Privacy policy
The Kent Integrated Dataset
The KID is a unique and rich pseudonymised dataset available to researchers who are investigating a broad range of public health questions. It provides system-level insight into patient journeys and care utilisation and supports commissioning based on patient needs.
All of the organisations listed below are data controllers for the data they provided to the KID, with the CCG acting as the information asset owner and the ‘lead controller’ for management of the governance arrangements. Maidstone Tunbridge Wells NHS Trust HISbi operates the data warehouse where the KID is held. Further information about the Shared Healthcare and Analytics Board (SHcAB) can be found at the www.kmkernel.org
You may contact the Data Protection Officer at: kmccg.kmccg.ig@nhs.net
Why do we hold and process health data?
The KID was developed to understand health and social care costs for patients with multiple morbidities and help design a funding model that would incentivise integrated care. The KID has demonstrated significant value in analysing risks to public health and evaluating health and social care service reconfigurations and supporting the Joint Strategic Needs Assessment (JSNA) development process which is a Kent County Council statutory requirement www.kpho.org.uk/jsna
What patient data do we hold and process?
The KID comprises individual-level linked Electronic Health Records from the following services located in Kent and Medway:
Primary care providers (including general practices, out-of-hours providers and walk-in centres).
Community health providers.
Mental health services
Acute hospitals (including accident and emergency, inpatient and outpatient episodes).
Adult social care.
Palliative care hospices
Kent Fire & Rescue household data on home safety checks
Segmentation tools like Index of Multiple Deprivation, Electronic Frailty Index
The dataset includes records of interactions between residents of Kent and Medway and these services.
Across the NHS and many social care providers, individuals are given a unique identifier in the form of a 10 digit ‘NHS number'. An encrypted version of this identifier was used to link individuals across the constituent datasets. Names are excluded and other potentially identifiable information is coarsened to prevent re-identification of individuals. For example, dates of birth are replaced by single-year-of-age and postcodes are replaced by Lower Super Output Areas (a geographical area covering approximately 1500 residents).
Each service provider/data owner securely uploaded data monthly from 1 April 2014 until the 31 March 2019. Since this date, the KID has been maintained as a ‘static’ data set for the SHcAB purposes outlined above.
The legal bases for processing this information
We rely on Article 6 1 (e) of the GDPR as the lawful basis on which we collect and use your pseudonymised personal data. That is, processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
We rely on Article 9 (2) (h) and (i) of the GDPR as the lawful basis on which we collect and use your special categories of personal data.
In accordance with GDPR Art. 89(1), pseudonymisation techniques are used to fulfil the Public Health purposes without identifying data subjects and appropriate steps taken to minimise data. As data has been pseudonymised at source it is non-identifiable and the Common law duty of confidentiality does not apply.
Who can access KID data?
KID data can only be used by bona fide researchers / analyst teams to benefit patient and public health. Researchers and their affiliated organisations seeking access to KID data must undergo a rigorous approvals process. Routine access to the KID is only available to Kent and Medway Public Health Intelligence teams for Public Health purposes.
You can find out more about which studies and research organisations have been approved to carry out research using KID data Kent KERNEL Kent KERNEL (kmkernel.org)
Maidstone Tunbridge Wells NHS Trust HISbi operates a data warehouse that complies with the Data Security and Protection Toolkit under standard NHS contract terms and conditions, and operate an ISO27002 compliant Information Security Management System. All processing is performed within a controlled environment (i.e. appropriate technical and organisational controls).
How long is the data held?
Being able to reproduce the findings of a scientific study is very important to confirm that the evidence from this research is valid. In some cases, there is a requirement for researchers to be able to access the original data used for a specific study, so that this data can be inspected by regulators at a later date. To enable reproducibility of research, HISBi maintains the original pseudonymised patient data used for these research studies. This data may be held indefinitely.
There is, however, a requirement for individual researchers who receive KID data to only hold this pseudonymised patient data for 12 months, or subject to approval, for a longer defined period. After this time, researchers must destroy the pseudonymised data, but they are permitted to retain the processed analysis dataset in line with their institutional data retention policies for research audit purposes.
What GDPR data subject rights do I have?
GDPR data subject rights enable individuals to understand and make choices about how their data is used. KID patient data has been pseudonymised in accordance with the Information Commissioner’s Office Anonymisation Code of Practice. Because the patient data is pseudonymised, it is not possible for any individuals to be identified from the KID data. Therefore, it is not possible for the SHcAB to directly support an individual’s GDPR data subject rights.
You have the right to make a complaint to the Information Commissioner’s Office through their website or their helpline 0303 123 1113.
The KID was set up in compliance with the National Data Opt-out Policy for patients in England and those individuals who had type 1 opt outs in place did not have their data shared into the KID.