Data Retention
Â
Retention Overview
For the avoidance of doubt, where it concerns Provider-contributed data, the Provider will be the sole determining party as to the data retention within PKB. The following Deletion vs. Retention Matrix illustrates typical scenarios, PKB does not, independently, make any determination about retention where it concerns Provider-contributed data.
For Patient-contributed data, the Patient is the determining party. PKB will retain Patient-contributed data for a minimum of 8 years unless otherwise indicated by the Patient. Where this Patient-contributed data has been accessed by a Provider it becomes part of the Patient Record and the deletion request is then handled by the Provider.
Deletion vs. Retention Matrix
The following principles apply in all cases:
Where a controller, the controller must specify their lawful basis for processing and expected deletion. Deletion justification must be justified and documented (GDPR Article 5(1)(e))
Where a processor, data must be deleted on the instruction of the controller unless there is a separate duty to process, including retention (GDPR Article 28(3)(g))
Where joint controllers, each controller purpose, lawful basis and retention should be documented in the JCA
Where the PKB data is in a Patient Account, the data subject may request the deletion and this will be implemented unless another legal duty applies, in which case the data subject will be informed and the data will be deleted at the earliest opportunity
Where the PKB data is in the Patient Record, deletion requests will be handled as noted in the matrix above.
Definitions:
A Patient Record comprises data sourced from health and social care provider records and other records which may be accessed by Healthcare Professionals (HCPs) from single or multiple source organisations
A Patient Account is created when the data subject has activated their access to their record and exercises control over who can see what of their data and may also contribute to their record
Â