
Privacy & Security: How to make a data deletion or access request

If you're a user or patient then this article will outline how you can delete patient data from Pharmlogic.

Written by Arvin Abdollahzadeh
Updated over a month ago

About patient data

Data security

Patient data used in Pharmlogic products is protected with the same high security standards we use for all data. We build the platform in line with NHS Digital Information Governance Standards that require us to keep records following the Records Management Code of Practice for Health and Social Care and retain an audit trail of all data that passes through our communication platform. This audit trail includes patient data.

Organisations remain in control of this data in the audit trail. It's there so that you can 're-constitute' the information that was in there previously, to aid you with investigations, etc.

We will physically (i.e. permanently and completely) delete patient data in this way in response to:

  1. A valid physical deletion request from the provider itself, or

  2. Court orders or other legislative requirements.

How do we ensure the request to delete data from audit trails is valid?

Pharmlogic acts as a Data Processor under UK GDPR, and so we have to be sure that we're taking our instructions from someone with authority on behalf of the Data Controller.

This is especially important with regard to the audit trail. The NHS Information Governance Standards set out how we should do this.

This must take the form of a specifically authenticated and validated written request from an organisation's Caldicott Guardian or Privacy Officer, co-signed by a senior clinical representative.

It's best to include as much evidence as you can of these people's status, such as your Caldicott Guardian registration, or public evidence of the senior clinician's status at the organisation (e.g. staff page on the website).

You can send this request to [email protected]. They may ask you for more information to make sure the request can be validated and carried out. Our Privacy Team will task a senior engineer with securely deleting the data. A record of this action and the written request for it are retained in a secure log by Pharmlogic.

Making a valid request

Making a request for a copy of a patient's data and/or deletion

Pharmlogic is a Data Processor, and so we cannot delete patient data or supply patients with a copy of the data we hold on them unless the request comes directly from the Data Controller. This is as per UK GDPR.

Your registered primary healthcare provider will need to request a copy/deletion of data on behalf of the patient.

An example template on how this needs to be submitted by the registered primary healthcare provider can be found below.

Example template requesting data deletion

Below you can find an example template Word document to complete and send to us for these types of requests that you may receive.

The letter must include:

  • Patient NHS Number

  • Patient Date of Birth

  • Specific detail about what data you would like to be physically deleted from the Pharmlogic platform and audit trail. Please provide the relevant period of time in which the data was likely created.

  • Two separate signatures, one from a Senior Clinician and the other from the organisation's Caldicott Guardian / Privacy Officer.

If this is not supplied, then the request will be returned and will not be completed.

If you still have any questions or concerns, feel free to chat with us using the black message bubble in the bottom right-hand corner of this page.
