GDPR policy. John Pitts, AME

The General Data Protection Regulation (GDPR) applies in the UK from 25th May 2018. Its aim is to give individuals the right to access and correct their personal data, and to prevent that data from being used for marketing when they do not want it to be.

The individual is the data subject. The UK CAA has decided that in the context of pilot and ATCO medicals, the CAA is the data controller and AMEs are data processors. You should be aware that as your AME I have signed a contract to that effect with the CAA. 

The CAA (and FAA) collects your personal medical data and stores it on an electronic patient record system. Any concerns you have about this should be addressed to the data manager at the CAA (or FAA).

In addition to acting as a data processor for the CAA, I retain some data on my customers and believe that I have the responsibilities of a data controller in this context.

The data I collect and store
1. I keep a PDF scan of your application forms, ECGs and ECG reports.
2. I keep a PDF scan of any medical reports or blood results you send me.
3. I keep a client list as an encrypted Word document containing your CAA reference number, date of birth, name, class of medical, expiry date, email address and mobile number.
4. These are stored on OneDrive, Microsoft's encrypted cloud backup system.

Why I collect your data
1. I am obliged by the General Medical Council's principles of Good Medical Practice to maintain accurate records.
2. I keep your medical records so that I can assist you with queries and CAA casework requests.
3. I periodically send out reminder emails when medicals or test results are due.
4. The CAA currently expects me to retain your application forms until I retire.

How I respect your rights under the GDPR
1. I am registered as an individual (Dr John Pitts) and as a company (ViA Ltd) with the ICO.
2. I never share your data with anyone other than your regulator (CAA or FAA) without your consent.
3. I never use your data for marketing purposes or allow anyone else to do so.
4. I am always happy for you to inspect your data, take copies of it, or ask for it to be corrected or deleted. If you wish your data to be deleted, I would need to send the existing data I hold on you to the CAA to be scanned onto your medical record, as I would no longer be storing it for the CAA until I retire.
5. I would expect you to provide valid photographic ID to access your data.
6. I will notify you (as well as the ICO) if your data is compromised.
7. I will carry out periodic DPIAs (data protection impact assessments) when new technology is implemented.