, name; address; date of birth; NHS number; occupation.

Special category data: is personal data which the GDPR says is more sensitive, and so needs more protection. Examples include, but are not limited to, race; ethnicity; political opinions, religious beliefs; genetic data; biometric data eg. fingerprints or facial recognition; health data; and sexual orientation.

The data controller responsible for keeping your information confidential is:

Martin Riley - Managing Director
Medway Community Healthcare
MCH House
Bailey Drive
Gillingham Business Park


The data protection officer is responsible for ensuring MCH is compliant with the General Data Protection Regulation:

Harry Williams
Medway Community Healthcare
MCH House
Bailey Drive
Gillingham Business Park


The data protection officer is also the main contact should you have any concerns or queries, however in the first instance we would request you contact our Information Governance team on 01634 334640.

Confidentiality affects everyone: Medway Community Healthcare collects, stores and uses large amounts of personal data every day such as medical or personnel records, which may be paper-based or held on a computer.

We take our duty to protect your personal information and confidentiality very seriously and are committed to taking appropriate measures to ensure it is held securely and only accessed by those with a need to know.

At executive level, we have appointed:

A Senior Information Risk Owner (SIRO) who is accountable for the management of all our information systems and the data they hold. The SIRO also makes sure that any associated risks or incidents are documented and investigated appropriately.

A Caldicott Guardian who has particular responsibility for providing advice on protecting patient confidentiality and sharing patients’ information securely when appropriate.

A Data Protection Officer who is responsible for monitoring our compliance with the GDPR and other data protection laws. They are also a point of contact for any queries relating to your data.

Healthcare professionals caring for you keep records about your health and any treatment and care you receive from us. These records help to ensure that you receive the best possible care and may be written on paper or held on a computer. They may include:

  • Basic details about you such as name, address, date of birth, next of kin, GP practice etc.
  • Contact we have had with you such as appointments or clinic visits.
  • Notes and reports about your health, treatment and care.
  • Results of x-rays, scans and laboratory tests.
  • Relevant information from people who care for you and know you well such as health or social care professionals, relatives or carers.

We also collect and analyse details on any protected characteristics (for example your ethnicity) to ensure there are no barriers for anyone within our local community to access healthcare and improve services. Any issues are included within our annual equalities action plan.

It is essential that we have accurate and up to date information about you so that we can give you the best possible care. Please check that your personal details are correct whenever you visit us, and inform us of any changes, for example, to your contact details or GP practice as soon as possible. This minimises the risk of you not receiving important correspondence.

MCH will rely on one or more of the following lawful bases for processing your personal data, under article 6 of the GDPR:

  • 6(b) the processing is necessary to meet contractual obligations entered into by you
  • 6(c) the processing is necessary to comply with legal obligations to which we are subject
  • 6(d) the processing is necessary to protect the vital interests of you (protect your life)
  • 6(e) the processing is necessary for us to perform specific tasks in the public interest or for our official functions, and the task or function has a clear basis in law

MCH will also rely on one or more of the following lawful bases for processing special category data about you, under article 9 of the GDPR:

  • 9(2)(h) for the purposes of preventative or occupational medicine
  • 9(2)(h) for us to provide a medical diagnosis
  • 9(2)(h) for the provision of health or social care treatment or management of health or social care systems and services, carried out by, or under the supervision of health professional or social work professional or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law. This includes us processing to receive payment for work undertaken as part of a service commissioned with public money.
  • 9(2)(c) to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent

In general terms, your records are used to direct, manage and deliver your care so that:

  • The healthcare professionals involved in your care have accurate and up to date information to assess your health and decide on the most appropriate care for you.
  • Healthcare professionals have the information they need to assess and improve the quality and type of care you receive.
  • Appropriate information is available if you see another doctor, or are referred to a specialist or another part of the NHS or social care.
  • Your concerns can be properly investigated if a complaint or claim is raised.

Call recording

Telephone calls to or from Medway Community Healthcare may be recorded for the following purposes:

  • To prevent crime or misuse
  • To make sure that staff act in compliance with our procedures
  • To ensure quality control
  • Training, monitoring and service improvement

SMS text messaging

We will also use your telephone number(s) to send your appointment details via SMS text message.

Most of our patients appreciate these reminders and we know that it reduces the number of missed appointments, but if you do not wish to receive text messages please let us know by speaking a member of staff or email us at

Viewing a shared care record

Working with local healthcare providers, like Medway Hospital and GP practices, there may be times where we will view your local health record through a viewer to enable us to have real time clinical information about you, about your hospital visits, or about your last GP visit. Examples of this might be any allergies or sensitivities you have, or when you were last prescribed some medication from a GP or consultant.

All parties involved in this local health record project (called the Kent and Medway Care Record KMCR) have signed and must abide by a strict data sharing agreement which controls who might see your information and what happens to it.

For more information relating to the Kent and Medway Care Record (KMCR) please click here.

We share information about you with others directly involved in your care; and also share more limited information for indirect care purposes, both of which are described below:

Direct care purposes

You may be receiving care from other people as well as the NHS, for example Social Care Services. We may need to share some information about you with them so we can all work together for your benefit. We will only do this when there is a genuine need for it or we have your permission. Examples of who we may share your information with are:

  • Your GP
  • Hospitals
  • Other health professionals outside of Medway Community Healthcare, including the parties under the Kent and Medway Care Record
  • Education Services
  • Local Authorities
  • Social Care Services
  • Voluntary and private sector providers working with the NHS

We will always endeavour to share the minimum amount of personal information required, anonymising where necessary. However, there will be some instances where personal information will need to be shared with other organisations for the purposes of caring for our patients, or where there is a legal requirement for us to do so (for example a court order).

Indirect care purposes

We also use information we hold about you to:

  • Review the care we provide to ensure it is of the highest standard and quality
  • Be inspected by statutory bodies, such as the Care Quality Commission (CQC), to ensure our services are regulated and meeting statutory requirements
  • Ensure our services can meet patient needs in the future
  • Investigate patient queries, complaints and legal claims, including defending legal claims. This also applies if a patient makes a complaint to an independent body, for example NHS England, the Care quality commission (CQC) or the Ombudsman and MCH are requested to investigate the complaint by the independent body
  • Ensure we receive payment for the care you receive
  • Prepare statistics on NHS performance
  • Audit NHS accounts and services
  • Undertake health research and development (with your consent – you may choose whether or not to be involved)
  • Help train and educate healthcare professionals
  • Understand if there are any under represented groups of the community who are not accessing healthcare services

Nationally there are strict controls on how your information is used for these purposes. These control whether your information has to be anonymised first and with whom we may share identifiable information. You can find out more about these purposes, which are also known as

secondary uses, on the NHS England and Health and Social Care Information Centre’s websites: and


The UK GDPR and Data Protection Act 2018 grants you rights to enable you to have a better understanding and more control over your personal information:

The right to be informed

MCH has a duty to let you know how we are using your information. You are informed of this via our privacy notice, our staff, website, posters and leaflets.

The right to access

When requested, MCH must provide you with a copy of your personal data, the purposes for processing your data, the categories of data being processed and who the data will be shared with. Find more information on how to request this, via the “How can you access your records” tab.  

The right to rectification

You can request data found to be factually inaccurate or incorrect be corrected. You can exercise this right in the same way as you exercise your right to access (above).

The right to erasure

Whilst this right does not apply to health or care records, you can check that data we hold about you will not be kept for longer than necessary.

The right to restriction of some processing

You have the right to restrict the processing of your data if:

  • You are contesting the accuracy of the data – processing will be restricted to allow us to verify the accuracy
  • Where you request us to retain your information outside of the normal destruction date e.g. if you are pursuing a claim
  • If you object to us processing your data. This right is not absolute, as it is necessary for us to process your data to provide health or social care. You can request that your data is not shared outside of MCH for purposes beyond your direct care; your request will be reviewed on a case by case basis, as we still have a legal obligation to share data in certain circumstances and to allow for MCH to receive payment for care provided.  

If you choose not to allow us to share your information with other health or social care professionals involved with your care, it may make the provision of treatment or care more difficult or unavailable. Please discuss any concerns with the clinician treating you so that you are aware of any potential impact. You can also change your mind at any time about a disclosure decision.

The right to data portability

This right does not apply to publicly funded patients (an NHS funded service). If you are seen as a privately funded patient, you have the right to ask us to copy or transfer your information that you have provided us from one IT system to another in a safe and secure way, without impacting the quality of information. 

The right to object

You have the right to object to processing for direct marketing and for scientific/historical research/statistical purposes.  You must be able to demonstrate grounds relating to your situation for the processing to stop, however if the processing is necessary performance of a task carried out for reasons of public interest, we will be unable to comply with your request.

Rights in relation to automated decision making and profiling

You have the right not to be subject to solely automated decisions, including profiling, which have a legal or similarly significant effect on you. This right does not explicitly apply to this organisation as no decision would be made on our employees without human intervention (a solely automated decision). 

Guidance issued in relation to the GDPR has stated that consent should only be relied on as the legal basis for processing where it is freely given, specific, informed and unambiguous.  We will not, generally, rely on consent as a legal basis for processing your personal data but in certain circumstances it may be deemed appropriate.  Where you provide consent to the processing of your data, you will be asked at the time the data is processed and you should be aware that you will be able to withdraw your consent at any time.

The Department of Health requires that health care providers retain patient records for a specific period of time after the end of care.  For adults this will normally be 8 years after the date we last treated you and for child health records until the child’s 25th birthday. There are exceptions to this, and we follow the NHSX Records Management Code of Practice 2021. Further information can be found at​​​​​​​

The General Data Protection Regulation gives you a right to access the information we hold about you (unless an exemption applies). Though we recommend that requests are made in writing, requests can be made in writing or verbally to the Information Governance Team at MCH House, or via email (, with an indication of what information you are requesting to enable us to locate it in an efficient manner and be accompanied by evidence of your identity.  

In most cases this service is free of charge and once we have confirmed your identity, we will aim to respond within one calendar month unless it is extremely complex or there are factors outside of our control. If we need longer we will let you know that this is the case as soon as we become aware. There is more information about this and an application form that you may wish to use on our website:


The National Data Opt-out has been introduced to give you (patients) a choice on how your confidential patient information is used for purposes beyond your individual care e.g. for research projects.

The information that the opt-out applies to is special category data as it includes information about your health care and/or treatment that has been collected as part of the care we provide for you.

You can set or change your national data opt-out choice using the online service ( or by phone by calling 0300 303 5678. When you set a national data opt-out, it is in held in a repository on the NHS Spine against your NHS number.

In accordance with our patient’s wishes and the National data opt-out policy, as an organisation providing health and care services located in England, we are required to apply National data opt-outs when applicable to a use or disclosure of confidential patient information for purposes other than the patient’s care or treatment.

Applying the opt-out to a data use/disclosure requires that we check, by using the NHS numbers of patients, whether a patient has registered an opt-out before the data is used/disclosed.

If you have given us explicit consent for us to process or share your information, for example if you have signed up to one of our research projects, then the opt-out will not apply. There may be occasions where other exemptions apply; we may respond to a clinical audit or provide a piece of information, because we are legally required to do so by an organisation such as NHS Digital; in these instances your opt-out will not apply. 

For further information, or if you would like to register an opt-out, please visit 


Medway Community Healthcare is registered with the Information Commissioner’s Office (ICO) for the purpose of processing personal information.

You have the right to make direct complaints to the ICO; however we would request that in the first instance you talk to us or our Data Protection Officer, at or ring 01634 334640.

Information Commissioner’s Office
Wycliffe House
Water Lane
Telephone: 0303 123 1113

Details of our registration with the ICO’s data protection register can be found here: 

Data Protection Register



This privacy notice is reviewed yearly or sooner where new guidance or legislation is introduced.  If we plan to use personal data for a new purpose we will update our privacy notice.

Last reviewed: April 2024