Processing patient and other data on behalf of hospitals
Brainomix as a Processor
Brainomix manufactures, provides, and supports medical imaging software devices, as a service, for use by medical professionals to aid in the diagnosis and treatment of individual patients. In this context, Brainomix is a Processor because we process data on behalf of and under the authority and instructions of a Controller (typically a hospital).
Brainomix acts a ‘processor’ as defined by Article 4 (8) of the GDPR and adheres to Articles 28 and 29. Brainomix processes personal patient data on behalf of, and under the authority of the data ‘controller’ (as defined by Article 4 (7) of the GDPR).
The Hospital using Brainomix software is the Controller of the personal data because the hospital decides which patient data to process using Brainomix software, why that patient data is being processed and in what manner, as well as establishing the retention period and legal basis for which Brainomix may process the patient personal data held, provided by or otherwise controlled by the hospital.
The exact nature of processing is typically governed by specific Data Processing Agreements between by Brainomix and a Hospital and all data processed by Brainomix on behalf of hospitals (or other controllers) is held and processed within the UK and the EU in accordance with such data processing agreements.
Brainomix does not have direct contact with data subjects (patients) nor does Brainomix process their personal data for its own purposes. The controller (the hospital) is responsible for their obligations to provide information to data subjects as set out in Article 13 and to facilitate the rights of data subjects as set out in articles 15 - 22 in the GDPR. As a processor, Brainomix will endeavour to assist controllers to meet their obligations to ensure the rights of data subjects and to comply with data protection legislation for any of the processing Brainomix is involved with.
Brainomix is responsible for implementing technical and organisational measures to ensure that any processing is carried out in accordance with data protection law and under instructions from the Controller.
As a Processor, Brainomix will:
- Meet all its obligations as set out in data protection law
- Process data in accordance with governance agreements made with Data Controllers
- Assist Controllers, as set out in data protection law and governance agreements, to ensure the rights of Data Subjects.
Types of Processing
As a core activity of the products and services Brainomix provides, Brainomix processes ‘special category’ personal data relating to patients. Specifically, this relates to personally identifiable data relating to health, which includes identifiable medical images and image data.
Processing in this context, includes automated processing which is performed by Brainomix software products on patient image data.
Additionally, Brainomix processes personal data (provided by the Controller) relating to users of the products and services Brainomix provides (typically hospital staff) in order to automatically send processing results information and to provide technical support and training. This information is typically limited to user’s name, role, e-mail address and telephone numbers.
User personal data may be used to obtain technical, clinical and usability feedback relating to the Brainomix products and services they use as part of proactive product surveillance to support product and service improvement. Such user personal data will not be used for marketing purposes without explicit individual consent.
Typical patient data processing activity
Brainomix software is used to processes personally identifiable data relating to health on behalf of the hospital, which includes identifiable medical images and image data. This patient scan data is sent by the hospital to the software which automatically processes the data to provide information for medical professionals who are involved in diagnosing or treating patients.
Brainomix software is installed on a server which sits within the hospital. After the patient has had their scan, images are sent to this server. The image processing results are then sent back to the hospital image storage system for relevant medical professionals to analyse. In this context, patient data does not leave the hospital system.
In some cases, the processing results may be sent to a cloud-based server for access by medical professionals. In these cases, the image data is transmitted securely in an encrypted format and the data itself is pseudonymised which means it is coded so that individuals cannot be identified by anyone without access to the identifiable data in the hospital systems. Access to the cloud-based server is also protected and restricted to authorised users.
Additionally, when the image data is processed, a notification may be sent to specific relevant medical professionals to inform them that the results are ready. Any imaging information sent in this manner is also pseudonymised which means it is coded so that individuals cannot be identified without access to the same data within the hospital system.
Brainomix software is not a data storage system. Data is sent from other hospital imaging systems and temporarily held on the Brainomix server before being securely deleted as directed by the hospital’s retention policy (typically 30 days). Results of Brainomix processing are typically sent back to the hospital imaging systems for long-term retention.