Patient Data Privacy Policy

Effective Date: February 1st, 2024

1. Introduction

Doccla UK Limited ("Doccla", "we", "our", or "us") is committed to protecting the privacy and security of patient data. This policy outlines how we collect, use, and protect your personal data in relation to our healthcare services. It is an extension of our General Privacy Policy, which provides further details on our data processing activities.

2. Who We Are

Doccla acts as a Data Processor when providing remote patient monitoring services on behalf of healthcare providers and as a Joint Controller in certain cases where we determine the purposes and means of processing. For any questions, you can contact our Data Protection Officer (DPO) at dpo@doccla.com.

3. What Personal Data We Collect

We may collect and process the following categories of patient data:

Identity Data: Name, date of birth, Healthcare Identifier, patient ID.
Contact Data: Home address, phone number, email.
Health Data: Medical history, diagnoses, treatment details, vital signs, medication information.
Usage Data: Interaction with our platform, including device and system logs.
Technical Data: IP address, device identifiers, location data (where applicable).
Feedback & Communications: Information provided through surveys, feedback forms, or recorded calls with our support team.
Supplemental Data: Any information provided upon referral, this could include ethnicity or other demographic data.

4. How We Use Your Personal Data

Your data is processed for the following purposes:

Healthcare Provision: To support remote monitoring and clinical decision-making. Maintain patient health records and medical history. To diagnose, treat, and manage patient healthcare needs.
Communication: To facilitate communication between patients and healthcare professionals.
Compliance: To meet regulatory and contractual obligations.
Service Improvement & Product Development: Used to enhance and develop our technology, improve user experience, and optimise service delivery.
Security & Fraud Prevention: To protect against unauthorised access and maintain system integrity.

Where possible, we use anonymisation and pseudonymisation techniques to protect patient data.

5. Legal Basis for Processing

5.1. General Data Processing (Article 6 GDPR)

We process your personal data under the following legal bases:

Healthcare Provision & Public Interest (Article 6(1)(e)): Processing is necessary for the performance of a task carried out in the public interest, including healthcare service provision and improvement.
Legitimate Interests (Article 6(1)(f)): To improve our services, develop new tools, and enhance patient care, where such interests are not overridden by your rights and freedoms.
Contractual Necessity (Article 6(1)(b)): Where processing is required to fulfil a contract with you or a healthcare provider.
Legal Obligation (Article 6(1)(c)): To comply with applicable healthcare laws and regulations.
Vital Interests (Article 6(1)(d)): When processing is necessary to protect an individual’s life or ensure the patient’s health and well-being.
Consent (Article 6(1)(a)): Where you have explicitly consented to the processing of your data for a specific purpose.

5.2. Special Category Data Processing (Article 9 GDPR)

Where processing involves special category data (e.g., health data), we rely on the following legal bases:

Healthcare Provision (Article 9(2)(h)): Processing is necessary for medical diagnosis, healthcare, or treatment.
Public Interest in Public Health (Article 9(2)(i)): Processing is necessary for ensuring high standards of healthcare, service improvements, and patient safety.
Vital Interests (Article 9(2)(c)): When processing is essential to prevent serious harm or protect an individual’s health.

6. How Long We Keep Your Data

We retain patient data in accordance with the UK Medical Devices Regulation (UK MDR 2002) and the EU Medical Device Regulation (EU MDR 2017/745), our organisation retains medical device data for a period of 10 years. This retention period is determined by the classification of our medical devices, ensuring compliance with applicable laws after the last interaction unless a longer retention period is required by law. This includes data collected through surveys, feedback forms, and recorded calls, which are retained under the same general retention rules.

7. Sharing Your Personal Data

We only share patient data where necessary and in accordance with GDPR:

Healthcare Providers: To facilitate remote monitoring and clinical decisions.
Sub-Processors: Secure cloud hosting, IT support, and analytics providers (see our General Privacy Policy for details).
Regulatory Authorities: Where required for compliance with legal obligations.

We do not sell patient data to third parties.

8. International Data Transfers

If data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs), to maintain data protection compliance.

9. Your Rights

Under GDPR, you have the right to:

Access: Request a copy of your data.
Correction: Update inaccurate information.
Erasure: Request deletion where applicable.
Restriction: Limit processing under certain conditions.
Objection: Challenge processing based on legitimate interests.
Data Portability: Request data in a structured format.
Withdraw Consent: Where applicable.

To exercise your rights, contact dpo@doccla.com

10. Data Security

We implement strict technical and organisational measures to protect your data, including:

ISO 27001 Certification: International standard for information security.
Cyber Essentials Plus: Ensuring protection against cyber threats.
NHS DSPT Compliance: Meeting NHS data security standards.
Encryption & Access Controls: Secure data transmission and restricted access.

11. Updates to This Policy

We may update this policy periodically. Any significant changes will be communicated via our website or other appropriate means.

For further information, please contact our Data Protection Officer (DPO) at dpo@doccla.com.