Privacy policy

Medway Foundation Trust Privacy statement 2017

Medway Foundation Trust is committed to protecting your personal information. This page, together with our cookie policy, sets out the basis on which we will process any personal information we collect from you or that you provide to us.


What information we keep about you and how we use it

When you are a patient of the Trust we collect and keep your health and personal information confidential. This may include:

  • basic details about you e.g. your address, date of birth or next of kin and how you want us to contact you;
  • your contact with us e.g. visits to clinics;
  • the notes of your treatment;
  • results of investigations including X-rays or laboratory tests;
  • if you contact us in writing, we will keep a record of that correspondence.

We use your information to provide you with the best of care.


Sharing information with other organisations

In the main, we will not share your personal data without consent unless we have a duty to ensure your personal health and well-being.
There are some circumstances where we may share information, for example:
  • where we have agreements with other organisations for sharing information. An example of this may be where you, as a patient, move from our care to community care;
  • with local authorities and particularly Medway Council under the Child Protection-Information Sharing (CPIS) scheme to protect the safety and well-being of vulnerable and looked-after children;
  • with Virgin Care Services where they provide community care in Swale and Sheppey community hospitals;
  • under section 251 of the NHS Act 2006 to support essential medical research where it is not possible to use anonymised information and where obtaining consent is not practical. We may only share information under section 251 with bodies that are approved to receive such information. For more details please visit the Health Research Authority website;
  • where we are required by law to report information to appropriate authorities e.g.
    • when a baby is born
    • where an infectious disease may endanger the safety of others
  • we can pass on personal data without consent to the police, to prevent and detect crime; and
  • to produce anonymised statistics

Sending information abroad

The Trust sends very little information overseas. Where we do, we check to ensure that the companies that we use have excellent information security standards and practice. We will tell you if your personally identifiable information is to be stored overseas.

The Trust has recently endorsed the use of forward App as a means of facilitating clinicians’ discussion about patient care. All information stored on this App is stored on secure servers in the USA. The Trust has avoided such transmissions since the dissolution of the Safe Harbour agreement in 2015. However, the new 2016 EU-US Privacy Shield arrangements now cover this data flow.

How we keep your information safe and secure

The Trust takes the protection of your personal information seriously.

All our staff are regularly trained on the steps needed to keep patient information safe and secure. Staff are only able to access patient information on a ‘need to know’ basis.

The Trust ensures that patient information is stored and accessed securely. This means that our staff use passwords and other security measures to ensure that the ‘need to know’ philosophy is maintained.

We use technical security measures (such as data encryption) in combination with strong passwords and physical measures (such as Smartcards - these are special cards similar to an “Oystercard” that are held by staff and identify who the member of staff is and what systems they can access) to prevent unauthorised access to patient information. Passwords must be changed regularly and this is enforced by the systems. 

In addition, the Trust employs other tools to guard our network and the devices on the network. Anti-Malware software is used by the Trust and the Network is monitored and managed to ensure that only devices belonging to the Trust can access the network and information. The Trust also has the benefit of two data centres such that patient information is fully protected in the event of failure of a single data centre.

Use of CCTV (including body-worn cameras) and lone-worker protection solutions

The Trust has CCTV deployed around the site in order to manage and investigate the following circumstances:
  • alleged security incidents, theft, assault or baby abduction on Trust premises
  • staff, visitor and patient safety
  • investigation of traffic incidents or congestion on the Trust site
  • supporting the management of a fire or major incident alert
  • the security of Trust premises
  • investigation of persons acting suspiciously on Trust premises

CCTV images are retained for 28 days only.

Images are only viewed by Trust personnel, but images may be shared with the police to aid the investigation or prosecution of criminal activities within Trust grounds and premises.

Body-worn cameras

Traffic enforcement officers and security personnel wear body-worn cameras that record both sound and images. Before cameras are activated staff will formally advise that they are going to do so. Images and sound will be used in the prevention and de-escalation of security incidents; patient, visitor and staff safety; traffic and parking enforcement; and the investigation of persons acting suspiciously on Trust premises.

Images and sound recording from body-worn cameras are retained for 28 days only.

Lone-worker protection solutions

The Trust values the safety and security of its staff, especially where staff may visit patients by themselves at a patient’s home. For their safety and security the Trust uses the Reliance Protect lone-worker solution which, when triggered, will relay live conversation and the GPS location of our staff to the Reliance Customer Support Team in order to effect their safe care as quickly as possible.


How long do we keep your information for?

The time we keep information for can vary depending on treatment and the type of record. In the main we keep adult patient records for 8 years after a patient is discharged, but this time can extend up to 30 years; for example, where someone is diagnosed with cancer we will keep the record for 30 years from the time of diagnosis.

The Trust follows the guidelines issued by the Information Governance Alliance Records Management Code of Practice 2016 on how long to keep records for. 

Visitors to our website

When someone visits we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

Use of Cookies

You can read more about how we use cookies on our cookies page.

Search engine

Our website search function is powered by Sitekit. Search queries and results are logged anonymously to help us improve our website and search functionality. No user-specific data is collected by either the Trust or any third party.

Calling us via our switchboard

When you call the Trust switchboard on 01634 830000 the number, time and date of your call may be recorded – call content is not recorded.

People who email us

Any email sent to us, including any attachments, may be monitored and used by us for reasons of security and for monitoring compliance with office policy. Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.

People who make a complaint to us

When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for ten years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.


Job applicants

If you apply to work at the Trust, we will only use the information you supply to us to process your application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a ‘disclosure’ from the Disclosure and Barring Scheme (DBS) we will not do so without informing you beforehand unless the disclosure is required by law.
Personal information about unsuccessful candidates will be held for 12 months after the recruitment exercise has been completed; it will then be destroyed or deleted. We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.
Once you join the Trust as an employee, we will compile a file relating to your employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to your employment. If you subsequently leave our employ, we will retain the file in accordance with the requirements of our retention schedule and then delete it.

Access to personal information

We try to be as open as possible in terms of giving people access to their personal information. You can find out what information we may hold about you by making a ‘subject access request’ under the Data Protection Act. If we do hold information about you we will:
  • give you a description of it
  • tell you why we are holding it
  • tell you who it could be disclosed to
  • let you have a copy of the information in an intelligible form.
To make a request to the Trust for any personal information we may hold, you need to put the request in writing to our Legal Services - SARs Team (by email to, or write to the address provided).
If you disagree with the content of the disclosure, you may ask the Trust’s Senior Information Risk Officer to review the actions we’ve taken.
If, after an internal review, you are still dissatisfied, you may escalate your concerns to the Information Commissioner’s Office. The Information Commissioner’s Office is the regulatory body with responsibility for the Data Protection Act and can be contacted:

Links to other websites

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on 18 August 2017.

How to contact us

To contact the Trust’s Data Protection Officer please either email: or write to:
The Information Governance Team
Residence 15
Medway Foundation Trust
Windmill Road