Direct Care and Human Resources Privacy Notices

 Direct Care Privacy Notice

Faversham Medical Practice uses your information to provide you with healthcare.

This practice keeps medical records confidential and complies with data protection legislation.

We hold your medical record so that we can provide you with safe care and treatment.

We are required by law to provide you with the following information about how we handle your information.  Our full list of Privacy Notices can be found here

Data Controller contact details


Faversham Medical Practice

Faversham Health Centre

Bank Street



ME13 8QR

Purpose of the processing


To give direct health or social care to individual patients.

For example, when a patient agrees to a referral for direct care, such as to a hospital, relevant information about the patient will be shared with the other healthcare staff to enable them to give appropriate advice, investigations, treatments and/or care.

A list of Practice processing activities can be found here 

Information we collect and use

·          Special data information including racial or ethnic origin; religious or philosophical beliefs; genetic data;

       biometric data (where used for identification purposes); data concerning health; data concerning a person’s sex life; and data concerning a person’s sexual orientation.

·          Demographics: name, address, date of birth, postcode, and NHS number

·          Medical history

·          Adult and Children safeguarding information

·          Third party identifying data: basic details about other individuals that may be involved in providing your care and support services, e.g. emergency contacts, relatives, mobility services providers, home care support

Lawful basis for processing


These purposes are supported under the following sections of the UK General Data Protection Regulations:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”  

Schedule 1, Part 1(2) Health and Social Care Purposes, Data Protection Act 2018

The legal obligation relies on the Health and Social Care Act 2012 s251(b) (as amended by the Health and Social Care (Safety and Quality) Act 2015 which created a statutory ‘duty to share’). 


We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality” to keep information about you confidential.


Recipient or categories of recipients of the processed data


Please see our main privacy notice for a full list of organisation we share information with


The Practice may also receive information about your health from these organisations who are involved in providing you with health and social care. This means your GP medical record is kept up-to date when you receive care from other parts of the health service.

NHS Summary Care Record

The Summary Care Record is an electronic record of important patient information created from GP Medical Records.  They can be seen and used by authorized staff in other areas of the health and social care system involved in a patient’s direct care.

National Screening Programmes

The NHS provides national screening programmes so that certain diseases can be detected at an early stage. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme. Information regarding screening programmes can be found here.

Kent and Medway Care Record (KMCR)

[Organisation Name] are one of the partner organisations to the Kent and Medway Care Record (KMCR). The KMCR is an electronic care record which links your health and social care information held in different provider systems, to one platform. This allows health and social care professionals who have signed up to the KMCR to access the most up to date information to ensure you receive the best possible care and support by those supporting you. In order to enable this sharing of information, organisations who use the KMCR have agreements in place that allow the sharing of personal and special category data. 


For further information about the Kent and Medway Care Record and the ways in which your data is used for this system please click here.


Population Health Management

Your information is passed, with all identifiers removed to NHS Kent and Medway for public health management.  This enables the Practice to identify the appropriate level of care and services for distinct groups of patients.  It is the process of assigning a risk status to patients, then using this information to direct care and improve overall health outcomes. 

National Data Opt-out

The National Data opt-out is a service that enables patients to opt-out of their confidential information being used for research and planning.


The National Data opt-out can be applied here.


It is worth noting that in a small number of exceptional circumstances, where senior health care professionals can decide to share information based on public interest, and in these cases the National Data Opt-out does not apply.


The Confidentiality Advisory Group (CAG) considers applications for the use of patient data without consent under the following regulations of Control of Patient Information Regulations 2002 , Section 251 of the NHS Act 2006:


Regulation 2 – for diagnosis and treatment of cancer

Regulation 5 – for general medical and research purpose


Specific exemptions to the national data opt-out policy have been made for disclosure of data for:


·         Public Health England National Disease Registers

·         Assuring Transformation

·         National patient experience surveys


There are also specific policy considerations for NHS Digital, as the national safe haven of health and care data with specific powers under the Health and Social Care Act 2012. National data opt-outs do not apply where NHS Digital indicate data should be provided to them under s259 of the Health and Social Care Act 2012.


For details on your rights and who to complain please see the main privacy notice


Human Resources Privacy Notice

This Privacy Notice describes how Faversham Medical Practice collect and use personal information about you during and after your working relationship with us.

We are required by law to provide you with the following information about how we handle your information.  The full range of Privacy Notices can be found Here

Data Controller contact details



Faversham Medical Practice

Faversham Health Centre

Bank Street



ME13 8QR


Purpose of the processing


Reasons for processing your personal data include:

  • Staff administration and management (including payroll and performance)
  • Pensions administration
  • Business management and planning
  • Accounting and Auditing
  • Accounts and records
  • Education
  • Health administration and services
  • Information and databank administration
  • Crime prevention and prosecution of offenders
  • Sharing and matching of personal information for national fraud initiative

A list of Practice processing activities can be found here 

Information we collect and use

Personal Information

  • your name, photograph, contact details including address, email address and telephone number, date of birth, National Insurance (NI) Number and driving licence (if relevant to the role), information about your nationality and entitlement to work in the UK

Job Information

  • the terms and conditions of your employment
  • details of your working arrangements (days of work and working hours) and attendance at work
  • details of your qualifications, skills, experience, and employment history, including start and end dates, and dates of continuous service
  • information about your remuneration, including entitlement to benefits such as pensions or insurance cover
  • details of periods of leave taken by you, including holiday, sickness absence, family leave and the reasons for the leave
  • details of vaccinations if relevant to your post
  • details of your bank account for pay and expenses purposes

Performance Information

  • details of any disciplinary, performance, absence, or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence
  • assessments of your performance, including appraisals, performance reviews and ratings, training you have participated in, performance improvement plans and related correspondence

Information about your family

  • information about your spouse, partner or civil partner or other individuals when names as an emergency contact
  • information on dependants where required for pension purposes or childcare vouchers or benefits

Special Category Data

  • information about medical or health conditions, including whether you have a disability for which the Practice needs to make reasonable adjustments

·         equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief

·         Trade union affiliations, where applicable

·         Information about past criminal convictions (Disclosure and Barring Service), and or your fitness to practise in certain regulated professions

Lawful basis for processing


Article 6(1)(b)…‘necessary for the performance of a contract with employee’

Article 6(1)(c)…’necessary for compliance with a legal obligation’

Article 6(1)(f)…’in the Practice’s legitimate interests, which are not outweighed by the fundamental rights and freedoms of the data subject’

Article 9(2)(b) Employment, social security, and social protection

Article 9(2)(g) Reasons of substantial public interest

Schedule 1, Part 1(1) Data Protection Act 2018 - Necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the Data Subject in connection with employment, social security, or social protection.

Schedule 1, Part 2(8) Data Protection Act 2018 - necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained

Schedule 1, Part 2(14) Data Protection Act - is necessary for the purposes of preventing fraud or a particular kind of fraud

Recipient or categories of recipients of the processed data


Professional Bodies (ie GMC, RCN, etc.)

Payroll Provider Fairway Training Ltd

Pension Provider  NHS Pension Scheme

Occupational Health Provider Preventative Healthcare Company Ltd.

HM Revenue and Customs

Education Establishments

Police & Judicial Services


NHS Jobs



New Hayesbank Surgery as lead for shared Mid Kent PCN  Payroll services

Retention Data for NHS

Solicitors appointed to work in association with incident claims. Outsourced HR function From time to time we may seek advice from a third party legal advice provider.

Disclosure and Barring Service (DBS)

Your previous or prospective employer


The Practice may also receive information about you from these organisations.

Right of access

Subject to certain conditions, you are entitled to have access to your personal data (this is more commonly known as submitting a “data subject access request”).

Rights in relation to inaccurate personal or incomplete data

You may challenge the accuracy or completeness of your personal data and have it corrected or completed, as applicable.


Rights to object to or restrict our data processing


Subject to certain conditions, you have the right to object to or ask us to restrict the processing of your personal data.


This right applies where our processing of your personal data is necessary for our legitimate interests. You can also object to our processing of your personal data for direct marketing purposes.

Right to erasure

Subject to certain conditions, you are entitled to have your personal data erased (also known as the “right to be forgotten”), e.g. where your personal data is no longer needed for the purposes it was collected for, or where the relevant processing is unlawful.

We may not be able to erase your personal data, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.

How to exercise your rights

To exercise your rights, please contact

Retention period


Your personnel records are kept in compliance with law and national guidance.  Details on how long records are kept are set out in the NHS England, Record Management Code of Practice 2021.

Right to complain


If you are unhappy with how your personal data is processed, you have the right to complain to the Information Commissioners Office (ICO). Their helpline number is 0303 123 1113.

We would, however, appreciate the opportunity to deal with your concerns before you approach the ICO so please do contact us ( in the first instance.

Data Protection Officer contact details


A. Ervine GP Data Protection Officer

NHS Kent and Medway



Call 111 when you need medical help fast but it’s not a 999 emergencyNHS ChoicesThis site is brought to you by My Surgery Website