Hi Nicola
You have choices...
Patient identifiable data will be sent/pulled into the system to be processed, and can then be deleted automatically. The following data is always retained:
- Patient age at time of study (which could be used to get approximate date of birth)
- Patient sex
- Patient height and weight
- Accession number - not considered patient identifiable in the UK, but can be encrypted with a one-way hash if required
You can then choose to retain the following in addition:
- Patient name
- Patient ID
- Patient date of birth
As with the accession number, the patient name and ID can be encrypted with a one-way hash if required.
The reasons that you might want to retain patient name and ID, with or without encryption, are:
- Finding patients for incident investigations (though normally accession number will suffice)
- Tracking cumulative dose where this is relevant, for example for skin dose alerts over a defined period.
If patient names and IDs are retained, then users with the right permissions will be able to search using those terms and export with those data, but not view them in the web interface. If they are encrypted, then searching will require an exact match in order to get the same one-way hash to match against.
Finally, the encryption is not salted or particularly secure, but it does prevent a trivial tracing of which patient any particular data belonged to, and is probably a good balance between not retaining any patient identifiable data you don't have a need to hold, and being able to do cumulative dose alerts.
Kind regards
Ed
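
The trade-off described in the message above, as an added example that is not part of the original message and not the system's own code: a deterministic hash still links studies for cumulative dose and needs an exact-match search term, while an unsalted hash of a short ID can be recovered by hashing every ID in a known format. Assumptions: SHA-256 as the hash (the message names no algorithm), HMAC-SHA256 with a hypothetical site key as the keyed alternative, and all IDs, doses and function names constructed for illustration.

```python
import hashlib
import hmac

def plain_hash(value: str) -> str:
    """Unsalted one-way hash (SHA-256 is an assumption, not taken from the message)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def keyed_hash(value: str, key: bytes) -> str:
    """Keyed alternative (HMAC-SHA256): still deterministic, so exact-match search works."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()

def cumulative_dose(records, patient_id, hasher):
    """Sum dose over stored records whose hashed ID equals the hash of the search term."""
    wanted = hasher(patient_id)
    return sum(dose for stored, dose in records if hmac.compare_digest(stored, wanted))

def recoverable(stored_hash, candidate_ids, hasher):
    """Audit check: is the original ID found by hashing every ID in a known format?"""
    return next((c for c in candidate_ids if hasher(c) == stored_hash), None)

# Constructed sample data: (patient ID, skin dose in mGy) for three studies.
STUDIES = [("0042317", 1200), ("0042317", 900), ("0077001", 400)]
SITE_KEY = b"constructed-demo-key"  # hypothetical secret kept outside the database
ID_SPACE = [f"{n:07d}" for n in range(40000, 45000)]  # constructed 7-digit ID range

def demo():
    plain = [(plain_hash(pid), dose) for pid, dose in STUDIES]
    keyed = [(keyed_hash(pid, SITE_KEY), dose) for pid, dose in STUDIES]
    with_key = lambda v: keyed_hash(v, SITE_KEY)
    without_key = lambda v: keyed_hash(v, b"wrong-key")  # auditor lacking the site key
    return {
        # Same ID typed exactly: both studies link, so the cumulative alert still works.
        "exact": cumulative_dose(plain, "0042317", plain_hash),
        # Leading zeros dropped: different hash, nothing matches.
        "inexact": cumulative_dose(plain, "42317", plain_hash),
        "keyed_exact": cumulative_dose(keyed, "0042317", with_key),
        # Unsalted hash of a short numeric ID is recovered from the ID range alone.
        "plain_recovered": recoverable(plain[0][0], ID_SPACE, plain_hash),
        # The keyed hash is not recovered without the key.
        "keyed_recovered": recoverable(keyed[0][0], ID_SPACE, without_key),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```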