Data Protection Directive
Individuals living in the UK and other member states of the European Union are governed by the Data Protection Directive. This directive regulates the processing of personal data and on the free movement of such data.
Meaning of “personal data”
Personal data includes personal information and health details. Health information is also considered sensitive personal data, which requires additional safeguards.
Meaning of “processing of data”
The DPD applies to the “processing of data”. This includes the operations Kalix completes with or to personal data: i.e recording, organising, storing, adapting or altering, retrieving and transferring.
Transfer of personal data out of the UK
Personal data entered into Kalix is stored in Microsoft Azure servers located in the US. The Data Protection Directive restricts the transfer of personal date to countries outside the European Union. However, US companies that meet the Data Protection Directive can be certified a Safe Harbor, meaning that they comply with the DPD. Microsoft is one of those Safe Harbor organisations, hence UK users can use Kalix and still meet the Data Protection Directive.
To meet best practices we recommend that Kalix users in the UK obtain the explicit consent of their patients when using Kalix.
The consent required
Under the DPD, consent defined as any freely given specific and informed indication of a person’s wishes by which they confirm and communicate their agreement for their personal data to be processed.
As a health care professional you can seek consent by providing an appropriate notification containing a description of the proposed processing of patient data and tick boxes (or click boxes on a website) in an application or order form on which the patient may indicate his or her consent to processing by means of an opt-in. The notice should also explain how consent, once given, can later be withdrawn.