This policy explains how Kent Medical Secretarial Services Ltd uses the personal information collected from you for the operation of the company business.  It also describes how long that information is kept for and the limited circumstances in which we might disclose it to third parties. 

The organisation has appointed a Data Protection Officer (DPO) with responsibility for data protection compliance within the organisation. Questions about this policy, or requests for further information, should be directed to the Data Controller in the first instance. 

Email: Gillian Rolfe 

Contact: 01634 393070 

Who we are

Our website address is:

What information to we collect?

This section tells you what personal data we may collect from you when you use our Services. 

When you register as a client of Kent Medical Secretarial Services Ltd we will collect: 

  • Your personal details, including name and address, email addresses, phone number, gender and possibly an image. 
  • Details of your NHS practice and contact details. 
  • The names and address of next of kin. 
  • Bank and financial details. 
  • CCTV images of you may be captured on our premises.  

How to access your data?

As a data subject, individuals have several rights in relation to their personal data. 

Subject Access Requests (SAR) 

Individuals have the right to make a Subject Access Request. If an individual makes a subject access request, then Kent Medical Secretarial Services Ltd will respond to the request within Thirty (30) days and will produce the request in line with the Information Commissioners Office (ICO) guidelines. The data subject will need to prove themselves by a form of identification which will be deemed adequate by the DPO.  An SAR should be submitted to: 

Email: The Data Protection Officer (DPO)  at 

If a Subject Access Request is manifestly unfounded or excessive, the organisation is not obliged to comply with the request. Alternatively, the organisation can agree to respond but, the data subject may be charged a fee if extra costs are incurred to retrieve data, which will be based on the administrative cost of responding to the request. A Subject Access Request is likely to be manifestly unfounded or excessive where it repeats a request to which the organisation has already responded. If an individual submits a request that is unfounded or excessive, the organisation will notify him/her that this is the case and whether or not it will respond to it. Furthermore, if the organisation cannot facilitate a request based on limitations with its IT functionality the organisation will notify the individual accordingly stating what aspect of the request they can respond to. We will respond to the request within the Thirty (30) day period however, if this request takes longer than the regulation timeline, then the data subject will be notified and will be updated, and the request provided at the earliest opportunity. It should be noted that due to the business practices and the pure nature of the business model of Kent Medical Secretarial Services Ltd, some data may not be requested under a Subject Access Request for legal and medical reasons. If it is felt that a request may not be granted or fulfilled, then the data subject will be informed, and a representing consultant will be sought for guidance relating to such a request.  

The organisation will also provide the individual with a copy of the personal data undergoing processing. This will normally be in electronic form if the individual has made a request electronically, unless he/she agrees otherwise. 

A data subject has the right to the following regarding the processing of their data: 

  • Whether or not his/her data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from the individual; 
  • To whom his/her data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers; 
  • For how long his/her personal data is stored (or how that period is decided); 
  • His/her rights to rectification or erasure of data, or to restrict or object to processing; 
  • His/her right to complain to the Information Commissioner if he/she thinks the organisation has failed to comply with his/her data protection rights; and 
  • Whether or not the organisation carries out automated decision-making and the logic involved in any such decision-making. 

Data processing

Personal data will be retained for the shortest time necessary however, some medical material will require Kent Medical Secretarial Services Ltd to hold your data after a consultation or medical treatment. Under GDPR you have the following rights to request information from the company: 

  • Right of access to the data (Subject Access Request) 
  • Right for the rectification of errors 
  • Right to erasure of personal data (please note, this is not an absolute right 
  • Right to restrict of processing or to object to processing 
  • Right to portability 

Due to medical notes requiring data to be held for a specific time, the erasure of data may not be possible for legal obligations.  Direction will be sought from the representing consultant regarding the erasure of a data subject.  Some treatment and hospital notes and results will require data to be held for a specific amount of time.  

Lawful Basis for Processing

The General Data Protection Regulation (GDPR) is legislation explaining your rights over the processing of your personal information. The GDPR requires Kent Medical Secretarial Services Ltd to identify which of the six “lawful reasons” we use when processing your data: we process data on the basis of “consent” when sending newsletters or material relating to Kent Medical Secretarial Services Ltd and we operate on the basis of “legitimate interest” when communicating with you in other ways (e.g. when responding to your enquiry). When processing personal data relating to treatment then we use “Consent” and “Contract” for our lawful basis for processing. This will be dependent upon the consultant that we will be providing our service to being. 



Kent Medical Secretarial Services Ltd will only hold and process data that they feel that they have the correct consent for. The data subject has the right at any time to withdraw the consent, this consent can be withdrawn from any department within the organisation. For those under Sixteen (16) years of age, then consent will be required from a parents or guardian to process information relating to that data subject.  

Data security

The organisation takes the security of HR-related personal data seriously. The organisation has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by employees in the proper performance of their duties. These controls are implemented under the ICO and the General Medical Council (GMC) guidelines. Other guidelines may be implemented depending upon the data being held, this is to include hospital and consultant guidelines. 


Where the organisation engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data. Our staff, trainers and associates undergo regular hospital, Data and GDPR training, to ensure that our policies and procedures are compliant with all aspects of data protection. Our servers are held in a restricted area internally and are managed and monitored by IT and cyber data experts within our office premises. This service is done so by a recognised and accredited service provider.  Encryption for our data and emails are used at all times. Our consultants and associates have a responsibility to control and hold data commensurate to our security, data and cyber policies and General Medical Council (GMC) guidelines. Consultants and associates may also store the data on their own personal electronic device, which is suitably protected by password and encryption. This will be commensurate to their own security policy. 

Sharing personal information 

As an organisation we do not share any information held with third parties unless consent is given by the data subject or is needed to be done so within the conduct of a course. We do not conduct profiling or marketing using an individual’s personal details for the conduct of our business. We will only share information with the following organisations if it is felt that we have a legal obligation or are instructed to do so from an authority requiring specific information on a data subject. 

  • Police force within the United Kingdom 
  • A government department or agency  
  • A local authority 

Your data may be transferred to countries outside the European Economic Area (EEA). If any data is transferred outside the EEA it is based on the contractual obligations to third parties and processed in accordance with your data rights. 


If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Complaints procedure

Please contact us directly with any questions or complaints as we aim to resolve any questions relating to data privacy with the data subject immediately.  

Email: The Data Protection Officer (DPO) 

All legal rights regarding privacy are the responsibility of the Information Commissioners Office (ICO). More information about their complaints procedure can be found at: 

 ICO Registration – ZA398427 

Changes to this Privacy Notice 

We reserve the right to make changes to this Privacy Notice from time to time, so please take the time to review periodically. 

Reviewed: May 2019