Policy for personal data protection at Private Doctor
How we treat your data
In connection with our doctor’s examination, diagnostics and treatment of you as a patient, we gather personal data about you. In this policy for personal data protection we describe how we treat your data.
Types of information
Private Doctor collects and treats the following data about you (to the extent relevant for you):
Standard categories of data:
• Name, address, email address, phone number, CPR number (or just date of birth if non-citizen in Denmark), sex
Special categories of data (“sensitive personal data”):
• Health information (e.g. patient record information, lab results, X-ray and scanning results), sexual orientation, ethnicity and religious orientation.
Private Doctor uses your data in the following ways:
Examination, diagnostics and treatment of you, including
• Medical reports to other health personnel or insurance companies
• Communication with or referral to other health personnel, doctors, hospitals, dentists, laboratories etc.
• Reporting of lab values to hospital laboratories
Adherence to Danish and European regulations for GDPR and other documentation practices, including:
• General medical documentation
• Adherence to basic principles for treatment of personal data and laws for medical treatment
• Establishment and maintenance of technical and organisational data security, including preventing non-authorised access to systems and information, and preventing the receipt or sending of malware or other electronic viruses
• Examination in case of suspicion or knowledge of security breach and reporting of this to relevant authorities and individuals
• Handling of requests or complaints from registered individuals or others
• Handling of inspections from authorities
• Handling of disagreements between registered individuals and third parties
When Private Doctor collects your personal information directly from you, you hand over your data voluntarily. You are not obliged to provide your data to Private Doctor, but the consequence will be that Private Doctor cannot act according to the purposes described above, including that we in most cases cannot examine, diagnose and treat you.
In some cases we collect personal data on you from other health personnel or institutions, e.g. from hospitals, a referring doctor or by searches in electronic data records. We treat received data in accordance with this policy for treatment of personal data.
Provision of data to third parties
When needed for an examination, diagnosis or treatment of you, we share your personal information with the following:
• We pass on your information to other health personnel if it is necessary in relation to a current disease or treatment of you or if you ask us to do it
• We pass on information to the Danish Vaccination Registry, the Danish Registry for Patient Safety, The Danish database for prescription medicines, the police, social authorities and the National Work Insurance, all in accordance with Danish laws.
• As a patient, you have access to your own data
• In case of referral, we provide your data to where the referral is submitted
• When submitting lab tests, we provide the samples to the hospital laboratories
• We pass on your data to the pharmacies and to the Danish Drug Agency when prescribing medicine
• In certain cases, the information is provided to insurance companies or relatives.
Laws and regulations for provision of personal data
The legal foundation for collection, treatment and passing on your data is:
• For use during usual treatment of patients, collection, treatment and passing on of data is done in accordance with the GDPR Act, Article 6(1)(c) and (d), while the sensitive personal information is collected, treated and passed on as per Article 9(2)(c) and (h).
• Moreover, we are obliged to treat information about you during usual patient treatment in accordance with the Danish Medical Authorization Law, chapter 6, section on health personnel’s records, in particular paragraphs 5-10 and The Danish Health Laws chapter 9.
• Health information in relation to referrals is passed on as per The Danish Health Laws chapter 9.
• Submission of lab samples to hospital laboratories is done in accordance with the Danish Health Authority’s guidance on handling of these as per the Danish Medical Authorization Law
• Prescriptions are sent online via the official Danish prescription IT server as per the Danish Health Law’s chapter 42 and as per the instructions on prescriptions and dosing of prescription medicines, especially chapter 3.
• Your information is passed on to insurance companies solely upon your written consent, in accordance with the GDPR Act, Article 6(1)(a) and 9(2)(a).
• Your personal data is passed on to your relatives solely upon your written consent as per the Danish Health Law paragraph 43.
• Post-mortem information can be provided to closest relatives, your General Practitioner and to the doctor who treated the person at time of death, as per the Danish Health Law paragraph 45.
Withdrawal of consent
In case treatment of your data is based on provided written consent, you can withdraw your consent at any time. This will have no consequence for the treatment provided prior to withdrawal of consent.
Our systems to treat your data
Your personal data is treated and stored by Private Doctor’s system providers, which store these on behalf of Private Doctor. Our system providers are:
• Microsoft Office365
Duration of storage of your data
Private Doctor stores your data as long as we need to act as per the purposes described above. However, Private Doctor is as per the Danish Health Law for medical records obliged to keep your data for a minimum period of 10 years since the latest addition to your records. There can be cases where Private Doctor needs to keep your data for longer, e.g. in relation to complaint cases. In these cases, your data will be kept until closure of the case.
You are entitled to – however limited by Danish Laws – certain rights, including the right to obtain a copy of the data we store on you, the right to have incorrect data corrected, the right to have data deleted, the right to data portability, and the right to object to our treatment of your data. The latter includes automated decision making (“profiling”).
You also have rights to complain to the Danish Authorities, including the Danish institution for data management, called Datatilsynet.
Should you have questions in relation to how we treat your data or to your rights, kindly write to us at firstname.lastname@example.org or send a letter to us at the address below.
Lille Strandstræde 10, 1.
1254 København K
Date: May 25th 2018