How we use your information 

Fair processing notice

We use information in a variety of ways but ensure patient confidentiality.

This section – known in the NHS as a Fair Processing Notice – tells you how we use your information.

This page provides information about why the NHS records information about you and how it is used; with whom we may share information; your right to see your health records; and how we keep your records confidential.

The purpose of this notice is to:

  • Inform you of the type of information (including personal and sensitive personal information) that NHS Dartford, Gravesham & Swanley Clinical Commissioning Group (CCG) holds
  • How the CCG uses the information
  • Who the CCG may share that information with
  • How we keep the information, safe, secure and confidential.

This privacy statement only covers NHS Dartford, Gravesham & Swanley CCG and does not cover any other organisations that can be linked to from this site or any organisation associated with the CCG.

Personal confidential data is a term used in the Caldicott Information Governance Review and describes personal information about identified or identifiable individuals, which should be kept private or secret and includes dead as well as living people.

The review interpreted ‘personal’ as including the Data Protection Act 1998 (DPA) definition of personal data, but included data relating to the deceased as well as living people, and ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ and is adapted to include ‘sensitive’ as defined in the DPA.

According to the DPA, personal and sensitive data are defined as follows:

  • Personal data refers to information which relates to a living individual who can be identified from the data, or from the data and any other information which is, or is likely to be, in their possession and includes opinions about the individual.
  • Sensitive personal data refers to information on racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, whether someone is a member of a trade union, physical or mental health / condition, sexual life, any offences, or any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.

The CCG has a duty to ensure that personal confidential data is kept confidential, secure and used appropriately and this notice sets out how the CCG meets this requirement.

Why the NHS collects information about you

The NHS aims to provide you with the highest quality health care. To do this we must keep records about you, your health and the care we have provided or plan to provide to you.

Your doctor and other health professionals caring for you, such as nurses or physiotherapists, keep records about your health and treatment so that they are able to provide you with the best possible care. These records are called your ‘health care record’ and may be stored in paper form or on computer and electronic systems and may include:

  • basic details about you, such as your address, date of birth, NHS number, and next of kin
  • details of the contacts we have had with you, such as clinical visits
  • notes and reports about your health
  • details and records about your treatment and care results of x-rays, laboratory tests etc.

Your health care records are used for the following reasons:

  • by healthcare professionals looking after you to have accurate and up-to-date information about you to help them decide on any future care you may require
  • to ensure accurate and  complete information is available, should you see another doctor or be referred to a specialist or another part of the NHS
  • to have a good basis for assessing the type and quality of care you have received
  • to ensure your concerns can be properly investigated if you need to complain

Who we are and what we do (About us)

NHS Dartford Gravesham & Swanley Clinical Commissioning Group is responsible for implementing the commissioning roles as set out in the Health and Social Care Act 2012. The CCG is a clinically-led organisation that puts the needs ofDartford Gravesham & Swanley residents at the heart of its decisions by working with partners to provide opportunities for people to access services that help them stay healthy. The CCG makes decisions regarding the health services that are available to the population ofDartford Gravesham & Swanley. It is made up of GP practices from across theDartford Gravesham & Swanley towns, responsible for planning and buying (commissioning) the majority of local NHS services for its population, for example hospital services, nursing in the community and mental health services.

The CCG also manages the performance of services that we commission (fund) to make sure that they are safe, provide high quality care and meet the needs of local people. Part of this performance management role may include responding to any concerns from patients about these services, where it is felt to be more appropriate for the CCG to investigate the concerns than for the provider of the health service to investigate.

For further information regarding NHS Dartford Gravesham & Swanley CCG, please visit our About Us page.

The Data Protection Act 1998

Under the Data Protection Act 1998, the CCG is required to register with the Information Commissioner’s Office (ICO) and detail all purposes for which personal confidential data is collected, held and processed. The CCG’s ICO registration number is Z3589887 and further information on our registration can be found on the ICO’s Register of Data Controllers.

The CCG has a legal duty to protect any information we collect from you. We use leading technologies and encryption software to safeguard your data and keep strict security standards to prevent any unauthorised access to it.

The CCG will not pass on your details to any third party or other government department unless you consent to this or when it is necessary and we are allowed or required to by law.

Information we collect and how we use it

For the majority of our work that the CCG does we do not need to use personal confidential data and wherever possible, anonymised data is used. Anonymised data refers to the process of turning personal and/or sensitive data into a form which does not identify individuals and where identification is not likely to take place. The DPA only applies to personal identifiable information and therefore anonymised data is not covered by the act as there is slim to no chance of the information being re-identifiable.

We hold information centrally which is used for statistical purposes to allow us to plan the commissioning (funding) of healthcare services. We will only use anonymised data. Examples of this include:

  • Evaluation and review of services such as checking their quality and efficiency.
  • Checking NHS accounts and services.
  • Working out what illnesses people will have in the future so that we can work with the local services to make sure that patient needs are met.
  • Reviewing the care we commission to make sure it is of the highest standard.

As the CCG is a commissioning organisation responsible for funding services, we do not provide any healthcare services and therefore we do not routinely hold medical records or patient confidential data. There are some specific areas, however, where we do hold and use personal confidential information. In order to process that information we will have met a legal requirement, as follows:

  • The information is necessary for facilitating direct healthcare for patients, to ensure you receive the best care possible
  • We have received consent from individuals to be able to use their information for a specific purpose; either you ask us to share it or we ask you and you give us specific permission
  • There is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime
  • There is a legal requirement that will allow us to use or provide information (e.g. a formal court order)
  • We have special permission for health or research purposes (granted by the Health Research Authority Section 251)
  • For the health and safety of others, for example to report an infectious disease

The CCG has a limited number of functions, where personal confidentiality is required:

Individual Funding Requests (IFR)

If you (or your doctor on your behalf) make an IFR for a treatment not routinely commissioned, the CCG will use the information you provide and where needed request further information from care providers to identify eligibility for funding. If agreed, arrangements will be put in place to provide and pay for the agreed funding packages with appointed care providers.

The clinical professional who first identifies that you may need the treatment will explain to you the information that we need to collect and process in order for us to assess your needs and commission your care and will gain your explicit consent.

NHS continuing healthcare (CHC) applications

If you make an application for NHS Continuing Healthcare (CHC) funding, the CCG will use the information you provide and where needed request further information from care providers to identify eligibility for funding. If agreed, arrangements will be put in place to provide and pay for the agreed funding packages with appointed care providers.

This process is nationally defined, we follow a standard process and the CCG uses standard information collection tools when assessing eligibility for CHC applications.

The clinical professional who first sees you to discuss your needs will explain to you the information that they need to collect and process in order for us to assess your needs and commission your care and will gain your explicit consent.

Incident management

The CCG is accountable for effective governance and learning following all Serious Incidents (SIs) and work closely with all provider organisations as well as commissioning staff members to ensure all SIs are reported and managed appropriately. The Francis Report (February 2013) emphasised that commissioners should have a primary responsibility for ensuring quality, as well as providers.


Advice and guidance is provided to care providers to ensure that adult and children’s safeguarding matters are managed appropriately. Access to identifiable information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned.Because of public Interest issues, e.g. to protect the safety and welfare of vulnerable children and adults, we rely on a statutory basis rather than consent to process information for this use.


When we receive a complaint from a person we hold information about the complaint in our electronic files. This normally includes the identity of the complainant and any other individuals involved in the complaint. It may include sensitive personal data about individuals heath care.

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

Before we proceed with handling your complaint we will obtain the explicit, written consent of the patient involved. We ensure they are aware of how and with whom their data may be shared by us, including if they have a representative they wish us to deal with on their behalf.


Prescription Ordering Direct

This is a pilot service being run by the CCG from January 2017 for 6 months, alongside two GP practices (Cedars Surgery, Swanley and the Shrubbery Surgery, Gravesend). The CCG will process your personal data (with your consent) in order review and manage your repeat prescription. This is to help us ensure that we provide the best possible service to patients. This helps us to deliver care and identify ways that we can provide you with a better service.

We will only use the personal information we collect to process the complaint and to check on the level of service we provide.


Financial transactions

…such as payroll management, payment of Continuing Healthcare retrospective reviews, absence returns, travel claims and invoices may include personal and/or sensitive data.

Human Resources processing

…such as staff change forms, job applications, and sickness reporting will include personal and/or sensitive data.

Patient and Public Involvement

If you have asked us to keep you regularly informed and up to date about the work of the CCG or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you share with us.

We obtain your consent for this purpose. Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this document.

All records are protected by safeguards to ensure the ongoing security of the records such as the requirement for allDartford Gravesham & Swanley CCG IT equipment to be encrypted, and all cupboards to be lockable.

The records may include basic personal details about you, such as your name and address. Or they may include sensitive information such as information about your health, outcomes of assessments and funding requests, and complaints or incident investigations.

All CCG staff are trained and aware of the necessity to ensure that any processing of personal confidential data is in accordance with the following legislation, guidance and best practice:

Data Protection Act 1998 

NHS Care Record Guarantee

NHS Constitution

Caldicott Principles

We also have to uphold any duty of confidence attached to information and apply Common Law Duty of Confidentiality requirements. This will mean where a legal basis does not exist to use your personal or confidential information we will not do so.

How your data is used to help the NHS

The law provides some NHS bodies, such as the Health and Social Care Information Centre (also known as NHS Digital), the ability to collect and use patient data that cannot identify a person which they can then provide to help Commissioners (CCGs) to design and acquire the combination of services that best suit the population they serve.

Data may be linked and anonymised by these bodies so that it can be used to improve health care and development and monitor NHS performance. This is often referred to as a ‘secondary use’ of data. Where data is used for these statistical purposes, rigorous measures are taken to ensure individual patients cannot be identified (see information above regarding anonymisation).

Visitors to our website

When someone visits the CCG’s website information is collected in a standard internet log to enable the CCG to monitor how the website is used. This is done to find out things such as the number of visitors to the various parts of the site. This information is collected in such a way that does not identify people who have visited our websites.

Whilst on the CCG’s website you may submit personal information about yourself (e.g. name and email address) in order to receive further information regarding the CCG, such as email updates and bulletins.

By entering your details in the fields requested or sending us an email, you are consenting to the CCG contacting you in relation to that specified purpose. Any information you provide will only be used by the CCG and will not be disclosed to other parties unless we are obliged to do so, or additional consent to share the data is obtained.

Invoice Validation

Your care is commissioned (funded) by the CCG as we are responsible for paying for health services within your region.  To ensure that public money is spent accurately, healthcare invoices are checked to ensure that they are accurate and genuine. To do this we need to be able to identify you so that the patient and the care provided match, but only information required to validate the invoice is used.  Once your personal details have been used to check the validity of your care invoice, your personal details are deleted from our system before the invoice is processed for payment.

As the CCG is unable to directly access your information, we use the services of Optum Health Solutions (UK) Limited to undertake this activity on our behalf. Medway Clinical Commissioning Group (CCG) has previously carried out this activity on our behalf, but as of 1 February 2018 this service is provided by Optum Health Solutions (UK) Limited.

Optum Health Solutions (UK) Limited performs invoice validation within a secure processing environment and with a restricted number of authorised staff.  All activities and personal information relating to invoice validation remain within this Controlled Environment.

This is allowed by law under Section 251 of NHS Act 2006 (CAG 7-07 (a-c)/2013) and underpinned by Section 251 of NHS Act 2006 (CAG 2-03(a)/2013) and Section 261 of the Health and Social Care Act 2012.

NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. If you do not want your personal confidential information to be shared outside of NHS Digital for purpose of invoice validation, you can register a type 2 opt-out with your GP practice. Should you wish to opt-out, please read the information about type 2 out-out here.

Additional information is also available from the NHS England website:

Risk Stratification

Risk stratification is a process GPs use to help them identify patients who may benefit from targeted healthcare interventions and to help prevent unplanned hospital admissions or reduce the risk of certain diseases developing such as type 2 diabetes. This is called risk stratification for case-finding.

The CCG uses risk stratified data to understand the health needs of the local population in order to plan and commission the right services. This is called risk stratification for commissioning.

North East London Clinical Support Unit has previously carried out this activity on our behalf, which involved processing of person identifiable data, which is allowed by law via a section 251 agreement, without the need to obtain explicit consent from the individual patient.

We have changed the way we process your data and no longer use person identifiable data for this purpose. We achieve this by de-identifying the data early in the process, which is then shared with the CCG in an encrypted form. This approach is being introduced from 1 February 2018.  The output of this risk stratification activity remains anonymised for commissioning purposes but can be re-identified for case-finding purposes by a GP who has a direct patient care responsibility.

De-identification is achieved with well-proven cryptography technology using asymmetric keys, that has been deployed in other industries including finance and commerce for many years, now adapted specifically for use in health and care.

Re-identification, where there is a sound legal basis, a legitimate relationship with the patient and an operational need to do so, is achieved with role based access control using keys managed by an independent third party who has no access to the data itself.

This approach has been reviewed by the Information Commissioner’s Office (ICO), who consider the data to be sufficiently de-identified that it falls outside the scope of the Data Protection Act, and complies with the ICO’s Anonymisation Code of Practice.  The Secretary of State for Health, having considered advice from the Confidentiality Advisory Group (CAG), determined that the MedeAnalytics approach does not require support under section 251 regulations because the way that pseudonymisation techniques have been used, and the robust controls within the MedeAnalytics system prevent the disclosure of confidential patient information.

Additional information is also available from the NHS England and NHS Digital websites:



Data Linkage

Details of patients such as demographic details, patient identifiers e.g. NHS Number and treatment details may be used to link individual data sources together.  In order to give a holistic view of care provided and also of future care needs of the population, a joined up view is needed.  This data linkage also enables us to identify patients who may benefit from additional preventative care.

This may involve linking data from GP Practices to Secondary care data from hospitals, or to data relating to care delivered in a community setting. This linkage of data from different health and social care data sources is undertaken enabling the processing of data and provision of appropriate analytical support for GPs and CCGs, whilst protecting the privacy and confidentiality of the patient(s).

Sharing Information

NHS Dartford Gravesham & Swanley CCG works with a number of other NHS and partner agencies to provide health and social care services. As part of this work we may share anonymised statistical information with them for the purpose of improving local services, for example understanding how conditions spread across our local area compared against other areas (see further information above regarding anonymisation).

We contract with other organisations to provide a range of services to us such as invoice validation, business intelligence, IT services, and Payroll and other support service. In these instances, we ensure that our partner agencies have contracts which outline that your information is processed under strict conditions and in line with the law.

We ensure that any external data processors (organisations that process data on behalf of NHS Dartford Gravesham & Swanley CCG) are legally and contractually bound to operate and have sufficient security arrangements in place to ensure the continued safety of the data.

The CCG’s current external data processors are:

  • Payroll – Kent andDartford Gravesham & Swanley NHS Payroll Services who are hosted by Kent and Dartford Gravesham & Swanley NHS and Social Care Partnership Trust on a consortium basis.
  • Occupational Health – East Kent Hospitals University NHS Foundation Trust.
  • Dartford and Gravesham NHS Trust who provide invoice validation services.
  • Risk Stratification for case finding is carried out by Maidstone and Tunbridge Wells NHS Trust on behalf of the CCG.
  • NEL Commissioning Support Unit who provide IT services and Individual Funding Request services.
  • NHS Swale CCG who provide Specialist Assessment and Placements services and Safeguarding services
  • NHS Arden & Greater East Midlands Commissioning Support Unit (AGEM CSU)
  • OPTUM Commissioning Support Services (OPTUM CSS)

The CCG will not disclose any information that identifies you to anyone outside your care team without your express permission/consent, unless there are exceptional circumstances, such as:

  • where we are required to share information by law
  • for safeguarding reasons
  • if there is an overriding public interest in the disclosure of the information
  • where there is a Section 251 exemption permitting the use of sensitive personal information under specific conditions, for example to:
    • ensure that the CCG is billed accurately for the treatment of its patients, which is known as “invoice validation”.

Generally, information will only be shared within the NHS, but there may be certain circumstances, where we are required to share it with Social Services and other providers/organisations.

National Fraud Initiative

NHS Dartford Gravesham & Swanley CCG is required, by law, to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

The Cabinet Office is responsible for carrying out data matching exercises.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified.

If a match is found there may be an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until a thorough investigation has been carried out.

NHS Dartford Gravesham & Swanley CCG participates in the Cabinet Office’s National Fraud Initiative which is a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed here.

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 1998. However, data matching by the Cabinet Office is subject to a Code of Practice and further information regarding the Cabinet Office’s legal powers and the reasons why it matches particular information, please see the below links:

Code of Data Matching Practice

The Cabinet Office’s legal powers and information on why they match particular information

If you have any concerns about how your information may be shared, please discuss them with your health care provider, e.g. GP, nurse.

Caldicott Guardian and Senior Information Risk Owner

All NHS organisations are required to appoint a Caldicott Guardian to ensure compliance with patient data confidentiality. NHS Dartford Gravesham & Swanley CCG’s Caldicott Guardian is Chief Nurse Gail Locock,  who is responsible for protecting the confidentiality of patients’ and service-users’ information and enabling appropriate information-sharing.

The Caldicott Guardian plays a key role in ensuring that NHS, Councils with Social Services responsibilities, and partner organisations, satisfy the highest practical standards for handling patient identifiable information.

Acting as the ‘conscience’ of an organisation, the Caldicott Guardian actively supports work to enable information sharing where it is appropriate to share, and advises on options for lawful and ethical processing of information.

In addition to the Caldicott Guardian, NHS trusts also have a Senior Information Risk Owner (SIRO) who owns the CCG’s overall information risk policy and risk assessment process. This involves ensuring there are robust incident reporting process for any information risks identified by the CCG.

Should you need to contact NHS Dartford Gravesham & Swanley CCG’s Caldicott Guardian or Senior Information Risk Owner, please send any correspondence to the e-mail or postal address listed in the Contact Us section.

Keeping your information secure and confidential

All Dartford Gravesham & Swanley CCG staff have contractual obligations of confidentiality, enforceable through disciplinary procedures. All staff receive annual training on confidentiality of information and staff who have regular access to personal confidential data will have received additional specialist training.

Relevant organisational and technical measures are taken by the CCG to make sure that the information we hold is secure – such as holding information in secure locations, restricting access to information to authorised personnel, protecting personal and confidential information held on equipment such as laptops with encryption. Any transfers of personal confidential data are carried out using secure means, such as encrypted e-mail transfers.

Retaining information

Any information obtained will be retained (kept) for as long as necessary.

Records are kept in accordance with DPA principles and are maintained in line with the Records Management Code of Practice for Health and Social Care retention schedule which determines the length of time records should be kept.

For further information regarding how your records are managed, stored and retained please see the below link:

Records Management Code of Practice for Health and Social Care

Your right to opt out

You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered. If your wishes cannot be followed, you will be told the reasons (including the legal basis) for that decision. This includes situations such as to fulfil our safeguarding obligations and any areas where we have legal obligations to share your information.

If you wish to exercise your right to opt-out, or to speak to somebody to understand what impact this may have, if any, please contact: The Head of Corporate Governance, NHS DGS CCG, 2nd Floor, Gravesham Civic Centre, Windmill Street, Gravesend, Kent DA12 1AU  Tel: 03000 424903

Information collected by other NHS organisations

There are two types of opt-out, detailed below. If you do wish to apply either opt-out you will need to register this with your GP practice and they will mark your choice in your medical record. Please note you can also withdraw either opt-out at any time by informing your GP practice.

Type 1 opt-out

This opt-out applies if you do not want personal confidential information that identifies you to be shared outside your GP practice for purposes beyond your direct care. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.

Records for patients who have registered a type 1 opt-out will be marked with a particular code which automatically stops the records from being shared outside of the GP Practice system.

Type 2 opt-out

NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. A type 2 opt out applies if you do not want your personal confidential information to be shared outside of NHS Digital for purposes other than for your direct care. A direction from the Secretary of State sets out the Department of Health policy as to how type 2 opt-outs must be applied and instructs NHS Digital to apply type 2 opt-outs from 29 April 2016.

When NHS Digital have collected information about your type 2 opt-out from your GP practice they use that to create a record of all current type 2 opt-outs. Then NHS Digital use that record to check against any set of data that is to be made available by NHS Digital to another organisation and remove all of your personal confidential information if it is in that data set, before that data are made available.

The direction sets out the scope of when your type 2 opt-out does not apply, such as when there is a legal requirement to release information, or where you have given your consent to a specific release of your information.

There are also some limited circumstances, which are set out in the direction, when NHS Digital don’t apply your type 2 opt-out to information made available. These are cases where:

The Secretary of State for Health has identified the information flow is very important.

There are complex technical barriers that make it very difficult to apply opt-outs.

For more information on how NHS Digital collect and use opt-out information see their website

Keeping and Destroying information

Retention schedules: 

There are different retention schedules for different types of information and types of record. In the NHS, all commissioners and providers apply retention schedules in accordance with the Records Management Code of Practice for Health and Social Care.


Destruction of data will only happen following a review of the information at the end of its retention period.

Where data has been identified for disposal we have the following responsibilities:

  • to ensure that information held in manual form (regardless of whether originally or printed from the IT systems) is destroyed using a cross cut shredder or subcontracted to a reputable confidential waste company that complies with European Standard EN15713.
  • to ensure that electronic storage media used to hold or process information are destroyed or overwritten to current CESG standards.
  • to retain copies of all relevant overwriting verification reports and/or certificates of secure destruction of NHS information at the conclusion of the contract (where we have contracted with external organisations to do this for us).
  • to ensure that any arrangement made to sub-contract secure disposal services from another provider, complies with clause GC12 of the NHS Standard Contract and with assurance that the sub-contractor’s organisational and technical security measures comply with the 7th Data Protection Act 1998 principle.

Subject Access Requests (accessing your data)

What is a subject access request and how do I make one?

Under the DPA, you have the right to make a request to see or obtain copies of the information that NHS Dartford Gravesham & Swanley CCG holds about you; this is referred to as a Subject Access Request. Under the DPA you are entitled to be told if any personal information is held about you, and if it is, to be given:

  • a copy of the information in permanent form if requested;
  • an explanation of any technical or complicated terms e.g. medical terminology or abbreviations;
  • an explanation of where we got your information from;
  • a description of the information, the purposes for processing the information and who we are sharing the information with, if anyone;
  • an explanation of the logic involved in any automated decisions (if you have specifically asked for this).

To view or access a copy of your health records please write to the following address giving as much detail as possible on the record(s) you wish to access:

NHS Dartford Gravesham & Swanley Clinical Commissioning Group, 2nd Floor, Gravesham Civic Centre, Windmill Street, Gravesend, Kent DA12 1AU 


We will ask you for proof of your identity and proof of your address. The CCG then has 40 calendar days, from receipt of the above information, to respond to the request, though the CCG aims to reply in 21 days.

As noted above, the CCG holds limited health information about you where it can use this for direct care purposes. You may also need to contact those NHS organisation(s) where you are being, or have been treated.

Further information on Subject Access Requests can be found via the Information Commissioners Office (ICO)

Can I access the records of my children?

You may be able to access the records of your child/children.  However, if a clinician has stated that he/she believes your child/children to be competent to make their own decisions, then you will not have an automatic right of access. If this is the case, any requests for copies of your child’s records will need to be with the consent of your child

To apply for access, please use the procedure above.

How long will it take?

We are obliged to comply with our obligations promptly and within 40 days, from the date your request is received. If clarification of your request is needed, the 40 day period does not start until that is received.

How much will it cost?

Charges may be applied for requests under the Data Protection Act 1998.

Please see the following tariff

  • under the Data Protection Act 1998 a maximum of £50 for paper records
  • a maximum of £50 for a mixture of electronic and paper records
  • £10 for electronic records

Can I be refused access to my health records?

You can be refused access to your records or part of them:

  • if your healthcare provider/clinician thinks you or someone else could be harmed as a result of the disclosure
  • the information relates to, or was provided by, a third party (that is someone other than yourself) and they have not given their permission for their comments to be divulged to you

Should you be unhappy with the outcome of your request, you should in the first instance contact NHS Dartford Gravesham & Swanley CCG who will discuss your request and any ongoing concerns you may have.

You are also free to contact the Information Commissioner’s Office directly in the event you remain dissatisfied:

Information Commissioners Office Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Can I access the records of a deceased person?

Under the Access to Health Records Act 1990, you may request access to the records of a deceased person if you are the executor of their will or if you have a claim on them.  However, if the deceased has stated in their will that they do not wish anyone to have access, their wishes must be upheld.

To request access to a deceased person’s records please write to the following:

Primary Care Support England

Faith House, 2 St Faiths Street,

Maidstone Kent ME14 1LL

General Enquiries: 01622 655 000

Changes to this page and the Privacy Notice

If our privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing the page ensures you are always aware of what information we collect, how we use it and under what circumstances, if any, we will share it with other parties

Additional Guidance

For further information on why the NHS obtains personal information on its patients, how we use the information, and your rights of access, please read the NHS Care Record Guarantee, which can be found on the Health and Social Care Information Centre (HSCIC) website.

The following links may be useful in obtaining further information:

The NHS Care Record Guarantee

NHS Constitution

NHS Digital (Health and Social Care Information Centre)

NHS Digital Guide to Confidentiality

Information Commissioner’s Office

Health Research Authority

Caldicott Review and Principles

Records Management Code of Practice for Health and Social Care

NHS England – Information Governance Page

Contact us

If you have any questions, concerns or complaints regarding the information we hold about you or the use of your information, or if you would just like to speak with us about your data, please contact:

Post: NHS Dartford Gravesham & Swanley Clinical Commissioning Group, 2nd Floor, Gravesham Civic Centre, Windmill Street, Gravesend, Kent DA12 1AU


Phone: 03000 425 100

For independent advice about data protection, privacy and data-sharing issues, you can contact:

The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Phone: 08456 30 60 60 or 01625 54 57 45