GDPR

One of the biggest changes to UK data privacy law came into effect on 25 May 2018 - the General Data Protection Regulation, also known as GDPR.

GDPR applies to all staff, patient and service users, our charity and volunteers and all organisations we work with.

As a patient and service user Dartford and Gravesham NHS Trust aims to provide you with the highest quality care. To do this, we must keep records about you and the care we provide for you. 

Health records are held on paper and electronically and we have a legal duty to keep these confidential, accurate and available in accordance with data protection laws, the NHS Constitution and common law. 

Our staff members undertake annual training to process your information correctly and protect your privacy. We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. 

Your information is never collected for direct marketing purposes, and is not sold on to third parties. Your information is not sent outside the United Kingdom or the European Union unless the recipient has the same level of legal responsibility as we do. 

Sometimes your care may be provided by members of a care team, which might include people from other organisations such as health; social care; education; or other care organisations. We have a legal duty to share information for your care unless you tell us not to do so. We may also use sub-contractors to process your data. They will be bound by law to maintain your privacy. 

Information is held for the periods of time recommended by the Records Management Code of Practice for Health & Social Care 2016. 

The legal basis for the processing of almost all our data is that the NHS is an official authority with a public duty to care for its patients, as guided by the Department of Health and data protection law says it is appropriate to do so for health and social care treatment of patients, and the management of health or social care systems and services. 

If we need to use your personal information for any reason beyond those stated, we will discuss this with you.

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online and manually. 

Separate guidance is provided by the Healthcare Research Authority (HRA) about information to be published in relation to the role of the NHS organisation as sponsor and data controller for research projects, or data controller for research databases or tissue banks holding personal data. Please see link to the HRA webpages about research and about general use of patient information: HRA website

The changes introduced with GDPR, means that individuals have more control over how their data is used. And it ensures that organisations protect your personal data better. To reflect these changes and new obligations, we've updated our privacy notices which inform you about what we do with your personal data, how it's used and your rights as an individual under the new law. 

We have tailored our privacy notices around specific groups of individuals, with one for patient’s and service users, one for staff, volunteers and applicants, one for our occupational health services and one for charities. 

Should you have any queries on the uses of your information, wish to exercise one or more of your rights or complain about our use of your information please direct your enquiry to our Data Protection Officer – contact details held within the privacy notices (links below).

If you are unhappy with the outcome of your enquiry you can contact the regulator: The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF - Telephone: 01625 545700.

  1. Trust Summary (includes Data Protection Officer contact details)
  2. Patients and other Service Users
  3. Staff, Volunteers and Applicants
  4. Occupational Health Services
  5. Charitable Donors
  6. Privacy Notice - Children (aged 16 and under)
  7. Privacy Notice - COVID-19 Pandemic

Dartford and Gravesham NHS Trust is committed to ensuring that your privacy is protected and is compliant with GDPR with a few exceptions (none which effect the security or sharing of patient data). 

We are confident that we are compliant in most areas and have systems and processes being put in place where gaps were recently identified through an independent audit process.

The work we need to undertake will be prioritised based on risk and risks and actions monitored and reported to our Board.

We will report up to date information on progress, on this webpage. 

The current position is as follows:-

  • The Trust has robust processes in place for Incident Reporting which includes prompt reporting of data breaches to us ( in the case of suppliers and other 3rd party providers  assurance on this is currently being sought) and by us to the Information Commissioner.
  • Statement on use of Cookies available on our website.
  • Processes are in place to ensure that no patient identifiable information/personal data is shared without a lawful basis to do so.
  • Policies and procedure documents are currently being updated to reflect the changes required.
  • Right of access to information is in place.
  • Right to rectification is in place.
  • Right to erasure (right to be forgotten) where appropriate is in place.
  • Processes to ensure record retention periods are set for all data sets (and secure and permanent disposal of data where required) are being reviewed.
  • Robust audit trails of activity (including view only) are in place for clinical systems (patient information) and in most other areas, with plans to review other areas.
  • Role based access control to access data is in place and will only be accessed when required for patient care or to be able to carry out the Trust function of patient care.
  • Training and awareness programme in place for staff on data protection/security.
  • The Trust procedures to ensure GDPR compliance will apply to all organisations connected with processing our activity. 
  • All new contracts/new suppliers with the Trust will have clauses in contracts that ensure compliancy with GDPR.
  • All existing suppliers will be issued with contract variations for clauses in contracts to be added or letters to say we require GDPR compliancy, notification of data breaches etc. and an audit will take place on GDPR compliancy with suppliers.
  • Staff contracts were amended by 25th May to include a clause ensuring they are aware of GDPR and their obligations under this and all other data protection legislation and their need to comply with Trust policies in this area.

Information about your health and care helps us to improve your individual care, speed up diagnosis, plan your local services and research new treatments.


In May 2018, the strict rules about how this data can and cannot be used were strengthened. The NHS is committed to keeping patient information safe and always being clear about how it is used.

You can choose whether your confidential patient information is used for research and planning.

To find out more visit: nhs.uk/your-nhs-data-matters

You can choose whether your confidential patient information is used for research and planning.

How your data is used

Your health and care information is used to improve your individual care. It is also used to help us research new treatments, decide where to put GP clinics and plan for the number of doctors and nurses in your local hospital. Wherever possible we try to use data that does not identify you, but sometimes it is necessary to use your confidential patient information.

What is confidential patient information?

Confidential patient information identifies you and says something about your health, care or treatment. You would expect this information to be kept private. Information that only identifies you, like your name and address, is not considered confidential patient information and may still be used: for example, to contact you if your GP practice is merging with another.

Who can use your confidential patient information for research and planning?

It is used by the NHS, local authorities, university and hospital researchers, medical colleges and pharmaceutical companies researching new treatments. 

Making your data opt-out choice

You can choose to opt out of sharing your confidential patient information for research and planning. There may still be times when your confidential patient information is used: for example, during an epidemic where there might be a risk to you or to other people’s health. You can also still consent to take part in a specific research project.

Will choosing this opt-out affect your care and treatment?

No, your confidential patient information will still be used for your individual care. Choosing to opt out will not affect your care and treatment. You will still be invited for screening services, such as screenings for bowel cancer.

What should you do next?

You do not need to do anything if you are happy about how your confidential patient information is used.
If you do not want your confidential patient information to be used for research and planning, you can choose to opt out securely online or through a telephone service.

You can change your choice at any time.

To find out more or to make your choice visit nhs.uk/your-nhs-data-matters or call 0300 303 5678

Your choice

You can stop your confidential patient information being used for research and planning. Find out how to make your choice.

If you're happy with your confidential patient information being used for research and planning you do not need to do anything.

Any choice you make will not impact your individual care.