Retention Overview
For the avoidance of doubt, where it concerns Provider-contributed data, the Provider will be the sole determining party as to the data retention within PKB. The following Deletion vs. Retention Matrix illustrates typical scenarios; PKB does not independently make any determination about retention where it concerns Provider-contributed data.
...
The following principles apply in all cases:
Where a controller, the controller must specify their lawful basis for processing and expected deletion. Deletion must be justified and documented (GDPR Article 5(1)(e)).
Where a processor, data must be deleted on the instruction of the controller unless there is a separate duty to process, including retention (GDPR Article 28(3)(g)).
Where joint controllers, each controller's purpose, lawful basis and retention should be documented in the JCA.
Where the PKB data is in a Patient Account, the data subject may request the deletion, and this will be implemented unless another legal duty applies, in which case the data subject will be informed and the data will be deleted at the earliest opportunity.
Where the PKB data is in the Patient Record, deletion requests will be handled as noted in the matrix above.
Definitions:
A Patient Record comprises data sourced from health and social care provider records and other records which may be accessed by Healthcare Professionals (HCPs) from single or multiple source organisations.
...