GDPR defines different types of data (See this link).
Concentric uses ‘Personal data’ which is data that can be used to directly identify someone and ‘Special category data’ which is sensitive data that usually requires more protection.
The following personal data is processed: title, given name, family name, date of birth, gender, patient identification number (e.g. NHS number). This data is required for clinical safety purposes, as it needs to be displayed on-screen during all clinical interactions. It is best practice to share consent information with patients, and therefore an email address and mobile phone number is stored to allow communication of the consent process.
The following special category data, i.e. data relating to health, is also processed: name of treatment, indication and purpose of treatment, alternatives and risks discussed, and name and job title of clinicians who have been involved in providing care. This information is required as it is documented on the consent form.
Under the General Data Protection Regulation (GDPR), organisations can only process this data if there is a lawful basis for doing so. Where Concentric is used, the Kingston Hospital Foundation Trust is the data controller, and Concentric is the data processor for the Trust.
The legal basis for processing is that of ‘direct care’. Healthcare organisations have a requirement to receive and record procedural consent as part of providing care. The contract between the healthcare organisation and Concentric to deliver a digital consent platform provides Concentric’s ‘direct care’ legal basis for processing.