Data Protection


Patients Know Best Governance

Registered Address

Patients Know Best, Ltd. Registered in England and Wales Number: 6517382. VAT Number: GB 944 9739 67.

Registered Office:

Patients Know Best

St John's Innovation Centre, Cowley Road Milton, Cambridge, CB4 0WS

Patients Know Best B.V. Handelsregister 76822613.

Registered Office:

Patients Know Best B.V.,

of Van Heuven Goedhartlaan, 935 A, 1181LD, Amstelveen, Amsterdam, The Netherlands

Leadership & Oversight

David Grange

Patients Know Best

Address: St John's Innovation Centre, Cowley Road Milton, Cambridge, CB4 0WS

Email: dpo@patientsknowbest.com

Phone: 01223 790708

ICO Registration: Z2704931

David Grange

Patients Know Best B.V.,

of Van Heuven Goedhartlaan, 935 A, 1181LD, Amstelveen, Amsterdam, The Netherlands

Email: dpo@patientsknowbest.com

Phone: +44 1223 790708

AP Registration: FG012552

Mohammad Al-Ubaydli

Chief Executive Officer

Patients Know Best

St John's Innovation Centre, Cowley Road Milton, Cambridge, CB4 0WS


Mate Varga

Chief Technology Officer

Patients Know Best

St John's Innovation Centre, Cowley Road Milton, Cambridge, CB4 0WS



Data Protection Principles

Patients Know Best is at all times a processor of customer data. PKB acts as a Controller with clear lawful basis (GDPR Article 6) for processing personal data received from the patient and exemptions for processing special category personal data (GDPR Article 9). PKB provides individuals with a Privacy Notice during the registration process, ensuring transparency and fairness in data processing.

Personal data is used solely for managing healthcare records and service provision, in full compliance with the lawful basis detailed in our Privacy Notice. Patients Know Best do not use data for commercial purposes or engage in data sales.

PKB only holds personal data transferred by Provider organisations. Providers are responsible for sending only necessary data. When PKB collects data directly from data subjects, only key data items required for patient account creation are requested. The patient has complete discretion in deciding which additional information to include in their patient account.

Providers ensure data accuracy by regularly updating data from their platforms via API interfaces. Data accuracy and requests for data erasure within the patient record are handled in accordance with the Provider's local information rights policies. Data contributed by patients is identified as patient-inputted information; we have no determination as to the accuracy of that data.

In most cases, personal data within the patient record is retained for 8 years after last access, aligned with the NHS Records Management Code of Practice. Patient-inputted data that has not been shared with the provider will be deleted at the patient’s request. Exceptions apply in specialties where retention periods are different. Retention terms are stipulated in the Data Processing Contract (DPC) at the Provider's request; PKB is able to adopt any schedule the controller specifies.

PKB maintains a high level of security through technical and organisational measures, including annual penetration testing, adherence to the Data Security and Protection Toolkit, Cyber Essentials Plus, and role-based training for employees. Personal data is encrypted, preventing access except for authorised access to manage the healthcare record and service provision. Patients have some control, e.g. over who may access their health record and over amending privacy labels.

Patients Know Best (PKB) ensures accountability through an independent Data Protection Officer and by maintaining accurate Records of Processing Activities that specify data processing purpose and duration.

PKB proactively addresses data protection concerns by implementing Data Privacy by Design and Default principles in information system development and incident response.


Data Subject Rights

PKB ensures that data subjects are informed about how their data is processed through transparent and clear communication. This includes information about data collection, processing purposes, and data subject rights.

  • Privacy Notice: Our Privacy Notice explains how data is collected, used, and protected.

  • User Agreement: Our User Agreement outlines an individual’s rights and responsibilities when using our services.

  • PKB Platform (Access Log): Access logs in our web application allow individuals to track interactions with their data.

  • Blog and Video Segments: We regularly share informative content to keep individuals updated on best practices and relevant information regarding their data and privacy.

  • PKB Patient Manual and Trust Centre: Our patient manual and Trust Centre provide detailed information about data handling, security, and privacy practices.

  • The customer controller is responsible for ensuring adherence to the right to be informed where PKB is the processor.

The customer controller, through PKB, grants data subjects the right to access their personal data. Where PKB is the controller, PKB is only processing data which has been supplied by the patient.

Patients may access their data through the Patients Know Best (PKB) platform, and providers can access data they have entered.

The data controller is responsible for rectification of their data and the patient has the functionality within the Patients Know Best platform for rectification of data they have entered.

Data subjects can request data rectification through the PKB portal. PKB does not modify data without the data controller's specific instructions, ensuring data accuracy and integrity.

While data subjects may have the Right to Erasure in certain circumstances, given PKB is considered a healthcare record, this right may not apply. The data controller is the sole determining party for evaluating how this right is upheld. Where PKB is a controller, and where that data has not been shared with a controller, the patient is the sole determining party for the erasure of that data.

Patients have the Right to Restrict Data Processing, which can be facilitated in PKB through mechanisms such as "Stop Sharing", "Disable Sharing" or by changing privacy labels. Where the patient wishes to restrict processing by the customer controller, the patient must contact the controller directly.

Patients Know Best supports data portability by enabling patients to grant access to their health records directly through the platform, ensuring secure and seamless sharing with others.

The patient can object to processing and enable mechanisms through the PKB Portal that restrict the processing. They cannot, however, object to the processing where PKB is a processor; the objection must be handled by the Controller.

N/A. Patients Know Best do not use any automated decision-making or profiling.


Lawful Basis

UK GDPR

For Provider inputted data within the Patient Record.

  • Providers - Provision of health/social care (Article 6(1)e, 9(2)h UK GDPR)

Patients Know Best and the Provider are Joint Controllers for the Patient inputted data within the Patient Account.

  • Providers – Provision of health/social care (Article 6(1)e, 9(2)h UK GDPR)

  • Patients Know Best - Provision of health/social care (Article 6(1)e, 9(2)g/h UK GDPR)

For Patient inputted data.

  • PKB’s Lawful basis changed on 02/02/2022 from Consent to Legitimate Interest (Article 6(1)f and 9(2)h UK GDPR)

For any data they originate, e.g. metadata, stats etc.

  • Patients Know Best - Article 6(1)f Legitimate Interests UK GDPR

EU GDPR

For Provider inputted data within the Patient Record.

  • Providers - Provision of health/social care (Article 6(1)e, 9(2)h GDPR)

Patients Know Best and the Provider are Joint Controllers for the Patient inputted data within the Patient Account.

  • Providers – Provision of health/social care (Article 6(1)e, 9(2)h GDPR)

  • Patients Know Best - Provision of health/social care (Article 6(1)e, 9(2)g/h GDPR)

For Patient inputted data.

  • PKB’s Lawful basis changed on 02/02/2022 from Consent to Legitimate Interest (Article 6(1)f and 9(2)h GDPR)

For any data they originate, e.g. metadata, stats etc.

  • Patients Know Best - Article 6(1)f Legitimate Interests GDPR
