Biolab has the greatest respect for all personal data provided to us and we take extensive measures to ensure the security of this data. Our systems, protocols and policies all adhere to GDPR requirements. We are committed to using personal data fairly, lawfully and transparently. This policy provides details of the personal data we hold, how we use that information and how you can request changes to your data and, if necessary, make a formal complaint about the handling of your data.
We store sufficient information on each patient to identify their samples, report their results and seek reimbursement for testing services provided. This information is held subject to our legal obligations for up to 8 years from the date of receipt.
Personal Data stored at Biolab
We store personal contact details for patients, referring clinicians and suppliers to Biolab. This may also include digital copies of correspondence including email correspondence.
Personal data held is as follows:
Name (and sometimes the name of a legal guardian)
Company name (where applicable)
Contact telephone number(s)
Copies of correspondence (in some cases)
Additionally for patients we may also store:
Date of birth
Referring clinician’s details for each test request
Test results (as generated by Biolab and as received from third-party referral laboratories)
Debit/credit card details until payment for Biolab services has been made.
Additionally for practitioners:
Professional qualifications and associations
Debit/credit card details for some practitioners with a Biolab credit account.
The above data is provided by patients and practitioners when they register with Biolab. This registration process is via the Biolab web site, by email or when in attendance at Biolab. Some patient details are provided on pathology request forms accompanying samples submitted for analysis by post/courier/other delivery method.
What we do with your data
Personal data from patients is used to identify individuals for whom we are reporting pathology results and invoicing for services provided. Patient names, sex and date of birth are on occasion provided to carefully selected referral pathology laboratories who are conducting requested tests on patients’ samples. These referral laboratories are all GDPR compliant and only use the supplied information to identify samples and report results back to Biolab. We refer samples to laboratories in the United Kingdom, mainland Europe and the United States of America.
Reports of patient results are either posted to the referring practitioner or uploaded to a secure web portal for download directly by the referring practitioner.
Practitioner details are held in order to communicate requested patient results. Practitioners registered as referring clinicians will also sometimes receive email updates on the tests we offer and notifications of scheduled educational meetings. Practitioner details are never disclosed to external organisations.
On occasions where recovery of an outstanding debt is necessary, personal details may be provided to external debt recovery agencies. Advance notification will always be given in writing to the debtor.
Supplier data is solely used for the purpose of discussing and ordering equipment, supplies and services for Biolab and arranging payment for these. Data relating to supplier personnel is never disclosed to outside parties.
Personal data is not provided to any other organisations outside of Biolab other than those above.
How to check, rectify or request deletion of personal data
Individuals can contact our administration staff to request copies of their personal data, or to request rectifications or deletions (which will be granted subject to any legal obligation to retain data). We will respond to these enquiries promptly and always within one calendar month.
Individuals can also ask us to restrict processing or to forward their data to other suppliers.
How long we store personal data
We follow Department of Health recommendations for the retention of hospital records and therefore retain patient results for a period of 8 years, and children’s results until they reach the age of 25.
Referring practitioners who resign their registration with Biolab will have their details removed from our databases with immediate effect (unless they specifically ask to remain on our “educational” mailing list).
Biolab does not undertake any form of profiling on personal data stored on our systems.
The Biolab website collects information for the following purposes:
1. For practitioners to register as referring practitioners for the purpose of requesting Biolab tests on their patients.
2. To request the provision of our test kits for patients (received details are stored as medical records as described above).
Personal data for both of the above is stored on an internal Biolab database server and not on the web site host server.
3. To register to receive notifications of educational events and news about our services (name and email address only) – this data is stored on an independently hosted server and details can be removed/amended by contacting Biolab directly, or clicking “Remove” on received emails.
4. Our web site includes a small number of cookies that are used to optimise your view (text size etc) and any information obtained is permanently deleted at the end of your session and is not shared with any other organisations.
Personal data stored on Biolab computers is encrypted and our systems are maintained to ensure they have the latest cyber security measures in place. Our premises are locked and secured and the buildings are monitored by security cameras.
Data Protection Officer
Biolab’s Data Protection Officer is Mark Howard who can be contacted at the address below or by telephone: 020 7636 5959 or email: firstname.lastname@example.org
Complaints about the use of personal data should be reported to our Data Protection Officer in the first instance. If you are not satisfied with how we handled your complaint, you are entitled to make a complaint to the Information Commissioner’s Office (https://ico.org.uk/concerns/).
We will report any unlawful data breach of personal data stored at Biolab, or the database(s) of any of our third party data processors, to any and all relevant persons and authorities within 72 hours of the breach if it is apparent that personal data stored in an identifiable manner has been disclosed inappropriately.
Changes to this policy
(last update 21st May 2018)