Data Protection by Design
Summary
Patients Know Best is committed to protecting personal data in compliance with GDPR and the UK Data Protection Act 2018. This policy outlines our principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, security, and accountability. It applies to all personal data handled by PKB employees, contractors, and third parties across global operations. Robust measures, including access controls, encryption, auditing, and incident management, ensure data is secure. PKB respects data subject rights and enforces strict compliance, with disciplinary actions for breaches. Regular reviews and training embed accountability and safeguard trust with patients and partners.
1. Purpose
Patients Know Best is committed to handling personal data responsibly, securely, and in full compliance with the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. This policy provides a framework for collecting, processing, storing, and disposing of personal data in a secure and lawful manner. By adhering to these principles, Patients Know Best ensures transparency in its data processing practices, enabling individuals to understand how their data is used and building trust with patients, customers, employees, and partners. This policy reflects the organisation’s dedication to safeguarding the rights of data subjects and maintaining accountability for its data protection practices.
2. Scope
This policy applies to all personal data processed by Patients Know Best, whether in electronic, paper, or other formats, and across all aspects of our operations. It encompasses all data processing activities, including collection, storage, access, sharing, and disposal, ensuring that data is handled securely and in compliance with applicable legislation and regulatory requirements.
The policy is applicable to:
All employees of PKB, including permanent, temporary, and contract staff.
Third-party suppliers, partners, and service providers who process data on PKB’s behalf.
All personal and sensitive data processed by PKB, including but not limited to data relating to patients, employees, customers, and suppliers.
This policy covers all data processing activities conducted across PKB’s systems, services, and locations, regardless of geography. It applies equally to data processed within the UK and internationally, ensuring compliance with relevant local and global data protection laws.
For clarity, this policy outlines PKB’s responsibilities as both a data controller and a data processor, depending on the context. Where PKB acts as a data processor on behalf of its customers, the processing activities will also be governed by customer-specific agreements and directives.
3. Data Protection Principles
Patients Know Best is committed to ensuring that all personal data is processed in accordance with the core principles of data protection as outlined in the General Data Protection Regulation (GDPR). These principles guide every aspect of our data handling practices, ensuring compliance, accountability, and respect for the rights of individuals.
Lawfulness, Fairness, and Transparency
Patients Know Best processes personal data lawfully, fairly, and transparently. Individuals are fully informed about how their data is collected, used, shared, and stored through clear and accessible privacy notices.
Purpose Limitation
Personal data is collected for specific, explicit, and legitimate purposes. PKB does not process personal data in a way that is incompatible with these purposes unless justified by law.
Data Minimisation
Patients Know Best collects only the data that is necessary for the intended purpose. We ensure that data collection is proportionate and limited, avoiding the unnecessary gathering of excessive or irrelevant information.
Accuracy
Personal data is maintained to ensure its accuracy and reliability. PKB takes reasonable steps to correct or delete data that is inaccurate or outdated, ensuring that decisions based on this data are fair and appropriate.
Storage Limitation
Personal data is retained only for as long as necessary to fulfil its intended purpose, in line with PKB’s Retention Register and legal obligations. Once no longer required, data is securely deleted or anonymised to prevent unauthorised use.
Integrity and Confidentiality (Security)
PKB ensures personal data is processed securely, protecting it from unauthorised access, loss, alteration, or destruction. Technical and organisational measures are in place to safeguard the confidentiality, integrity, and availability of all personal data under our control.
Accountability
PKB takes responsibility for compliance with these principles and demonstrates this through documented policies, training programs, audits, and ongoing monitoring. We maintain comprehensive records of processing activities and ensure that all staff are aware of their responsibilities under this policy.
By adhering to these principles, PKB ensures that personal data is handled with the highest standards of care and in full compliance with data protection laws, safeguarding the trust placed in us by our patients, customers, employees, and partners.
4. Roles and Responsibilities
The Chief Executive Officer holds overall accountability for PKB’s compliance with data protection laws and ensures that the organisation meets its obligations under the General Data Protection Regulation (GDPR) and other relevant standards. This includes providing leadership and ensuring adequate resources are allocated to support data protection practices across the organisation.
Senior Information Risk Owner (SIRO) is accountable to the Executive Team and the Chief Executive for ensuring that PKB has policies, governance structures, and risk management frameworks in place to protect personal and sensitive data. This role involves providing assurance that technical and organisational measures comply with legal and regulatory standards and supporting the implementation of effective controls.
The Data Protection Officer (DPO) plays a central role in monitoring compliance with data protection legislation and this policy. The DPO provides independent, risk-based advice to the Executive Team, the SIRO, and all employees on data privacy matters, supporting decisions about the processing of personal and special category information within the principles and individual data subject rights set out in data protection legislation. The DPO also manages PKB’s responses to the Information Commissioner’s Office.
Managers are responsible for ensuring that the staff within their teams are aware of and adhere to PKB’s data protection policies and procedures. Managers must ensure that team members complete data protection training and that any incidents or breaches are reported promptly to the Information Governance Team.
The Information Governance Team provides operational support and oversight for data protection across PKB. This includes maintaining policies and procedures, auditing processing activities, and ensuring training programs are effective. The IG Team investigates data protection incidents, coordinates breach responses, and ensures PKB complies with reporting requirements. It also advises on lawful processing activities and monitors organisational compliance.
The Information Security Team is responsible for implementing and maintaining the technical measures necessary to protect personal data and mitigate security risks. This includes managing encryption, access controls, and monitoring tools, as well as responding to technical incidents to safeguard PKB’s systems and data.
All staff, contractors, and third parties have a personal responsibility to ensure that data is handled securely and in compliance with PKB’s policies. They must report any suspected or actual breaches promptly to the IG Team and follow all guidance issued by the DPO. Staff must also ensure that data is accessed and shared only with authorised individuals and is stored in a secure manner to prevent unauthorised access or misuse.
More detailed guidance for individual teams on implementing information security and data privacy within their work can be found on the internal wiki.
In addition to the above, all staff have a responsibility to notify the Finance team of any changes in their own circumstances, such as a change of contact details, so that all personnel records are accurate and complete.
5. Policy
Patients Know Best (PKB) is committed to the responsible, secure, and lawful processing of personal data. This policy establishes a clear framework to ensure that all personal and sensitive information handled by PKB is protected against unauthorised access, misuse, and loss. It demonstrates our dedication to meeting legal and regulatory obligations, safeguarding the trust of patients, customers, employees, and partners.
Data Protection Measures
To protect personal and sensitive data, PKB implements technical and organisational controls, including:
Access Controls: Role-based access is enforced to ensure that only authorised personnel can view or process personal data.
Encryption: All data at rest and in transit is encrypted using industry-recognised standards to prevent unauthorised access.
Monitoring and Auditing: Systems are regularly monitored to identify and address vulnerabilities, and audits are conducted to ensure compliance with policies and procedures.
Incident Management: PKB has established procedures for identifying, reporting, and responding to data breaches or security incidents. All incidents are thoroughly investigated, with lessons learned used to strengthen future controls.
Retention and Disposal: Data is retained only as long as necessary to meet its intended purpose, after which it is securely deleted or anonymised in line with PKB’s Retention Register and legal requirements.
Transparency and Accountability
PKB is committed to maintaining transparency in its data processing activities. Privacy notices clearly outline how personal data is collected, used, shared, and stored, ensuring that individuals are informed of their rights and the measures taken to protect their information.
Accountability is embedded throughout the organisation, with clear roles and responsibilities assigned to ensure compliance with this policy. Regular training and awareness programs are provided to all staff to ensure a shared understanding of data protection principles and obligations.
Compliance with Legal Obligations
This policy reflects PKB’s adherence to data protection legislation, including the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. It is underpinned by procedures and practices designed to demonstrate compliance with these laws, including:
Maintaining up-to-date records of processing activities.
Conducting data protection impact assessments (DPIAs) for high-risk processing activities.
Ensuring data subject rights, such as access, rectification, and erasure, are respected and facilitated.
Non-Compliance
PKB information and systems remain the property of PKB at all times. PKB reserves the right to monitor compliance with PKB policies in accordance with applicable laws, with due regard and respect for the fair treatment of all individuals, and to protect its infrastructure and network from systems and events that threaten or degrade operations.
PKB reserves the right to copy and examine PKB owned files or information resident on systems or devices. If the device or its use is in contradiction to PKB policy or allegedly related to unacceptable use, those responsible may be subject to disciplinary action up to and including dismissal, and where applicable, may be referred to law enforcement agencies for prosecution.
Failure to comply with this policy may result in disciplinary action for PKB staff, up to and including dismissal, or contract termination for third parties. Serious breaches may be referred to regulatory authorities or law enforcement, depending on their nature and severity.
6. Monitoring and Review
Patients Know Best is committed to ensuring that this Data Protection Policy remains effective, relevant, and aligned with current legal, regulatory, and operational requirements. Regular monitoring and review processes are in place to assess compliance with the policy, address emerging risks, and incorporate advancements in data protection practices.
The Data Protection Officer, in collaboration with the Information Governance Team, is responsible for overseeing the policy’s effectiveness and ensuring that it reflects the latest developments in data protection laws, including the General Data Protection Regulation and the UK Data Protection Act 2018. This includes:
Conducting annual reviews of the policy to ensure alignment with organisational objectives and regulatory obligations.
Revising the policy following significant changes in legislation, technology, or operational practices.
Coordinating regular audits of PKB’s data protection practices to identify areas for improvement and ensure compliance.
8. Third-Party Disclosures and Audit Logging
Patients Know Best (PKB) maintains strict controls and transparency regarding any disclosure of Personally Identifiable Information (PII) and Personal Identifiable Data (PID) to third parties.
8.1 Record of Disclosures
PKB maintains a detailed and accurate log of all authorised disclosures of PII/PID to third parties. This log includes:
The identity of the receiving party
The categories of PII/PID disclosed
The date and legal basis of disclosure
Any supporting authorisations (e.g. patient consent, lawful requests)
These records support regulatory obligations under the UK GDPR, Data Protection Act 2018, and SOC 2 control requirements, and are retained securely in accordance with PKB’s data retention schedule.
8.2 Notification of Legally Binding Requests
If PKB receives a legally binding request (e.g. court order or regulatory demand) to disclose PII/PID, PKB will:
Assess the legality and scope of the request
Promptly notify the relevant Data Controller of the request, where PKB is acting as a Processor
Inform the affected Data Subject of the disclosure request, unless prohibited by law or court order
Where legally restricted from notifying a Data Subject, PKB will document the reason for non-disclosure.
8.3 Medico-Legal Audit Trail
For its role in supporting clinical care, PKB maintains a comprehensive, medico-legal audit trail within the Personal Health Record (PHR). This includes records of:
Who accessed or modified data
When the access occurred
What data was shared and with whom
This audit trail is:
Available to the Controller (e.g. health organisation) upon request
Retained in line with medico-legal and professional standards
Protected by strong security and access controls
8.4 Data Subject - Access to Sharing History
Registered PKB users (Data Subjects) have real-time visibility into:
Who has accessed their record
Which organisations or professionals have viewed or contributed data
Their own sharing permissions and activity
This ensures patients are empowered to monitor and manage access to their health record in accordance with transparency and accountability principles under UK GDPR.
Appendix A
Examples of Personal Data and Special Category Data items are shown in the table below.
| Personal Information | Special Category Information (sensitive personal data) |
|---|---|
| Name | Health Data |
| Personal Address | Biometric Data |
| Personal Telephone Number | Genetic Data |
| Personal Email Address | Race |
| Date of Birth | Ethnic Origin |
| National Insurance Number | Political Opinions |
| Nationality | Religion |
| Passport Details | Philosophical Beliefs |
| Driving Licence Details | Trade Union Membership |
| Personal IP Address | Data concerning a Natural Person’s sex life |
| Signature | Sexual Orientation |
| Job Title | Personal Financial Information |
| Personal Vehicle Registration | |
| Employment History | |
| Personal Salary & Benefits Details | |
| Criminal Records | |
| Business Email Address | |
| Business Address | |
| Business Telephone Number | |
| Skype ID | |
Revision History
| Version | Date | Editor | Reviewer | Approver | Description |
|---|---|---|---|---|---|
| 1.0 | 19.11.25 | Sarah Roberts | Selina Davis-Edwards | David Grange | Reviewed in line with SOC2 requirement. |
© Patients Know Best, Ltd. Registered in England and Wales Number: 6517382. VAT Number: GB 944 9739 67.