Data Protection Impact Assessment (DPIA)
(For DVSP ltd trading under UK ME/CFS specialist clinic)
1. Project / Processing Description
The clinic provides private online medical consultations for ME/CFS and related conditions. Personal and special category health data are processed for the purposes of patient assessment, diagnosis, care planning, clinical documentation, and follow-up. Data are collected via secure intake forms, during video consultations, and through direct patient communications.
2. Lawful Basis for Processing
UK GDPR Article 6(1)(b): Performance of a contract (provision of medical services).
UK GDPR Article 6(1)(c): Legal obligation (medical record-keeping).
UK GDPR Article 9(2)(h): Processing of special category health data for medical diagnosis, provision of health care, and management of health systems.
3. Data Categories Processed
Patient identification data (name, date of birth, contact details)
Clinical information (symptoms, medical history, medications, test results, assessments, care plans)
Consultation notes
Communications related to care
Appointment metadata (date/time of consultation)
4. Systems and Data Processors
PKB, Smilenotes: Secure cloud-based clinical notes and patient records.
Doxy.me: Encrypted video consultation platform.
All providers are GDPR-aligned and operate under data processing agreements (DPAs) with the clinic.
5. Data Storage and Retention
All clinical records are stored within PKB and Smilenotes’ secure cloud environment.
No video consultations are recorded.
Records are retained in line with UK medical record retention guidance (minimum 8 years for adult patient records or longer where clinically indicated).
6. Risks to Data Subjects
Unauthorised access to sensitive health data
Data breach or accidental disclosure
Loss of availability of clinical records
Cyberattack or system compromise
7. Risk Mitigation Measures
Encrypted data storage and transmission
Multi-factor authentication for system access
Role-based access control (solo clinician only)
Strong password policies
Regular system updates
Secure device use with full-disk encryption
Daily automated cloud backups
No recording of consultations
Data minimisation (only clinically necessary data collected)
8. Residual Risk Assessment
Residual risk is assessed as low to moderate, appropriate to the scale and nature of the service. No high-risk processing requiring prior consultation with the ICO has been identified.
9. Data Subject Rights Management
Patients are informed of their rights under UK GDPR, including access, rectification, erasure (where applicable), restriction, and data portability. Requests are handled within statutory timeframes.
10. DPIA Approval
This DPIA has been reviewed and approved by the Clinic Director and will be reviewed annually or upon material system or service changes.