Data Protection

Patients Know Best Governance

Registered Address

Patients Know Best, Ltd. Registered in England and Wales Number: 6517382. VAT Number: GB 944 9739 67.

Registered Office:

Patients Know Best

St John's Innovation Centre, Cowley Road, Milton, Cambridge, CB4 0WS

Patients Know Best B.V. Handelsregister 76822613.

Registered Office:

Patients Know Best B.V.,

Van Heuven Goedhartlaan 935 A, 1181LD, Amstelveen, Amsterdam, The Netherlands

Leadership & Oversight

David Grange

Patients Know Best

Address: St John's Innovation Centre, Cowley Road, Milton, Cambridge, CB4 0WS

Email: dpo@patientsknowbest.com

Phone: 01223 790708

ICO Registration: Z2704931

David Grange

Patients Know Best B.V.,

Van Heuven Goedhartlaan 935 A, 1181LD, Amstelveen, Amsterdam, The Netherlands

Email: dpo@patientsknowbest.com

Phone: +44 1223 790708

AP Registration: FG012552

Mohammad Al-Ubaydli

Chief Executive Officer

Patients Know Best

St John's Innovation Centre, Cowley Road, Milton, Cambridge, CB4 0WS

Mate Varga

Chief Technology Officer

Patients Know Best

St John's Innovation Centre, Cowley Road, Milton, Cambridge, CB4 0WS


Data Protection Principles

PKB follows the law to handle data fairly and legally. Most of the time, PKB acts as a "Data Processor," which means it provides the secure platform for hospitals or GPs to show patients their records. If a patient adds their own information, PKB acts as a "Data Controller," meaning it is responsible for looking after it. PKB gives individuals a Privacy Notice when they sign up so they know exactly how their data is used.

The organisation only uses information to manage health records and provide the service. PKB does not use data for commercial purposes and does not sell it to others.

PKB holds the information sent by healthcare providers and only asks for the basic details needed to set up a patient's account. Patients have complete choice over what extra information they want to add to their record.

Healthcare teams are responsible for keeping the records they send up to date. Providers ensure data accuracy by regularly updating data from their own platforms via API interfaces. Data accuracy and requests for erasure of data within the patient record are handled in accordance with the Provider's local information rights policies. Patients can update or amend any information that they have contributed to PKB themselves.

In most cases, personal data within the patient record is retained for 8 years after last access, aligned with the NHS Records Management Code of Practice. Patient-inputted data that has not been shared with the provider will be deleted at the patient's request. Exceptions apply in specialties where retention periods are different. Retention terms are stipulated in the Data Processing Contract (DPC); at the Provider's request, PKB is able to adopt any schedule the controller specifies.

PKB maintains a high level of security through technical and organisational measures, including annual penetration testing, adherence to the Data Security and Protection Toolkit, Cyber Essentials Plus, and role-based training for employees. Personal data is encrypted, so that it can only be accessed by authorised users for the purpose of managing the healthcare record and providing the service. Patients also have controls of their own, for example over who may access their health record, and can amend privacy labels.

Patients Know Best (PKB) ensures accountability through its Data Protection Officer and by maintaining accurate Records of Processing Activities that specify the purpose and duration of each processing activity.

PKB proactively addresses data protection concerns by implementing Data Protection by Design principles in information system development and incident response.

Data Subject Rights

PKB ensures that data subjects are informed about how their data is processed through transparent and clear communication. This includes information about data collection, processing purposes, and data subject rights.

  • Privacy Notice: Our Privacy Notice explains how data is collected, used and protected.

  • User Agreement: Our User Agreement outlines an individual’s rights and responsibilities when using our services.

  • PKB Platform (Access Log): Access logs in our web application allow individuals to track interactions with their data.

  • Blog and Video Segments: We regularly share informative content to keep individuals updated on best practices and relevant information regarding their data and privacy.

  • PKB Patient Manual and Trust Centre: Our patient manual and Trust Centre provide detailed information about data handling, security and privacy practices.

  • The Provider, as Data Controller, is responsible for ensuring adherence to the Right to be Informed where PKB is the Data Processor.

The Provider, through their contract with the PKB platform, grants data subjects the right to access their personal data. Where PKB is the Data Controller, PKB is only processing data which has been supplied by the patient.

Patients may access their data through the Patients Know Best (PKB) platform, and providers can always access data they have entered.

The Data Controller is responsible for rectification of the data it has contributed, and the patient has functionality within the PKB platform to rectify data they have entered themselves.

Data subjects can request data rectification through the PKB portal. PKB does not modify data without the Data Controller's specific instructions, ensuring data accuracy and integrity.

While data subjects may have the Right to Erasure in certain circumstances, given PKB is considered a healthcare record this right may not apply. The Data Controller is the sole determining party for evaluating how this right is upheld. Where PKB is a Data Controller, and where that data has not been shared with a Controller, the patient is the sole determining party for the erasure of that data.

Patients have the Right to Restrict Data Processing, which can be facilitated in PKB through mechanisms such as "Stop Sharing", "Disable Sharing" or by changing privacy labels. Where the patient wishes to restrict processing by the Provider (Data Controller), the patient must contact the Controller directly.

Patients Know Best supports data portability by enabling patients to grant access to their health records directly through the platform, ensuring secure and seamless sharing with others.

The patient can object to processing and enable mechanisms through the PKB Portal that restrict the processing. They cannot, however, object to the processing where PKB is a Data Processor; in that case the objection must be handled by the Data Controller.

Patients Know Best does not use any automated decision making or profiling.


Lawful Basis

What are Data Controllers and Data Processors?

UK GDPR

For Provider-contributed data to the PKB Patient Record.

  • Providers are the Data Controllers - Their lawful bases for processing must be determined by the Providers. For example, in the case of NHS Trusts, the lawful bases for processing personal data are generally, but not exclusively, Article 6(1)(e) Public Task and Article 9(2)(h) Health & Social Care, UK GDPR.

  • Patients Know Best are the Data Processor - PKB operates under the explicit instruction and authority of the Data Controller, under the Controller's lawful bases.

PKB and the Provider are Joint Controllers for data points that are contributed to the PKB Record by a patient-user and accessed by Provider teams.

  • Providers are Joint Controller - Their lawful bases for processing must be determined by the Providers. For example, in the case of NHS Trusts, the lawful bases for processing personal data are generally, but not exclusively, Article 6(1)(e) Public Task and Article 9(2)(h) Health & Social Care, UK GDPR.

  • Patients Know Best are Joint Controller - PKB operates under Article 6(1)(e) Public task (in assisting the NHS Provider to deliver their statutory function) and Article 9(2)(g) Public Interest and (h) Health & Social Care, UK GDPR.

For patient-contributed data through a registered PKB Account.

  • Patients Know Best are Sole Controller - PKB operates under Article 6(1)(f) Legitimate Interests and Article 9(2)(h) Health & Social Care, UK GDPR.

Learn more about when PKB's lawful basis changed on 02/02/2022 from Consent to Legitimate Interests.

For any data PKB originates itself, e.g. metadata, statistics, etc.

  • Patients Know Best are Independent Controller - PKB operates under Article 6(1)(f) Legitimate Interests and Article 9(2)(h) Health & Social Care, UK GDPR.

For copies of GP records retrieved under the Explicit Consent of a patient-user through the IM1 PFS service.

  • Patients Know Best are a limited Independent Controller - PKB operates under Article 6(1)(a) Consent and Article 9(2)(a) Explicit Consent, UK GDPR.