Kairos Rehabilitation Trust is committed to follow the regulations for good practice as requested by the Care Quality Commision.

Please see below for our Mission Statement and some relevant policies including how the privacy of patients, staff and donors is handled


Kairos Rehabilitation Trust


Vision Statement and Values


  1. To provide the best possible care, treatment and rehabilitation for patients dealing with hard to treat long-term conditions, particularly those suffering persistent pain and all its consequences.
  2. To provide as optimal and comprehensive a service as possible by working together with colleagues in integrating conventional, anthroposophic and other non-traditional methods for patients’ maximal benefit.  
  3. To listen and pay attention to the individual’s own considered personal, social, financial or other needs in creating an environment and delivering interventions which are meaningful and effective for that person. And by these means, to enable motivation and engagement, the taking of initiative in finding better charge of their own health, life and destiny.
  4. To develop and promote opportunities for teamwork within and outside the Trust which, where appropriate, include the patient at its heart. And in so doing to encourage and acknowledge the role and potential contribution of each team member thereby kindling opportunity for personal, team and overall Trust development.
  5. To serve, assist and enrich the aims and effectiveness of the National Health Service (NHS) in relation to patient benefit by working with colleagues within and around the service.
  6. To evaluate outcomes of the work in terms of patients benefit, cost effectiveness and service delivery by working with a multi-disciplinary team of colleagues - with a view both to publication.
  7. To continue to develop innovative rehabilitation facilities and expand provision of the service by recognizing and responding appropriately to individual, local and national needs in health and social care.
  8. To work with others in training the next generation of clinicians and supporting staff to meet current and future challenges of health and social care provision.







The ‘Kairos Model’ has been recognised as innovative in its field (Finalist BMJ 2017 Awards). It is concerned with rehabilitation of a population that is recognised as difficult to treat. The main emphasis is on persistent pain but rehabilitation is offered to anyone suffering any long term condition which has not responded to previous treatments. The following conditions and circumstances make up the common predicaments that patients face before and during treatment:


  1. Any difficult-to-treat or unexplained condition most commonly – Fibromyalgia (FMS), Chronic Fatigue Syndrome (CFS), ‘Global’ Pain, failed back surgery, injury without radiological explanation.
  2. Failed pain treatments at other pain clinics/pain management programs
  3. Medication problems – intolerance, polypharmacy, dependence
  4. Mental Health issues complicating e.g. anxiety, depression, PTSD
  5. Social factors – poor English, loneliness, isolation, nothing to do.
  6. Financial issues with benefits, work-related difficulties



Treatments and interventions offered:


A. Full medical & biographical assessment. Reinterpretation of the history with explanation of how anthroposophic therapies belong.

B. Therapies 1:1 (massage & eurythmy) to relieve symptom burden.

C. Rationalisation and reduction of analgesic and psychotropic medication

D. Social activities (often patient-initiated but therapeutically led) Choir,  painting, crafts, cookery and gardening.

E. State Benefits problems: help filling forms, attending Medicals & Appeal Tribunal;

F. New opportunities for education, training, volunteering & work

G. Team working in close cooperation with the patient




Special regard for the patient and staff


  1. The patient is regarded as unique and sacrosanct[1] as a person and needs to be acknowledged respected and honestly treated.
  2. Each person involved in the work, including each staff member, is considered to be on a path of personal development into which all life events including the experience of illness need to be taken into account.
  3. Vulnerability is common and must be looked out for and identified to avoid unwittingly causing harm.
  4. Treatment and interventions are designed as much around the needs of the person as their clinical condition. Satisfying the former often results in alleviation of the latter.
  5. Special effort is made to listen to and understand the predicament as the patient sees it and to identify what is or may be of first importance to that individual in the initiation of treatment
  6. The fitness and health of the staff and ways to maintain them are considered vital as they encourage optimal working and capacity to apply one’s ‘will to heal’



Special conditions of delivery


The following have been found essential in the delivery of the programme

  • Ease of access to the service by phone, text, mail.
  • Continuity of care: seeing the same doctor and or therapist during treatment blocks
  • Adequate time for appointments and therapy sessions
  • Good listening
  • Coordination of delivery by close teamwork
  • Optimal and where possible personal communication with GP’s and hospital specialists;
  • Translation in case of language difficulty
  • Chaperoning or company chosen by the patient during consultations or treatments
  • Advantage is taken of feedback from patients and staff including mistakes, significant events and complaints;
  • Attention paid to positive value of equal opportunity, safety and governance issues
  • Alertness and proper dealing with safeguarding issues
  • Good communication and working together with partner agencies e.g. Greenwich CCG, Circle MSK, Greenwich Association for Disabled People (GAD)
  • Security of funding;

[1] ‘except from violation or criticism’ Shorter Oxford Dictionary


Consent policy


“No decision about me without me’(1) – Shared decision-making in practice


1. INTRODUCTION: Kairos Rehabilitation Trust (KRT) provides medical-therapeutic rehabilitative treatment to patients with long-term, hard to treat medical conditions, primarily pain related. The majority of patients are referred for Pain Management by Circle Greenwich MSK Services on behalf of Greenwich Clinical Commissioning Group. Patients who either come from out-with this geographical area, or whose complaint does not fall under Circle MSK’s remit may be seen by the charity. These patients are asked to bring a medical summary from their GP and to consent to said GP being kept informed about treatment at KRT.



 The general legal and ethical principle that valid consent must be obtained before starting treatment or physical investigation for a person has been enshrined in The NHS Constitution for England 2010(2).   The Department of Health set out guidance on how to achieve this in Good practice in consent implementation guide: consent to examination or treatment 2001(3). This was supported by HSC2001/023 Good practice in consent: achieving the NHS Plan commitment to patient-centred consent practice (4), and reinforced through the Reference guide to consent for examination or treatment 2009(5) which sets out the legal and ethical principles for obtaining valid consent within the NHS. 


Further legal, ethical and good practice requirements for gaining valid consent with children, people with mental health issues and those with decreased capacity are detailed in Seeking consent: working with children(6) the Code of Practice: Mental Health Act 1983 (2007)(7) Mental Capacity Act 2005 Code of Practice(8) respectively.


The General Medical Council also identifies, in its document Good Medical Practice(9), that doctors must be satisfied that they have consent or other valid authority before they undertake any examination or investigation, provide treatment or involve patients in teaching.  This responsibility is further detailed in Consent: patients and doctors making decisions together(10).


 1 White Paper, Equity and Excellence: Liberating the NHS:  (DH, 2010)
 3 http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_4005762
 4 http://www.dh.gov.uk/en/Publicationsandstatistics/Lettersandcirculars/Healthservicecirculars/DH_4003736
 5 http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_10364
 6 http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_400700
 7 http://www.dh.gov.uk/en/Publicationsandstatistics/Publications/PublicationsPolicyAndGuidance/DH_084597
 8 http://www.justice.gov.uk/guidance/protecting-the-vulnerable/mental-capacity-act/index.htm
10 http://www.gmc-uk.org/static/documents/content/Consent_0510.pdf


 The documents cited above are clear on the following principles:

The principles of consent apply to all decisions about care: from the treatment of minor and self-limiting conditions, to major interventions with significant risks or side-effects. 

If you are the doctor undertaking an investigation or providing treatment, it is your responsibility to discuss it with your patient and gain valid consent. 

You must work in partnership with your patients to ensure good care. 

You must: a) listen to your patient and respect their views about their health b) discuss your patient’s diagnosis, prognosis, treatment and care involved with them c) share information with your patient that they need or want to make a decision d) support your patient’s ability and opportunity to make decisions for themselves e) respect your patient’s decision



 KRT expects the following principles to be followed by all staff involved in a patient’s care:

4.1 All consultations should be based on openness, trust and good communication

  4.2 You must adapt your consultation style to suit each patient and each situation.

 4.3 You should assume each patient has the capacity to make decisions for themselves and:

  • make an assessment with the patient of their condition, taking account of their medical history, views, experience and knowledge
  •  use this information alongside your specialist knowledge and skills to identify the best course of action for your patient
  • explain the possible options to your patient, setting out the benefits and risks of each option
  • enable your patient to weigh up the best option for them, including the option to have no treatment
  • if your patient asks for a treatment you do not consider would be of overall benefit to them, you do not need to provide it BUT you must explain your reasons and document them in the patient’s notes. If your patient is not able to make decisions for themselves, you must work closely with them and their carers or relatives, following sections 7 and 9 of this policy where applicable.



 5.1 You must share all relevant information with your patient and:

  • take account of their individual needs and capacity
  • do not make assumptions about what information your patient might need or want
  • give your patient all the information they need or want to make a decision
  • check that your patient has understood the information they have been given
  • give your patient time to make their decision

5.2 Do not withhold any clinical information from your patient.

5.3 You should respect your patient’s wishes if they want another person to be involved to help them make a decision.

 5.4 You must provide clear, accurate information to your patient about any adverse outcomes that may result from your proposed treatment options.  These will include:

  • side effects
  •  complications
  • failure of an intervention to achieve the desired aim

 5.5 You must assess and communicate the risk to your patient by:

  • considering the nature of their condition, their general health and other circumstance
  •  taking account of their preferences or concerns about different outcomes
  • telling them about serious adverse outcomes even if the likelihood is very small and less serious side effects that occur frequently
  • giving information in a balanced and unbiased way, using clear, simple language
  • checking that they have understood the information

5.6 You must respect your patient’s right to refuse consent or withdraw it BUT you must explain the risks and benefits of doing so and fully document in their notes.


6. DIFFERENT FORMS OF CONSENT AND APPROPRIATE DOCUMENTATION Before accepting a patient’s consent you must ensure that you have met sections 4 and 5 of this policy.  KRT expects the following principles to be followed by all doctors and therapists  providing care:

6.1 The care provided by KRT is limited to what the patient was referred for .

6.2 Oral or implied consent (by complying with the proposed examination or treatment, for example, by rolling up their sleeve to have their blood pressure taken) is appropriate so long as you are satisfied that your patient understands what you propose to do and why.

 6.3 You must record fully your discussion with your patient in their clinical record.



KRT expects all clinicians to involve children and young people as much as possible in discussions about their care and to encourage them to share their decision with their parents or carers if they have the capacity to consent.

7.1 You must clearly document in the clinical notes the details of the person calling on behalf of a child or accompanying them to the clinic, including details of parental responsibility.

7.2 When children lack the capacity to give consent then you must seek the consent of at least one parent.

7.3 Young people aged 16 and over can be presumed to have capacity to make most decisions about their treatment and care.

7.4 You should assess individual young people under 16 for their ability to understand and weigh up options to make a decision and determine whether they are able to understand the nature, purpose and possible consequences of investigations or treatments you propose.

 7.5 The young person must be able to understand, retain, use and weigh this information and communicate their decision to others to be able to give consent.

7.6 You must always respect confidentiality whenever this is requested by a child who is competent to make their own decision unless:

  • there is an overriding public interest in the disclosure
  •  the disclosure is required by law




If you need to make a decision about treatment and care for patients who lack capacity you must comply with the Mental Capacity Act 2005 which sets out the criteria and procedures you need to follow.

9.1 In line with 4.3 you must work on the presumption that every adult patient has the capacity to make decisions about their care until it is clear that they cannot understand, retain, use or weigh up the information needed to make that decision, or communicate their wishes.

9.2 You must not assume that a patient lacks capacity to make a decision solely because of their age, disability, appearance, behaviour, medical condition (including mental illness), their beliefs, their apparent inability to communicate, or the fact that they make a decision that you disagree with.

 9.3 Remember to give your patient enough accessible information and time to make their decision so that their ability to make decisions is maximised.  You may want to consider:

  • asking the patient what would help them make a decision
  • speaking to those close to the patient about the best ways of communicating with your patient, taking account of confidentiality issues
  • supporting with written information
  • using the following communication aids:

  The interpreting service for patients whose first language is not English

 Type-talk for the hard of hearing o Simplified language and Easy-read materials for those with learning disabilities

 9.4 You must assess a patient's capacity to make a particular decision at the time it needs to be made.

 9.5 Your patient would be deemed to lack capacity to consent if they cannot:

  • understand the information relevant to that decision, including understanding the likely consequences of making, or not making the decision
  • retain that information
  • use or weigh that information as part of the process of making the decision
  •  communicate their decision (whether by talking, using sign language or any other means)

9.6 You should assess your patient’s capacity with advice from their relatives or carers who may be aware of their usual ability to make decisions.

9.7 You must fully document your decisions about assessing your patient’s capacity to consent or not to treatment in their clinical notes.



KRT offers planned appointments only. In case an emergency arises and it is not possible to find out a patient's wishes, you can treat them without their consent within the scope of your training, provided the treatment is immediately necessary to save their life or to prevent a serious deterioration of their condition.

10.1  You must provide treatment that will be the least restrictive of the patient's future choices.  10.2  When the patient regains capacity while in your care, you should tell them what has been done, and why, as soon as they are sufficiently recovered to understand.

10.3 You must document your actions in your patient’s medical record.

Data Protection Policy and Procedures


The Kairos Rehabilitation Trust (KRT) recognises the importance of Information Governance, as it gives assurance to the patients that personal information is dealt with legally, securely, efficiently and effectively in order to deliver the best possible care.

It is therefore of paramount importance to ensure that information is effectively managed, and that appropriate policies, procedures and management accountability and structures provide a robust governance framework for information management.

The KRT will maintain policies and procedures to ensure compliance with requirements contained in the Genera Personal Data Regulation (GDPR).

 KRT is committed to a policy of protecting the rights and privacy of individuals, the KRT needs to collect and use certain types of Data in order to carry out our work. This personal information must be collected and dealt with appropriately.

The GDPR which supersedes the Data Protection Act of 1988 on May 25th 2018 governs the use of information about people (personal data). Personal data can be held on computer or in a manual file, and includes medical files, letters, email, and photographs. KRT will remain the data controller for the information held. KRT staff including volunteers will be personally responsible for processing and using personal information in accordance with the GDPR.    All staff with access to Personal Data are required to undertake training to carry out their duties safely.

Staff and volunteers running KRT, who have access to personal information, will be expected to read and comply with this policy. All staff must sign a confidentiality agreement before commencing work at KRT (appendix A), a disciplinary procedure is in place. All staff will have an annual refresher training on all aspects of Data Security and Confidentiality.


The purpose of this policy is to set out KRT’s commitment and procedures for protecting personal data. KRT regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal.

The Data Protection Act Legislation

This contains 8 principles for processing personal data with which KRT will comply.  Personal data:

1. Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met,

2. Shall be obtained only for one or more of the purposes specified in the Act, and shall not be processed in any manner incompatible with that purpose or those purposes,


3. Shall be adequate, relevant and not excessive in relation to those purpose(s)


4. Shall be accurate and, where necessary, kept up to date,


5. Shall not be kept for longer than is necessary


6. Shall be processed in accordance with the rights of data subjects under the Act,


7. Shall be kept secure by the Data Controller who takes appropriate technical and other measures to prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal information,


8. Shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal information.

The following list contains definitions of the technical terms we have used and is intended to aid understanding of this policy:

Data Controller – The person who (either alone or with others) decides what personal information KRT will hold and how it will be held or used.

Data Protection Act 1998 – The UK legislation that provides a framework for responsible behaviour by those using personal information.

Data Protection Officer – The person who is responsible for ensuring that KRT follows its data protection policy and complies with the Data Protection Act 1998

Data Subject/Service User – The individual whose personal information is being held or processed by KRT(for example: a service user or a supporter)

‘Explicit’ consent – is a freely given, specific and informed agreement by a Data Subject (see definition) to the processing of personal information about her/him.  

Explicit consent is needed for processing sensitive data this includes the following:

(a)  racial or ethnic origin of the data subject

(b) political opinions

(c) religious beliefs or other beliefs of a similar nature

(d) trade union membership

(e) physical or mental health or condition

(f)  sexual orientation                                                                       

(g) criminal record

(h) proceedings for any offence committed or alleged to have been committed

Notification – KRT is a not-for profit organisation and as such exempt from notifying the Information Commissioners Office (ICO) about the data processing activities of KRT.

Information Commissioner – The UK Information Commissioner responsible for implementing and overseeing the Data Protection Act 1998.

Processing – means collecting, amending, handling, storing or disclosing personal information

Personal Information – Information about living individuals that enables them to be identified – e.g. names, addresses, telephone numbers and email addresses. It does not apply to information about organisations, companies and agencies but applies to named persons, such as individual volunteers of the Group.



Applying the Data Protection Act within KRT

Whilst access to personal information is limited to the staff and volunteers at KRT, Volunteers at the KRT may undertake additional tasks which involve the collection of personal details from members of the public e.g Gift Aid.

In such circumstances we will let people know why we are collecting their data and it is our responsibility to ensure the data is only used for this purpose.

Correcting data 

Individuals have a right to have data corrected if it is wrong, to prevent use which is causing them damage or distress or to stop marketing information being sent to them.


KRT is the Data Controller under the Act, and is legally responsible for complying with Act, which means that it determines what purposes personal information held will be used for.

The management committee will take into account legal requirements and ensure that it is properly implemented, and will through appropriate management, strict application of criteria and controls:

·         Observe fully conditions regarding the fair collection and use of information,

·         Meet its legal obligations to specify the purposes for which information is used,

·         Collect and process appropriate information, and only to the extent that it is needed to fulfill its operational needs or to comply with any legal requirements,

·         Ensure the quality of information used,

·         Ensure that the rights of people about whom information is held, can be fully exercised under the Act.   These include:

o   The right to be informed that processing is being undertaken

o   The right of access to one’s personal information

o   The right to prevent processing in certain circumstances e.g. withhold consent for photos to be used in KRT publications, and

o   The right to correct, rectify, block or erase information which is regarded as wrong information

·         Take appropriate technical and organisational security measures to safeguard personal information,

·         Ensure that personal information is not transferred abroad.

·         Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation, genetic, biometric makeup or ethnicity when dealing with requests for information,

·               Set out clear procedures for responding to requests for information


·         Procedures for dealing with Personal Data:

a)    Patients are entitled to inspect their own medical records, both paper and electronic, The patient must make an appointment with the coordinator and must attend in person. The patient will be given a private area for the inspection. In line with GDPR patients are also entitled to request their records in electronic form. This will be adhered to.

b)    If the patient wishes someone else to act on their behalf, we will need written authority form the patient, and some form of identification from the person acting on the patient’s behalf.

c)    Patient data such as appointments may be sent by Royal Mail. KRT does not use fax.

d)    Letters to GP or consultant: The Privacy Note to patients states that clinical letters will be sent to their GP/Consultants as part of the care plan. All letters are copied to the patient.

·         Consent

Patients give consent or not for their personal data to be used for research purposes. It is made clear to patients that consent for this can be withdrawn at any time. (see appendix B).

·         Removable media

a)    Any patient data put on a removable media must be encrypted to comply with NHS Information Governance policy

b)    It is the responsibility of all staff to keep their passwords secure. They should not be shared with anyone. All staff undergo yearly CPD training in Data Security.

·         Staff

a)    All staff sign a confidentiality clause on their first day of work.

b)    The staff handbook contains a section on patient confidentiality. All staff are sent an electronic copy of the handbook as part of their induction. They are also alerted to where to find the hard copy.


The Data Protection Officer on the management committee is:

Name   Ingrid Hermansen

Contact Details     Ingrid.hermansen1@nhs.net / 07712810108


The Data Protection Officer will be responsible for ensuring that the policy is implemented and will have overall responsibility for:

·           Everyone processing personal information understands that they are contractually responsible for following good data protection practice

·           Everyone processing personal information is appropriately trained to do so

·           Everyone processing personal information is appropriately supervised

·           Anybody wanting to make enquiries about handling personal information knows what to do

·           Dealing promptly and courteously with any enquiries about handling personal information

·           Describe clearly how KRT handles personal information

·           Will regularly review and audit the ways it hold, manage and use personal information

·           Will regularly assess and evaluate its methods and performance in relation to handling personal information 

·           All  staff and volunteers are aware that a breach of the rules and procedures identified in this policy may lead to legal action being taken against them and that KRT is required by law to report any serious breach to the IOC.

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act 1998.

In case of any queries or questions in relation to this policy please contact the KRT Data Protection Officer.

Data collection

Informed consent

Informed consent is when

§  A Data Subject clearly understands why their information is needed, who it will be shared with, the possible consequences of them agreeing or refusing the proposed use of the data

§  and then gives their consent.

KRT will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, or by completing a form.

When collecting data, KRT will ensure that the Data Subject:

·         Clearly understands why the information is needed

·         Understands what it will be used for and what the consequences are should the Data Subject decide not to give consent to processing

·         As far as reasonably possible, grants explicit consent, either written or verbal for data to be processed

·         Is, as far as reasonably practicable, competent enough to give consent and has given so freely without any duress

·         Has received sufficient information on why their data is needed and how it will be used

Data Storage

Information and records relating to service users will be stored securely and will only be accessible to authorised members of staff.

Information will be stored for only as long as it is needed or required statute and will be disposed of appropriately.

It is KRT’s responsibility to ensure all personal and company data is non-recoverable from any computer system previously used within the organisation, which has been passed on/sold to a third party.

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the Data Protection Act 1998.

Data Subject Access Requests

Members of the public may request certain information from the Local Authority under the Freedom of Information Act 2000. The Act does not apply to KRT. However if at anytime we undertake the delivery of services under contracts with the Local Authority we may be required to assist them to meet the Freedom of Information Act request where we hold information on their behalf.


KRT needs to share data with other agencies such as other medical professionals involved in the person’s care. This line of communication is the reverse of the line of communication that brought the patient to KRT.   Where personal data has to be shared with 3rd parties such as DWP, solicitors, local social services it will happen at the request of the Data Subject and be drawn up in collaboration with them. It is the responsibility of the Data Subject to send off any letter to 3rd parties.

 There are circumstances where the law allows KRT to disclose data (including sensitive data) without the data subject’s consent.  

These are:

1.    Carrying out a legal duty or as authorised by the Secretary of State

2.    Protecting vital interests of a Data Subject or other person

3.    The Data Subject has already made the information public

4.    Conducting any legal proceedings, obtaining legal advice or defending any legal rights 

5.    Monitoring for equal opportunities purposes – i.e. race, disability or religion

6.    Providing a confidential service where the Data Subject’s consent cannot be obtained or where it is reasonable to proceed without consent: e.g. where we would wish to avoid forcing stressed or ill Data Subjects to provide consent signatures.

KRT regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom we deal. 

KRT intends to ensure that personal information is treated lawfully and correctly.

Risk Management 

The consequences of breaching Data Protection can cause harm or distress to service users if their information is released to inappropriate people, or they could be denied a service to which they are entitled. Volunteers should be aware that they can be personally liable if they use service user’s personal data inappropriately.  This policy is designed to minimise the risks and to ensure that the reputation of KRT is not damaged through inappropriate or unauthorised access and sharing.

Destroying personal data.

Medical data is kept in accordance with the legal obligations. Other personal data, e.g. from donors, recipients of newsletters will be destroyed after 3 years if renewed consent is not given.

Further information 

If members of the public/or stakeholders have specific questions about information security and data protection in relation to the KRT please contact the Data Protection Officer:

The Information Commissioner’s website (www.ico.gov.uk) is another source of useful information. 

GDPR provisions

Where not specified previously in this policy, the following provisions will be in effect on or before 25 May 2018.


Privacy Notice - transparency of data protection


Being transparent and providing accessible information to individuals about how we will use their personal data is important for our organisation. The following are details on how we collect data and what we will do with it:


What information is being collected?

From staff:

1.       Full name, address, Date of Birth,

2.       Contact details: phone, email

3.       CV including Diplomas/ Certificates

4.       DBS check

5.       Professional indemnity insurance arrangements


From patients:

1.       Referral letter will include name, address, contact details of the individual as well as their GP,  NHS number, Date of birth, summary of medical history, letters pertaining to the referral. A copy of the referral letter goes to the patient.

Who is collecting it?

KRT medical Officer and co-ordinator

How is it collected?

Staff members submit details to co-ordinator as part of the recruitment process

Patient’s details arrive in the NHS email or letter addressed to the Medical Officer

Why is it being collected?

Information is collected for the safe and smooth running of the service.

How will it be used?

Information will be used to carry out the business of KRT: provide medical therapeutic care, communicate with individuals, safe guard vulnerable adults and children in the service.

Who will it be shared with?

Information is shared with HCPs involved in the care of the individual in accordance with NHS policies on this. It will be shared with 3rd parties e.g. local authorities, legal representatives, other charities involved in a particular case only with the explicit consent of the individual. All letters re copied to the data subject who is responsible for mailing letters to 3rd parties themselves.

Identity and contact details of any data controllers

 Data Protection Officer: Ingrid Hermansen, Forum at Greenwich, Trafalgar Road, London SE10 9EQ.

Email: Ingrid.hermansen1@nhs.net

Tel: 07712810108

Details of transfers to third country and safeguards

There is no need for transfer of personal data except for in a fully anonymised format in connection with research for which explicit consent is obtained.

Retention period

In compliance with current legislation. Information about non-patients will be destroyed after 3 years. (e.g. donors, people receiving our newsletter) These individuals will be asked to agree to stay on our mailing list beyond this time.

Personnel files must legally be retained for 6 years

Patient files retained for 12 years.

Conditions for processing


We will ensure any use of personal data is justified using at least one of the conditions for processing and this will be specifically documented. All staff responsible for processing personal data will be aware of the conditions for processing. The conditions for processing will be available to data subjects in the form of a privacy notice.

Justification for personal data

We will process personal data in compliance with all six data protection principles.


We will document the additional justification for the processing of sensitive data, and will ensure any biometric and genetic data is considered sensitive.


The data that we collect is subject to consent by the data subject. (as part of the referral process which the patient has requested).Letters written to support a benefit claim are done on request only and in collaboration with the Data Subject. They are  given to the individual for approval and is sent off by the Data Subject. Consent is sought for access to medical records for research purposes. This consent can be revoked at any time as stated on the consent form. See appendix B


Criminal record checks


All staff at KRT are required to undergo Enhanced DBS checks as we work with people in a vulnerable state.

Data portability

Upon request, a data subject has the right to receive a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. A data subject may also request that their data is transferred directly to another system. This must be done for free.

Right to be forgotten

A data subject may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies. All medical records must be kept for 12 years, Personnel files for 6 years.

Privacy by design and default

Privacy by design is an approach to projects that promote privacy and data protection compliance from the start. The DPO will be responsible for conducting Privacy Impact Assessments and ensuring that all IT projects commence with a privacy plan.


When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.

International data transfers

KRT has no need to transfer personal data abroad and does not allow it. Anonymised data may be transferred. Everyone, whose data has been anonymised for research purposes have given written consent,.

Data audit and register


Regular data audits to manage and mitigate risks will inform the data register. This contains information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.


Reporting breaches


All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:


·         Investigate the failure and take remedial steps if necessary


·         Maintain a register of compliance failures


·         Notify the Supervisory Authority (SA) of any compliance failures that are material either in their own right or as part of a pattern of failures


Please refer to our Compliance Failure Policy for our reporting procedure.




Everyone must observe this policy. The DPO has overall responsibility for this policy. They will monitor it regularly to make sure it is being adhered to.


Consequences of failing to comply

We take compliance with this policy very seriously. Failure to comply puts both you and the organisation at risk.


The importance of this policy means that failure to comply with any requirement may lead to disciplinary action under our procedures which may result in dismissal.

If you have any questions or concerns about anything in this policy, do not hesitate to contact the DPO.


Signed: ___________________________________                                                  

Dated: ____________________________________

Review Date: _______________________________










Appendix A


Forum at Greenwich
Trafalgar Road
London SE10 9EQ







The reasons for the Policy:


·         all information held at the Kairos Rehabilitation Trust (KRT) about patients is confidential, whether held electronically or in hard copy

·         other information about KRT(for example its financial matters, staff records) is confidential

·         staff will by necessity have access to such confidential information from time to time




The policy applies to all employees, and also applies in principle to other people who work at KRT e.g. self-employed staff, temporary staff and contractors – collectively referred to herein as ‘workers’.



·         Workers must not under any circumstances disclose patient information to anyone outside KRT, except to other health professionals on a need to know basis, or where the patient has provided written consent.

·         All information about patients is confidential: from the most sensitive diagnosis, to the fact of having been referred to or visited Kairos.  This includes information about patient’s families or others associated with them.

·         Workers must not under any circumstances disclose other confidential information about KRT to anyone outside the organisation unless with the express consent of the co-ordinator or medical officer.

·         Workers should limit any discussion about confidential information only to those who need to know within Kairos.

·         The duty of confidentiality owed to a person under 16 is as great as the duty owed to any other person.

·         Workers must be aware of and conform to the requirements of the Caldicott recommendations.

·         All patients can expect that their personal information will not be disclosed without their permission (except in the most exceptional circumstances when disclosure is required when somebody is at grave risk of serious harm).

·         Where disclosure of information is required which is non-routine in nature the patient will, where possible be fully informed of the nature of the disclosure prior to this being released.

·         Electronic transfer of any confidential information, once approved by the co-ordinator or medical officer, must be transmitted via the NHS Net.  Workers must take particular care that confidential information is not transmitted in error by email or over the Internet.

·         Workers must not take data from the organisation’s computer system (e.g. on a memory stick or removable drive) off the premises unless authorised to do so by the co-ordinator or medical officer.

·         Workers who suspect a breach of confidentiality must inform the co-ordinator or medical officer. Any breach of confidentiality will be considered as a serious disciplinary offence and may lead to dismissal.

·         Workers remain bound by the requirement to keep information confidential even if they are no longer working for/ employed by KRT. Any breach, or suspected breach, of confidentiality after the worker has left the organisation’s employment will be passed to the trust’s lawyers for action.




All health professionals must follow their professional codes of practice and the law. This means that they must make every effort to protect confidentiality. It also means that no identifiable information about a patient is passed to anyone or any agency without the express permission of that patient, except when this is essential for providing care or necessary to protect somebody’s health, safety or well-being.


All health professionals are individually accountable for their own actions. They should, however, also work together as a team to ensure that standards of confidentiality are upheld, and that improper disclosures are avoided.


Additionally, KRT as Employers:


·         Is responsible for ensuring that everybody employed by the organisation understands the need for, and maintains, confidentiality.

·         has overall responsibility for ensuring that systems and mechanisms are in place to protect confidentiality.

·         has vicarious liability for the actions of those working in the organisation– including health professionals and non-clinical staff  (i.e. those not employed directly by Kairos but who work in the organisation).


Standards of confidentiality apply to all health professionals, administrative and ancillary staff - including receptionists, workshop leaders, co-ordinator, cleaners and maintenance staff who are bound by contracts of employment to maintain confidentiality. They must not reveal, to anybody outside the organisation, personal information they learn in the course of their work, or due to their presence on the premises, without the patient’s consent. Nor will they discuss with colleagues any aspect of a patient’s treatment in a way that might allow identification of the patient unless to do so is necessary for the patient’s care.


If Disclosure is Necessary


If a patient or another person is at grave risk of serious harm which disclosure to an appropriate person would prevent, the relevant health professional can take advice from colleagues within the organisation, of from a professional / regulatory / defence body, in order to decide whether disclosure without consent is justified to protect the patient or another person. If a decision is taken to disclose, the patient should always be informed before disclosure is made, unless to do so could be dangerous. If at all possible, any such decisions should be shared with another member of the medical therapeutic team.

Any decision to disclose information to protect health, safety or well-being will be based on the degree of current or potential harm, not the age of the patient.



Forum at Greenwich
Trafalgar Road
London SE10 9EQ


Staff confidentiality agreement




·         Be aware that careless talk can lead to a breach of confidentiality – discuss your work only with authorised personnel, preferably in private.

·         Always keep confidential documents away from prying eyes

·         Verbal reporting should be carried out in private.  If this is not possible, it should be delivered in a volume such that it can only be heard by those for whom it is intended.

·         When asking for confidential information in circumstances where the conversation can be overheard by others, conduct the interview in as quiet and discreet a manner as possible and preferably find somewhere private for the discussion.

·         Information should be given over the telephone only to the patient or, in the case of children, to their parent or guardian.  Precautions should be taken to prevent the conversation being overheard.  Care must be taken to ensure that the duty of confidentiality to a minor is not breached, even to a parent.

·         The duty of confidentiality owed to a person under 16 is as great as the duty owed to any other person.

·         When using computers, unauthorised access should be prevented by password protection and physical security such as closing/locking the doors when officers/consulting rooms are left unattended. 

·         Where possible VDU screens should be positioned so they are visible only to the user. 

·         Unwanted paper records should be disposed of safely in shredders on site. 

·         Computer files on  USB drives should be deleted when no longer required


·         If you are unsure about authorisation to disclose, or a person’s authorisation to receive confidential information, always authorisation from the  co-ordinator or medical officer before disclosing any personal health information

·         Original Medical records and information must not be handed to the patient or relative.  Copies may be provided following appropriate application, consent and recording.

·         Traffic of medical records and information must be coordinated by the appropriate KRT staff.





I understand that all information about patients held by Kairos Rehabilitation Trust is strictly confidential, including the fact of a particular patient having visited the organisation.

I will abide by the confidentiality guidelines set out below.

I have read the Staff Confidentiality Policy above and fully understand my obligations and the consequences of any breach of confidentiality. I understand that a breach of these obligations may result in dismissal.


I understand that any breach, or suspected breach, of confidentiality by me after I have left the organisation will be passed to KRT’s lawyers for action.


If I hold a professional qualification and my right to Practice depends on that qualification being registered with a governing body, it is my responsibility to have read and understood their advice on confidentiality.










Print | Sitemap
© kairos rehabilitation