Privacy Notice 2021

Plain English Summary

Welcome to your Patients Know Best (PKB) Account. This privacy notice tells you how your Personal Data is used. This is so you can decide whether or not to give your consent to PKB; to create your PKB Account and for the Service to use your personal data. The privacy notice is not a user guide so it does not tell you how to use the Service or Account.

The PKB user guide is available at https://manual.patientsknowbest.com/

Terminology

  • “You” This means the user and the person giving their consent to see or share their record

  • “Patients Know Best (PKB) Account” is an online account that that lets you gather, edit, store, and share personal health information

  • “The Service” is the IT platform used to provide your online account

  • “Carers” are friends, family or other people that help you with your care

  • “Professionals” are employees of organisations using PKB whose identity and qualifications have been legally verified, for example, doctors and nurses

  • “Organisations” are customers of PKB that are involved in your care and that you trust to view your records, for example, hospitals

  • “Encryption” secures data in such a way that only those with the correct credentials can access it

Types of PKB Service Users

You can use PKB with three other types of users:

  1. Carers

  2. Professionals

  3. Organisations

Verification

Because Professionals have been legally verified they can do things on your behalf and in your interest. For example, they can legally confirm that: you are an adult, you can understand information about your health, and that you can be in control of your PKB account.

Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS Digital. NHS Digital is the controller for any personal information you provided to NHS Digital to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a "processor" only and we must act under the instructions provided by NHS Digital (as the "controller") when verifying your identity. To see NHS Digital's Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.

Purpose of PKB

Our aim is to bring you your health records from anywhere, and for you to control who sees these records.

Your record is divided into four parts:

  1. General health (e.g. diabetes)

  2. Sexual health (e.g. sexually transmitted infections)

  3. Mental health (e.g. depression)

  4. Social care information (e.g. day centres)

After registering with PKB you decide who can see what, e.g. you may want your doctor to see everything but your family to only see your general health. You can also request that others decide on your behalf, e.g. your doctor can share with other doctors for you. If an Organisation has data about you and the Organisation agrees to send the data to Patients Know Best, using Encryption, Patients Know Best will show you the data in your Account.

For example, Organisations can automatically send their discharge letters to your record. When you log in, PKB software will search external databases for you. None of your data is sent outside PKB for these searches.

Will my information be used for anything else?

Once you have provided consent to PKB and have decided who can see your record, PKB will use software to search databases to show you information. You decide how to make use of this information, e.g. if we tell you about a research trial, you can decide to take part. Your information is not shared until you have told us you want to share it.

Patients Know Best does not use your Account-holder information for marketing purposes without first asking for and receiving your opt-in. We do not use or disclose your information except as described in this Privacy Notice.

If you send us a help request to help@patientsknowbest.com you are likely to tell us your name and email address.

Occasionally, although we ask you not to, Users may tell Patients Know Best clinical information about themselves (e.g. "I cannot access my message from Dr Smith" or "How do I get my haemoglobin test result from my daughter's cancer team").

Patients Know Best has no ability to access any clinical information in your health records.

Data disclosure and use

To help you with your query, Patients Know Best may use personal information:

  • To provide you with important information about the Service, such as important updates and notifications

  • To send you the Patients Know Best e-mail newsletter (if you choose to receive it)

  • To determine your age and location to help determine whether you meet the criteria for an Account

Patients Know Best may hire other companies to provide services on our behalf, such as a support desk or to answer queries about the Service. We give those organisations access only to the minimum personal data to help you with your queries, such as your IP address or e-mail address.

Confidentiality

Patients Know Best requires the companies to maintain the confidentiality of your personal data and prohibits them from using it for any other purpose. Patients Know Best does not share any health records with these third parties because we do not have access to such information.

Is PKB free?

For the patients, yes - there is no charge to patients, carers or individual professionals you invite to view your record. PKB is paid for by organisations such as your hospital, health board or local practice. PKB will continue to provide a service to you, the patient, even if our contract ends with the organisation you originally signed up with.

Can I delete or hide my PKB account if I change my mind?

Because Professionals make medical decisions based on the information in your PKB record, it is a health record. Data cannot be deleted for 8 years after last usage, in case there is a legal case about medical safety. You are in control of access to your record unless the law stipulates access by another individual or authority is required. Professionals accessing your record must declare the consent they have, this is recorded in PKB.

This allows professionals to access your record in an emergency, using PKB's Break the Glass functionality. Break The Glass allows a professional to see a your record without your consent. This is for emergency situations when you lack the capacity to consent (e.g the you are unconscious) and the professional's clinical judgement is that your safety requires the professional to see the record. More information on this functionality can be found here: https://manual.patientsknowbest.com/privacy-officer/break-the-glass

You may enable a feature called Disable Sharing if you do not wish to share your record with any Professional, and this will also prevent professionals from being able to Break the Glass.

After Disable Sharing is enabled by an Organisation's Privacy Officer, Professionals will only be able to see data they have contributed to the record. More information on Disable Sharing is available here: https://manual.patientsknowbest.com/privacy-officer/disabled-sharing

The one exception is children’s records, Professionals have control to ensure the safety of the child’s medical care. Full control of your record is possible from 11 years old barring special circumstances.

You can only edit or hide data you have added. You cannot edit or hide data others have added. If you would like to change or hide information that has been added about you, or if it is incorrect, you can contact the Organisation and request this.

How is my information protected?

Patients Know Best is committed to protecting your privacy.

PKB cannot see your health record and has no control over your record. We keep the information on secure servers. We encrypt the data so no one can see your health record except the people you choose or those with a lawful basis. We have registered with the Information Commissioner’s Office (“ICO”), which regulates data protection in the UK, and our registration number is Z2704931.

Tracking, Cookies and Analytics

You can opt-in to receive the PKB newsletter which has updates about PKB. PKB tracks software usage to improve software quality. PKB does not track identifying information or records. PKB uses cookies to improve website operation and usage; for example, we use cookies to set a Users language and to monitor usage trends. Cookies do not contain identifying information such as IPs, health data or personal details.

This Privacy Notice

This privacy notice applies to the Patients Know Best Service (referred to in this privacy notice as the "Service"), which you access by logging into your account.

This privacy notice does not apply to any other online or offline Patients Know Best sites, products, or services.

The privacy notice is written generally as if you are the patient, ie you use your own Account to manage your health records. If you are a Carer who manages the patient’s records for them, you must read the privacy notice on the basis that it refers to you using your Account to manage the patient’s health records

Agreement and Further Information

A User's continued use of the Service constitutes the User’s agreement to this privacy notice. If you feel you require further information before you are able to provide consent – please refer to The User Information and Security Statement section below or contact help@patientsknowbest.com.


Full User Information and Security Statement

This User Information and Security Statement explains how the Service works and how we keep the Service secure.

Explanation of Terms Used in This Statement

  • “User” is the person giving their consent to see or share their record

  • “Account-holder Information” is your contact details (including your e-mail address, postal address and postal code) and your account password, security question and security answer.

  • “Patients Know Best (PKB) Account” is an online account that that lets you gather, edit, store, and share personal health information

  • “The Service” is the IT platform used to provide your online account

  • “Carers” are friends, family or other people that help you with your care

  • “Professionals” are employees of organisations using PKB whose identity and qualifications have been legally verified, for example doctors and nurses.

  • “Organisations” are customers of PKB that are involved in your care and that you trust to view your records, for example: hospitals

  • “Encryption” secures data in such a way that only those with the correct credentials can access it

Creating an Account

To create an Account, the User must provide the Account Holder Information.

We will use the e-mail address provided to send the User an e-mail requesting that they validate the e-mail address.

If the User wants to change Account Holder Information – such as changing the email address they will need to verify with an Organisation again.

Existing Health Care Records

If an Organisation has data about the User and the Organisation agrees to release the data to Patients Know Best, Patients Know Best will show the data in the User Account.

For example, Organisations can automatically send their discharge letters to the record. When a User logs in, PKB software will search external databases. Organisations can publish a database of research trials for the Patient to consent to share their data with an Organisation.

Sharing your Account-holder information

The following items are visible to everyone with access to the User Account:

  • Your name, date of birth.

  • Your contact details including your e-mail address, telephone, postal address and postal code.

  • Your national identifiers e.g. NHS number in England or IHI number in Australia.

  • Skype ID

User-managed personal information

An Account allows you to manage health records as the Patient or Carer. Any User can add data, for example:

  • diagnoses, medications and allergies;

  • fitness-related activities such as aerobic sessions;

  • measurements such as blood glucose and blood pressure;

  • discharge summaries from hospitalisations;

  • laboratory test results you have received;

  • health history.

A User can only edit or hide data they have added. The User cannot edit or hide data others had added. The User must ask Organisations or Professionals to edit or hide data they have added to the User Account.

Sharing health records

Each data point (e.g. a test result) has one of four Privacy Labels:

  1. General,

  2. Mental,

  3. Sexual,

  4. Social care

When sharing a record the User must decide which combination of privacy labels to allow. For example, a Patient might want their Professional (a doctor) to have access to all four Privacy Labels but for a Carer (a family member) might only authorise access to data points marked with General Privacy Label.

When a Professional or Carer invites someone to a Patient’s record, they see the Patient’s identity and the parts of the record the User has granted them access to. Whenever an Organisation or Professional shares a Users record, PKB logs the details and the stated reason for sharing.

The Organisation, Carer, Professional or User is responsible for the legal basis of their sharing and access. At any time you can stop sharing with any Professional or Carer, or change the privacy labels they have access to.

Programs

Programs are software written by third parties that can connect with the Service. PKB provide the User with information about these Programs. The User decides which privacy labels to give the Programs access to, and the User can stop sharing or change sharing with the Programs at any time.

The Service provides links to each Program's privacy notices at the time the Service asks the User to authorize the Program's access. The providers of the Programs are responsible for their privacy notices. The User should examine their privacy notices and terms of use prior to using them or allowing them access to health records.

As described in their privacy notices, Programs may also use the User’s e-mail address. In order to access the Service, the Program provider must commit to protecting the privacy of the User’s health records. Patients Know Best will reserve the right to revoke a Program provider's access to the Service if a Program does not meet its privacy commitments to Patients Know Best.

We encourage you to contact us if you believe a Program is not protecting the privacy or security of health records.

Children’s records

Records about people under the age of 18 are handled differently for child safety.

The child and carers are not the custodians of the child's record. Professionals can select certain parties whose access to the child's record cannot be stopped.

Examples include the family physician and paediatric team for the safety of the child; social services staff assigned to the child as part of a court order; carers with parental responsibility.

Professionals can also temporarily stop the access of the Patient and Carers while they investigate a child protection issue. Just prior to a patient turning 11, a professional will review access and decide who should have access to the record. This can include stopping sharing the record with their parents if the child is deemed competent to administer their own record. Decisions regarding access are not determined by PKB.

Deleting health records

Once a Patient’s record has been verified by a Professional it is a health record on which the Professional can make medical decisions. Therefore, Patients Know Best will maintain the record for a minimum of 8 years after last usage and/or last data addition (whichever is later) to provide a medico-legal audit trail.

Disclosure and use of personal data

We do not use or disclose Personal Data except as described in this notice. If we receive a help request to help@patientsknowbest.com we may be provided with a name and email address. Occasionally, although we ask Users not to, Users may tell Patients Know Best clinical information about themselves (e.g. "I cannot access my message from Dr Smith" or "How do I get my haemoglobin test result from my daughter's cancer team").

Patients Know Best has no ability to access any clinical information in the health records because the health records are encrypted and there is no facility for removing the encryption for the purpose of answering such enquiries.

In support of these uses, Patients Know Best may use personal information:

  • To provide important information about the Service, including critical updates and notifications;

  • To send the Patients Know Best e-mail newsletter (if you opt in via your Account preferences);

  • To determine age and location to help determine whether The User meets the criteria for an Account. Patients Know Best may hire other companies to provide services on our behalf, such as: hosted infrastructure e.g. e-mail and support desk; and answering enquiries from Users about our products and services.

Third parties

PKB may use third party services to provides support or additional features, such as the PKB Help Support Desk (a ticket system tracking support requests to help@patientsknowbest.com). We give those organisations access to the minimum personal data from Account-holder information that they need in order to deliver the service, such as IP address or e-mail address.

Patients Know Best requires the companies to maintain the confidentiality of personal data and prohibits them from using it for any other purpose.

Patients Know Best does not share any health records with these third parties because we do not have access to such information.

Lawful disclosures

Patients Know Best may access and/or disclose Account-holder information if such action is necessary to:

  1. Comply with the law or orders served on Patients Know Best;

  2. Protect or defend the rights or property of Patients Know Best (including the enforcement of our agreements); or

  3. Act in urgent circumstances to protect the personal safety and welfare of users of Patients Know Best services or members of the public.

Data storage

PKB's data centres are in Australia, the Netherlands and the UK. Data for European customers remain stored in the European Economic Area (EEA). Data for UK NHS customers are stored inside the UK data centres. Data for Australian customers are stored inside the Australian data centres. Data for Dutch customers are stored in Dutch data centres. All PKB’s data centres are ISO 27001 certified. Patients Know Best will add future data centres for customers in Europe, Russia and the USA, and storage of those customers’ data will be in those jurisdictions.

How we use aggregated information and statistics

Patients Know Best may use aggregated information from the Service to improve the quality of the Service and for marketing of the Service (for example, to tell potential advertisers how many Service users' data are stored in the United Kingdom data centre).

This aggregated information is not associated with any individual Account.

Patients Know Best does not use Account-holder information for marketing purposes without Patients Know Best first asking for and receiving User opt-in. The only information we aggregate is usage data, e.g. how many people are using the Service, how many messages they are sending, how many test results they are receiving.

We have no access to actual health records or communications, i.e. which Users are sending messages via the Service, what the content of their message is, or what the test result was.

Newsletter

To keep Users informed of the latest improvements, the Service will send a newsletter. The newsletter is sent on an opt-in basis. If Users do not want to receive the newsletter, they do not check the box that requests the newsletter when signing up for the Service. Users can unsubscribe at any time with one click through a link at the bottom of the newsletter. If Users later decide that they want to receive the newsletter, the newsletter can be requested it by checking the box on the Account profile page.

Security of personal information

Patients Know Best is committed to protecting the security of personal information. We use a variety of security technologies and procedures to help protect personal information from unauthorized access, use, and disclosure. For example, we store Account-holder information and health records on computer servers with limited access that are located in controlled facilities. The Service stores all clinical data using encryption so that only Users, and the people Users grant access to, are able to read health records. The Service sends all communications, except e-mail, using HTTPS. The Services keep a log of all access and actions to any health record, and Users can view the full log for any health record for which they are a Patient or Professional. E-mail messages are not encrypted, so when we send email notifications, the message only contains:

  • The patient or Account-holder’s name.

  • The fact that they have new clinical data.

  • The type of clinical data they have, eg a new test result, a new message from a doctor.

  • A link to log in securely to the Account to see the data.

When we replace our servers we erase the old equipment completely as part of ISO 27001 compliance and in line with NCSC guidelines.

Use of Cookies

We use cookies with this Service to enable Users to sign in and to help personalise the Service. A cookie is a small text file that a web page server places on the device Users use to access their Account. For information about how we use cookies, please see our Cookie Policy at: http://help.patientsknowbest.com/Cookies.html

Use of web beacons

Patients Know Best web pages may contain electronic images known as web beacons (sometimes called single-pixel gifs) that may be used:

  1. to assist in delivering cookies on our sites;

  2. to enable us to count users who have visited those pages;

  3. to deliver services co-branded with other organisations.

We may include web beacons in promotional e-mail messages or in our newsletters in order to determine whether Users opened or acted upon those messages.

Users can unsubscribe at any time with one click through a link at the bottom of the newsletter. Patients Know Best may also employ web beacons from third parties to help us compile aggregated statistics and determine the effectiveness of our promotional campaigns.

We prohibit third parties from using web beacons on our sites to collect or access your personal information for their own use. [We may collect information about visits to patientsknowbest.com, including the pages viewed, the links clicked, and other actions taken in connection with the Service.]

We also collect certain standard, non-personally identifiable information that the browser sends to every website a User visits, such as your browser type and language, access times, and the website addresses of any website(s) that linked the User to patientsknowbest.com.

Changes to this privacy notice

We may update this privacy notice at any time. When we do, we will change the "last updated" date at the bottom of the privacy notice. If there are material changes to this privacy notice we will notify Users, either by placing a prominent notice on the home page of the Patients Know Best web site or by sending a notification by email or directly to the User Account.

We encourage Users to review this notice periodically. Users' continued use of the Service constitutes the Users' agreement to this privacy notice, as amended.

Contact information

The name “Patients Know Best” is a registered trademark of Patients Know Best Limited, which is a private company limited by shares and registered in the UK with company number 6517382. You can find our registered office address and contact telephone number in the footer of our website at www.patientsknowbest.com.

Comments

Patients Know Best welcomes comments regarding this notice. If you have questions about this notice or believe that we have not adhered to it, please contact us by using our web form. If you have a technical or general support question, please visit http://support.patientsknowbest.com to learn more about Patients Know Best Support offerings.


Privacy Notice - Version 3 - Updated: [23rd May 2018]