Privacy notice
Last updated: 1 April 2026
This page explains how East Kent Hospitals University NHS Foundation Trust (EKHUFT) looks after your personal information. This includes data we use for your care and our online services.
We follow the law and NHS rules, including:
UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018
NHS Constitution and the Common Law Duty of Confidentiality
This notice is designed to help you find everything you may wish to know about how we process your health information in one place.
See also: Easy Read version - You and Your Personal Information patient leaflet
Your personal data privacy notice
1 Who we are
We are East Kent Hospitals University NHS Foundation Trust (EKHUFT). We care for people in hospitals and in the community across east Kent. To care for you safely, we must keep some information about you. This is your health record.
2 Why we keep information about you
We keep your information because it helps us:
Give you safe care
Know what treatment you need
Make sure your appointments and tests are correct
Plan and improve NHS services
Learn from complaints, incidents and feedback
Support research (only with the right approvals and safeguards)
We never sell your data or use it for marketing.
To learn more about what the NHS keeps, why, and for how long, read the NHS Records Management Code of Practice. It explains retention rules and how we safely destroy records we no longer need.
3 What information we collect
We only collect what we need to look after you.
Basic information
Your name
Your address and contact details
Your date of birth
Details of your parent/carer (where relevant).
Health information
Notes about your illness or injury
Test, scan and X-ray results
Medicines you take
Treatment plans and referrals
Appointments and letters.
Special category information (extra protected by law)
Your physical or mental health
Race or ethnicity
Religion or beliefs
Sexual orientation (usually relevant only for older teens)
Genetic or DNA information (if needed for care)
Biometric data used to identify you (rare)
Information about crime only if needed to keep you safe.
4 Where your information comes from
We get information from you, your parent/carer, your GP, other hospitals, and services that help with your care (like school nursing or social care).
5 Who we share information with
We only share your information when it is necessary and only with people who must see it. We may share with:
Your GP
Other hospitals and clinics
Ambulance services
Social care
School nursing teams
People who plan NHS services
Approved NHS IT system suppliers (who help run our secure systems).
Sometimes the law says we must share information, for example to report certain diseases, prevent serious harm, or when a court tells us to. We always share the minimum amount needed.
6 Lawful reasons we use your information
We must have a legal reason (“lawful basis”) to use your information.
For most of your care we rely on: UK GDPR Article 6(1)(e) (public task) and Article 9(2)(h) (health or social care).
Sometimes we also rely on: Article 6(1)(c) (legal obligation), Article 6(1)(a) (consent – for things like photos or some research), Article 9(2)(i) (public health), Article 9(2)(j) (research and statistics with safeguards).
Under the Common Law Duty of Confidentiality, we only share when you agree, when it is needed for your care, when the law allows it, or to prevent serious harm.
7 Keeping your information safe
We work hard to keep your information safe and protected at all times. We use a mixture of technology, training, and strong security rules to do this.
To keep your information safe, we use:
Secure, certified and regulated computer systems
Our systems follow NHS security standards and are checked regularly.
Multi‑factor authentication (MFA)
This means staff must use more than one way to prove who they are before accessing information.
Role‑Based Access Control (RBAC)
Only staff who need to see your information to do their job are allowed to access it.
Identity and access checks
Staff must use approved NHS smartcards, NHS login, or secure access tools.
Mandatory Data Security and Protection training
All staff must complete this training every year so they understand how to keep your information safe.
NHS rules and national guidance
We follow NHS security guidance at all times.
We only keep your information for as long as the NHS Records Management Code of Practice says we must, and then we delete or destroy it securely in line with national rules.
8 Your rights
You have important rights over your personal information. These rights help you understand how your data is used and give you control over it.
Timescales and how we respond are set by law and national guidance – see the national NHS subject access request guidance, the Information Commissioner’s Office guide to subject access and NHS Digital Upholding the Rights of Individuals.
You can ask to see what EKHUFT holds about you (e.g., hospital notes, letters, test results, imaging reports).
How to request
For requests specifically for copies of your medical or health records, please see our Access to Health Records page for further guidance.
For any other requests relating to your personal information or to exercise any of your data protection rights, please email the Data Protection Officer at:
ekhuft.dataprotectionofficer@nhs.net
You can also view your GP record using the NHS App (for age 13+), including GP test results, medicines and vaccinations.
We normally respond within one month. If your request is very large or complex, we may need up to two more months, and we will tell you within the first month if we need extra time.
You can update your name, address and contact details yourself, by going to correct your contact details on your NHS record on the NHS website or NHS App.
For anything else, if something is wrong or incomplete, you can ask us to review it.
NHS Amending Patient Records guidance explains when corrections can be applied to entries within your health records.
This is limited in healthcare because we must keep certain records for safety and by law. We’ll explain if we cannot delete something and why.
In some situations, you can ask us to pause or restrict use of your data. We may still keep basic details for safety or legal reasons.
You can tell us if you disagree with certain ways in which we use your personal information. We will review your request carefully and explain what we can and cannot do in response.
You also have the right to object to your confidential patient information being used for research and planning under the National Data Opt-Out (NDOO).
You can find more information about the National Data Opt‑Out and how to manage your choice on the NHS website.
Where possible, we can share information directly with another service or organisation either as part of direct care or on your request.
9 Opting out of data being used for planning or research
You can choose whether your confidential patient information is used for research and planning. If you’re happy for it to be used in this way, you don’t need to do anything. If you choose to opt out, your information will still be used to support your individual care.
This site explains what confidential patient information is, how it’s used, the benefits of sharing data, who uses it, how it’s protected, situations where the opt-out does not apply, and how to set or change your opt‑out online or by phone.
You can also learn more about how patient information is used at:
You can change your opt‑out choice at any time. The opt-out does not allow sharing with insurance companies or for marketing; this would only occur with your explicit consent.
Our organisation is currently compliant with the National Data Opt‑Out policy.
You can choose whether your confidential patient information is used for planning NHS services or research. This does not affect your own care.
Learn more and manage your choice on Your NHS Data Matters (or via the NHS App under “Your health”).
10 Do we send your information outside the UK?
EKHUFT aims to keep your information in the UK. If information must be sent outside the UK, we will use legal safeguards to keep it safe and protect your rights (for example, standard contractual clauses and risk assessments). This reflects our current practice as set out in EKHUFT’s central notice.
11 How long we keep your information
We follow the NHS Records Management Code of Practice for how long to keep records and how to dispose of them safely when they are no longer needed. Different records have different time periods.
Supplementary privacy information
See below for specific privacy information related to our services.
East Kent Hospitals services
Tools that support clinicians (AI is not used to replace, and does not replace, clinical decisions made by a trained medical professional).
Used in some areas to keep patients, visitors and staff safe.
Helps providers and commissioners understand what maternity care is delivered and with what outcomes, informing planning and decision making.
Helps connect you with the right support services.
How we use data to improve care (most research uses de-identified data).
How supporter/donor information is used (not your patient record).
Services we work with
Shared record used by health and social care to give you joined-up care.
The senior governance group for the analyst community across Kent and Medway.
NHS England Federated Data Platform (FDP) privacy information
East Kent Hospitals is participating in the NHS FDP to support improved patient care and service planning. Find out more about the FDP and how your data is protected.
Kent and Medway Pathology Network (KMPN)
Manages lab samples and results across the region.
Kent and Medway Data Warehouse
Secure system for planning services.
Secure Data Environments (SDE)
Protected research spaces with strong access controls.
Our online services
How we use your data as a user of our public website (www.ekhuft.nhs.uk).
This privacy notice relates to logging into our Patient Portal.
This privacy notice relates to viewing, cancelling and rebooking appointments on our Patient Portal.
This privacy notice relates to the appointment booking area of our Patient Portal. It is used to book a selection of our services, including X-ray and blood tests.
This privacy notice relates to the Patient Preferencing area of our Patient Portal, where you choose your communication preferences.
Contact us
If you have questions or want to use your rights:
Data Protection Officer (DPO)
Telephone: 01227 783142
Address: Kent & Canterbury Hospital, Ethelbert Road, Canterbury, CT1 3NG
Get advice
If you are unhappy with how we have used your information, you can contact the Information Commissioner’s Office (ICO) for advice:
Information Commissioner’s Office
Telephone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
The Trust is registered with the Information Commissioner’s Office - registration number Z9093025.
Download our registration certificate from the Information Commissioner's Office website
Changes to this notice
We may update this notice to keep it accurate and clear. The latest version will always be available on our website.