Planning and Research Privacy Notice


< Back to policies & procedures

The Kingswood Surgery uses data insightfully for Research, auditing and healthcare planning (population health management).

We are required by law to provide you with the following information about how we handle your information. Our full list of Privacy Notices can be found on our website.


Data Controller contact details

The Kingswood Surgery
Kingswood Road
Tunbridge Wells


Purpose of the processing

If data from many patients are linked up or pooled, Researchers and Doctors can look for patterns in the data, helping them to develop new ways of predicting illness, and identify ways to improve clinical care. This information can be used to help:

  • Understand more about disease risk and causes
  • Improve diagnosis
  • Develop new treatments and prevent diseases
  • Plan NHS and GP Services
  • Improve patient safety
  • Evaluate Government and NHS Policy 

A list of practice processing activities can be requested via our secure online form


Information we collect and use

  • Pseudonymised data: information about individuals but with identifying details (such as name or NHS number) replaced with a unique code
  • Anonymised data: information about individuals but with identifying details removed
  • Aggregated data: anonymised information grouped together so that it does not identify individuals 

In certain circumstances, where we have a lawful basis it may be necessary to use:

  • Demographics: name, address, date of birth, postcode, and NHS number
  • Medical history

Lawful basis for processing

These purposes are supported under the following sections of the UK General Data Protection Regulations:

Article 6(1)(c) … ‘necessary for compliance with a legal obligation to which the controller is subject

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and 

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...” 

Article 9(2)(g) processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;’

Article 9(2)(i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of domestic law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy’

Article (9)(2)(j) ‘processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) (as supplemented by section 19 of the 2018 Act) based on domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Schedule 1, Part 1(2) Health and Social Care Purposes, Data Protection Act 2018 

Schedule 1, Part1(3) Public Health, Data Protection Act 2018

Schedule 1, Part 1(4) Research etc, Data Protection Act 2018

Schedule 1 Part 2(6) Statutory etc and government purposes, Data Protection Act 2018

The Practice recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality” to keep information about you confidential. Even though consent is not the legal basis for processing personal data for secondary purposes such as service evaluations and audit, the common law duty of confidentiality is not changing, therefore consent is still needed for people outside the care team to access and use confidential patient information for clinical audit, unless you have support under the Health Service (Control of Patient Information Regulations) 2002 (‘section 251 support’) applying via the Confidentiality Advisory Group in England and Wales or similar arrangements elsewhere in the UK.


Strategic Health and Care Board (SHcAB)

Your information will be passed, with all identifiers removed, to a collaborative programme called the Kent & Medway Shared Health and Care Analytics Board. It will be used for population health management purposes beyond your individual care, including, for example, planning services, managing finances, early treatment of illnesses (known as risk stratification), coordinating and improving patient and service user’s movement through the health and care system, research, and public health enhancement.


Kent and Medway Care Record (KMCR)

Kingswood Surgery are one of the partner organisations to the Kent and Medway Care Record (KMCR). The KMCR is an electronic care record which links your health and social care information held in different provider systems, to one platform. This allows health and social care professionals who have signed up to the KMCR to access the most up to date information to ensure you receive the best possible care and support by those supporting you. In order to enable this sharing of information, organisations who use the KMCR have agreements in place that allow the sharing of personal and special category data.

For further information about the Kent and Medway Care Record and the ways in which your data is used for this system please visit their website


General Practice Extract Service (GPES)

NHS Digital, collects data from Practices to support vital health and care planning and research. This information is used insightfully to better understand what causes ill health and, importantly, what we can do to prevent or treat it and provide better care.


Health Service (Control of Patient Information) Regulations 2002 (COPI)

The Secretary of State for Health and Social Care has issued Notices under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) which required organisations to share confidential patient information with organisations entitled to process this under COPI for COVID-19 purposes (COPI Notices).

Further guidance on processing personal data, when the COPI Notice expires can be found here.


Population Health Management

Your information is passed, with all identifiers removed to NHS Kent and Medway for public health management.This enables the Practice to identify the appropriate level of care and services for distinct groups of patients. It is the process of assigning a risk status to patients, then using this information to direct care and improve overall health outcomes.


National Data Opt-out

The National Data opt-out is a service that enables patients to opt-out of their confidential information being used for research and planning.

The National Data opt-out can be applied here.

It is worth noting that in a small number of exceptional circumstances, where senior health care professionals can decide to share information based on public interest, and in these cases the National Data Ot-out does not apply.

The Confidentiality Advisory Group (CAG) considers applications for the use of patient data without consent under the following regulations of Control of Patient Information Regulations 2002 , Section 251 of the NHS Act 2006:
Regulation 2 – for diagnosis and treatment of cancer
Regulation 5 – for general medical and research purpose

Specific exemptions to the national data opt-out policy have been made for disclosure of data for:

  • Public Health England National Disease Registers
  • Assuring Transformation
  • National patient experience surveys

There are also specific policy considerations for NHS Digital, as the national safe haven of health and care data with specific powers under the Health and Social Care Act 2012. National data opt-outs do not apply where NHS Digital indicate data should be provided to them under s259 of the Health and Social Care Act 2012.