Privacy Notice

In the National Health Service (NHS), we aim to provide you with the highest quality healthcare. To do this Kettering General Hospital Foundation Trust (KGH or Trust) must keep information about you, your health and the care we have provided to you or plan to provide to you.
As an employer, the Trust keeps information about its employees in order to meet its contractual, statutory and administrative obligations.
This privacy statement provides a summary of how we use the information we collect from our data subjects.
The Data Protection Act and UK General Data Protection Regulation (UK GDPR) 2018 controls how your personal information is used by organisations, businesses, or the government. Under the Act, Kettering General Hospital NHS Foundation Trust is defined as a ‘data controller’ of your personal information. The Trust is registered with the Information Commissioners Office.
Our Registration number is Z4936855


Personal Data: ‘Personal Data’ is information relating to a natural (living) person which can be used to identify the person, for example:
  • Name
  • Address
  • Telephone number
  • Employee number
  • Gender
  • National Insurance (NI) Number
  • NHS Number
Sensitive personal data (Special Category): ‘Special Category’ data is information, which is classed as more sensitive personal data, for example:
  • Religious beliefs
  • Ethnic Origin
  • Sexual Orientation
  • Criminal convictions
  • Disabilities 
  • Trade Union Membership
Data controller: ‘Data controller’ means the organisation that determines or decides the purposes, conditions, and means of the processing of personal data.
Processing: ‘Processing’ includes the collection, recording, storage, use, disclosure, or destruction of personal data.

What is Data protection law?

The Trust is required to comply with the laws and regulations that apply to protecting your data and how it is used. They are the Data Protection Act 2018 and the UK General Data Protection Regulation 2016 (UK GDPR). Together, they are referred to as Data Protection Law in this privacy statement.
Under Data Protection Law, organisations must be able to demonstrate compliance with the 6 Principles governing the protection of personal data. Below is a summary of the 6 Principles and how the Trust complies with them.

UK GDPR Principles (Article 5) require that personal data must be:

  1. Processed lawfully, fairly and in a transparent manner in relation to individuals.
  2. Purpose limitation: Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving in the public interest, scientific or historical research or statistical purposes shall not be considered to be incompatible with the initial purposes.
  3. Data Minimisation: Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
  4. Data Accuracy: Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased, or rectified without delay.
  5. Storage limitation: Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the UK GDPR in order to safeguard the rights and freedoms of individuals.
  6. Integrity and confidentiality: Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
Article 5, Clause 2 states “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
This means that under the UK GDPR, organisations must be able to demonstrate and prove that they are compliant with the 6 Principles.

How will we meet the principles of UK GDPR?

We will process your personal information fairly and lawfully by:

a) Only using it if we have a lawful reason to do so and when we do, we make sure we inform you about how we intend to use it and tell you about your rights

Whilst we do not rely on consent as a legal basis for processing your information, we are obliged to inform you of how and when we use it. We do however rely on specific provisions under Article 6 and 9 of the General Data Protection Regulation, such as ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller.'

This allows us to use your personal information to provide you with your care. However, you do have the right to say ‘NO’ to our use of your information, but this is likely to impact on our ability to provide you with care.

b) Only collecting and using your information to provide you with your care and treatment and not using it for anything else that is not considered by law to be for this purpose

We would never share your information for marketing or insurance purposes.
c) Only using enough of your personal information that will be relevant and necessary for us to carry out various tasks for the delivery of your care
d) Keeping your information accurate and up to date when using it and if it is found to be wrong, we will correct it, where appropriate, as soon as we can
e) Only keeping your information in a way that it will identify you for as long as we are legally required to, whilst ensuring your rights
f) Having secure processes in place to keep your personal information safe when it is being used, shared, and stored