1 of 5

Record Deletion

When can PKB records be deleted?

Kaleidoscope Consultants Limited | +44 (0) 20 3637 1111 | info@kaleidoscopeconsultants.com

East Side, Kings Cross, London, N1C 4AX, UK | The Black Church, St. Mary’s Place, Dublin, D07 P4AX, RoI | Calle Balmes 173, 4-2, Barcelona 08006, España

2 of 5

Deletion conditions

| Deletion requestor | Patient Record: HCP viewed? | Patient Account: DS viewed? | Result | Justification/notes |
|---|---|---|---|---|
| Data subject request | | | Do not delete | Hold for medico-legal duty for eight years from last access |
| Data subject request | | | Delete | Assess on a case by case basis |
| Data subject request | | | Do not delete | Hold for medico-legal duty for eight years from last access |
| Data subject request | | | Delete | Assess on a case by case basis |
| Creator/single source requested – unshared record | | | Do not delete | Hold for medico-legal duty for eight years from last access |
| Creator/single source requested – unshared record | | | Do not delete | Record is in the control of the data subject |
| Creator/single source requested – unshared record | | | Do not delete | Hold for medico-legal duty for eight years from last access |
| Creator/single source requested – unshared record | | | Delete | Assess on a case by case basis |
| Creator/multiple source requested – shared record | | | Do not delete | Hold for medico-legal duty for eight years from last access |
| Creator/multiple source requested – shared record | | | Do not delete | Record in the control of the data subject |
| Creator/multiple source requested – shared record | | | Do not delete | Hold for medico-legal duty for eight years from last access |
| Creator/multiple source requested – shared record | | | Delete | Assess on a case by case basis |
| Court Order | | | Delete | |

3 of 5

Controller/Processor/Joint Controller

I am of the opinion that the legal basis for retention is unaffected by which organisation is the controller on the basis that:

  1. Where a controller, the controller must specify their lawful basis for processing and expected deletion. Deletion must be justified and documented (GDPR Article 5(1)(e)).
  2. Where a processor, data must be deleted on the instruction of the controller unless there is a separate duty to process, including retention (GDPR Article 28(3)(g)).
  3. Where joint controllers, each controller's purpose, lawful basis and retention should be documented in the JCA.
  4. Where the PKB data is in a Patient Account, the subject may request deletion and this will be implemented unless another legal duty applies, in which case the subject will be informed and the data will be deleted at the earliest opportunity.
  5. Where the PKB data is in a Patient Record, deletion requests will be handled as noted in the previous slide.

4 of 5

Definitions

  1. A patient record comprises data sourced from health and social care provider records and other records, which may be accessed by Healthcare Professionals (HCPs) from single or multiple source organisations.
  2. A patient account is created when the data subject has activated their access to their record. The data subject exercises control over who can see what of their data and may also contribute to their record.

5 of 5

History

| Version | Date | Author | Change |
|---|---|---|---|
| 0.1 | 05/03/2021 | David Stone | Created |
| 0.2 | | | |