
GDPR and Data Protection

One of the biggest changes to UK data privacy law came into effect on 25 May 2018 - the General Data Protection Regulation, also known as GDPR.

GDPR applies to all staff, patients and service users, our charity and volunteers, and all organisations we work with.

Dartford and Gravesham NHS Trust aims to provide you, as a patient and service user, with the highest quality care. To do this, we must keep records about you and the care we provide for you.

Health records are held on paper and electronically and we have a legal duty to keep these confidential, accurate and available in accordance with data protection laws, the NHS Constitution and common law. 

Our staff members undertake annual training to process your information correctly and protect your privacy. We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. 

Your information is never collected for direct marketing purposes, and is not sold on to third parties. Your information is not sent outside the United Kingdom or the European Union unless the recipient has the same level of legal responsibility as we do. 

Sometimes your care may be provided by members of a care team, which might include people from other organisations such as health; social care; education; or other care organisations. We have a legal duty to share information for your care unless you tell us not to do so. We may also use sub-contractors to process your data. They will be bound by law to maintain your privacy. 

Information is held for the periods of time recommended by the Records Management Code of Practice for Health & Social Care 2016. 

The legal basis for the processing of almost all our data is that the NHS is an official authority with a public duty to care for its patients, as guided by the Department of Health, and data protection law says it is appropriate to do so for the health and social care treatment of patients and the management of health or social care systems and services.

If we need to use your personal information for any reason beyond those stated, we will discuss this with you.

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online and manually. 

Separate guidance is provided by the Health Research Authority (HRA) about information to be published in relation to the role of the NHS organisation as sponsor and data controller for research projects, or data controller for research databases or tissue banks holding personal data. Please see the HRA webpages about research and about general use of patient information: HRA website

The changes introduced with GDPR mean that individuals have more control over how their data is used, and that organisations protect your personal data better. To reflect these changes and new obligations, we've updated our privacy notices, which inform you about what we do with your personal data, how it's used and your rights as an individual under the new law.

We have tailored our privacy notices around specific groups of individuals, with one for patients and service users, one for staff, volunteers and applicants, one for our occupational health services and one for charities. The new privacy notices are available on our website at www.dvh.nhs.uk or you can contact us and we will send you a copy.

Should you have any queries on the uses of your information, wish to exercise one or more of your rights or complain about our use of your information please direct your enquiry to our Data Protection Officer – contact details held within the privacy notices (links below).


If you are unhappy with the outcome of your enquiry you can contact the regulator: The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF - Telephone: 01625 545700.

Privacy Notices:

  1. Trust Summary (includes Data Protection Officer contact details)
  2. Patients and other Service Users
  3. Staff, Volunteers and Applicants
  4. Occupational Health Services
  5. Charitable Donors
  6. Privacy Notice - Children (aged 16 and under)

Dartford and Gravesham NHS Trust - GDPR Compliance Statement

Dartford and Gravesham NHS Trust is committed to ensuring that your privacy is protected and is compliant with GDPR with a few exceptions (none of which affect the security or sharing of patient data).

We are confident that we are compliant in most areas and have systems and processes being put in place where gaps were recently identified through an independent audit process.

The work we need to undertake will be prioritised based on risk, and risks and actions will be monitored and reported to our Board.

We will report up-to-date information on progress on this webpage.

The current position is as follows:-

  • The Trust has robust processes in place for Incident Reporting, which includes prompt reporting of data breaches to us (in the case of suppliers and other 3rd party providers, assurance on this is currently being sought) and by us to the Information Commissioner.
  • Statement on use of Cookies available on our website.
  • Processes are in place to ensure that no patient identifiable information/personal data is shared without a lawful basis to do so.
  • Policies and procedure documents are currently being updated to reflect the changes required.
  • Right of access to information is in place.
  • Right to rectification is in place.
  • Right to erasure (right to be forgotten) where appropriate is in place.
  • Processes to ensure record retention periods are set for all data sets (and secure and permanent disposal of data where required) are being reviewed.
  • Robust audit trails of activity (including view only) are in place for clinical systems (patient information) and in most other areas, with plans to review other areas.
  • Role-based access control is in place, and data will only be accessed when required for patient care or to carry out the Trust function of patient care.
  • Training and awareness programme in place for staff on data protection/security.
  • The Trust procedures to ensure GDPR compliance will apply to all organisations connected with processing our activity. 
  • All new contracts/new suppliers with the Trust will have clauses in contracts that ensure compliancy with GDPR.
  • All existing suppliers will be issued with contract variations for clauses in contracts to be added or letters to say we require GDPR compliancy, notification of data breaches etc. and an audit will take place on GDPR compliancy with suppliers.
  • Staff contracts were amended by 25th May to include a clause ensuring they are aware of GDPR and their obligations under this and all other data protection legislation and their need to comply with Trust policies in this area.


Data Protection

What does the Data Protection Act mean to me?

The Data Protection Act 2018 (DPA) provides principles under which all organisations, including the NHS, operate when handling personal data.


It also gives members of the public the statutory right of access to personal data related to themselves. In particular, there is provision for you to see your own health records. It is also important to note that the use and sharing of patient data is defined and enshrined by Trust policies and procedures, and personal information on patients will not be divulged unless there is clear legislation allowing this.

What information do we keep about you?

Like all hospitals, we keep accurate and up to date information about our patients, including details of all their treatments. This means health professionals have the information they require in order to give you the best possible treatment.


We take great care to look after your records properly, and anyone who has access to them is obliged to respect their confidentiality. 


If you would like to know more about this, please write to:


Data Protection Officer, Darent Valley Hospital, Darenth Wood Road, Dartford, Kent, DA2 8DA.

Why do we need your information?

  • We ask you for information about yourself so that you can receive proper care and treatment.

  • We keep this information, together with details of your care, because it may be needed if we see you again.

  • We may use some of this information for other specified reasons:

The main reasons for which your information may be required and shared with others, on a need-to-know basis, are:

Giving you health care and treatment

  • You may be receiving care from other people in the NHS.  

  • So that we can all work together for your benefit we may need to share some information about you. We only ever use or pass on information about you if people have a genuine need for it in your and everyone’s interests. 

  • Whenever we can, we shall remove details that identify you, i.e. anonymised data is used. The sharing of some types of very sensitive personal information is strictly controlled by law.

Looking after the health of the general public, for example:

  • Data is submitted to support national monitoring of conditions such as cancers (anonymised).

Managing and planning the NHS, for example:

  • Making sure that our services can meet patients’ needs in the future (anonymised).

  • Paying your doctor, nurse, dentist, or other staff, and the hospital which treats you for the care they provide.

  • Auditing accounts and preparing statistics on NHS performance and activity (anonymised).

  • Investigating complaints or legal claims.

Clinical Audit

  • Helping staff to review the care they provide to make sure it is of the highest standard.

Training and educating staff

  • Helping staff to improve their knowledge.


  • Approved by the Health Research Authority (HRA). HRA approval brings together the HRA's assessment of governance and legal compliance with the independent ethical opinion by a Research Ethics Committee (REC).

  • The Confidentiality Advisory Group (CAG) makes recommendations on projects that require identifiable patient information where it is not always practicable to obtain consent.

Fraud prevention

  • Ensuring that our NHS is used only by those who are entitled to it.


Sometimes the law requires us to pass on information: for example to notify a birth. Everyone working within the NHS has a legal duty to keep information about you confidential. Where services are undertaken by non-NHS staff, agreements are in place to ensure confidentiality. It is a criminal offence to misuse personal information and the Trust (as Controller) has taken appropriate steps to ensure there is no such misuse of the information and that the Data Protection Act 2018 and GDPR legislation is upheld. In the event of a transfer to another health care provider, your medical records will be shared, in order to facilitate continuing care.


Anyone who receives information from us is also under a legal duty to keep it confidential.

You have the right of access to your health records in accordance with Data Protection Legislation. 

SMS Text Messaging:

  • Mobile telephone numbers can be used by the Trust to send SMS text reminders for appointments.

  • Please note that a mobile number used by multiple users or by more than one family member could lead to confusion as the text message includes an NHS number rather than a name.

  • If you would prefer NOT to receive SMS text reminders, please inform a member of staff or complete the online form.

Next of Kin:

  • If you agree, your relatives, friends and carers will be kept up to date with the progress of your treatment.

  • If you have to come into hospital at any time, the person you have designated as ‘Next of Kin’ should be the main liaison contact for this.

  • As this person may be contacted, please ensure that they are aware that you have supplied us with their details.

Non UK Residents:

  • Regulations made under section 121 of the National Health Service Act 1977 (as amended by sections 7(12) and (14) of the Health and Medicines Act 1988) place a legal obligation on Dartford and Gravesham NHS Trust to identify those patients not ordinarily resident in the UK. 

  • Persons not ordinarily resident in the UK may be charged for NHS services provided. 

  • The Trust is entitled to ask for documentary evidence in support of a patient’s claim to free treatment.

Advance Directive (Living Will)

  • If you have an advance directive, it is your responsibility to inform the Health Care Professional in charge of your care and to provide a copy of your advance directive to the Trust at your earliest convenience.

  • An advance directive only takes effect if you become unable to communicate to people your wishes about your medical treatment or are unable to take part in decisions about your treatment.


The Trust’s Data Protection Registration can be viewed at: www.ico.org.uk (follow the link for Register of data controllers). Registration Number: Z4828025


If at any time you have any questions about how we use your information, you can speak to the person in charge of your care or alternatively write to the Data Protection Officer, address above.