...
Retention Overview
For the avoidance of doubt, where it concerns Provider-contributed data, the Provider will be the sole determining party as to data retention within PKB. The following Deletion vs. Retention Matrix illustrates typical scenarios; PKB does not independently make any determination about retention where it concerns Provider-contributed data.
For Patient-contributed data, the Patient is the determining party. PKB will retain Patient-contributed data for a minimum of 8 years unless otherwise indicated by the Patient.
Deletion vs. Retention Matrix
...
The following principles apply in all cases:
Where a controller, the controller must specify their lawful basis for processing and expected deletion. Deletion must be justified and documented (GDPR Article 5(1)(e)).
Where a processor, data must be deleted on the instruction of the controller unless there is a separate duty to process, including retention (GDPR Article 28(3)(g)).
Where joint controllers, each controller's purpose, lawful basis and retention should be documented in the JCA.
Where the PKB data is in a Patient Account, the data subject may request deletion, and this will be implemented unless another legal duty applies, in which case the data subject will be informed and the data will be deleted at the earliest opportunity.
Where the PKB data is in the Patient Record, deletion requests will be handled as noted in the matrix above.