This page is for the information governance team at a health care institution using Patients Know Best (PKB) with its patients for the first time.

What does the PKB platform include?

PKB has three main features: a back-end EMR, a front-end view of the data specific to patients and clinicians, and workflow tools for both:
1. A back-end electronic medical record: able to store all the records that are in a standard EMR package like EMIS or Cerner, but also encrypting each patient’s data using a patient-specific key.

2. Front-end views of the data: these are role-specific, e.g. the patient can look at their own medical record and that of consenting family members; the clinician can see the records of all the patients they are treating; the coordinator can manage the access rights to the records and manage treatment plan templates, without seeing the actual records.

3. Workflow tools: these are for patients and clinicians to work together, including messaging and online consultation.

Ownership and responsibilities

The software, data storage and clinician training are provided by PKB to customers.

Servers: PKB is in charge of the servers and they reside within a secure network under ISO 27001 hosting. Data are encrypted so that only the patient, and the professionals that the patient chooses, can access the patient’s data. PKB ensures this continued compliance.

Software: Intellectual property for the software and its features is owned by PKB. PKB is responsible for maintaining its software and servers. PKB’s software is mature and has already been extensively tested by many organisations across many care settings, so no additional changes are required for PKB customers to provide a smooth service to their patients. PKB regularly updates the software based on feedback and requests from users, and an update made for one user’s request is made available to all customers with each PKB server upgrade.

Content: Intellectual property for any care plans created is owned by the clinical team which created the care plans.

Data: The copy of data in a patient’s account is owned by the patient. The copy of data in a clinician’s account is owned by the employer of the clinician. No party can edit or delete data as this is a medico-legal record. Patient, carers and clinicians can add new data and comments to improve the accuracy of the record, and all additions are tracked with an audit trail.

Training: Customer training is provided by clinicians and project managers employed by PKB. They have received specialist training in delivering workshops to people using the system. The training is delivered by either workshop format or online webinar. Technical support is provided to employees of PKB customers as part of the service contract.

Monitoring: Each customer monitors the use of the system in accordance with their existing policies. The customer also monitors compliance with the system, in accordance with their existing policies. PKB does not have access to individual accounts of clinicians or patients.

Notifications: Each patient can add data to their own account – the account is not the property of the customer, and thus not the responsibility of the customer. There is a clause contained on every appropriate page in PKB that removes liability from clinicians if they do not see or access information uploaded. When a patient explicitly wants to communicate with a customer clinician about an upload, the clinician will receive a notification by email to their chosen customer email address.

Contract termination

If the customer wishes to terminate its contract with PKB, ownership of the data remains with the end users.

Data copied into a patient’s PKB account are owned by the patient. The original copy on the customer’s servers remains the property of the customer. A copy of data from the patient to the clinician is owned by the customer employing the clinician.

PKB has no rights over the information placed in the system. In addition, due to the security protocols in place, PKB cannot access any of this information without the patient’s consent. Therefore, it is not possible for Patients Know Best to create a mailing list or contact the patient directly, although the health care institution can do so.

On termination, the patient will retain their PKB account for 8 years and can access this information at any time. They continue to own all this information, according to data protection legislation. This information will not be deleted and access will not be revoked. Termination means that the customer can no longer send new information to the patients’ PKB accounts. The patient cannot add data unless they can find another sponsoring institution, or they pay directly themselves.

Clinical responsibility

The customer and their clinicians are responsible for information they provide to patients. Other parties (including the patient and the people the patient chooses) are responsible for information they provide. The source of all materials is recorded on the system and provides a full medical audit trail.

Complaints should be handled in the same way as they are for all normal clinical events.

Data confidentiality

Information is kept confidential so that only the patient, and the people the patient chooses, are able to access the patient’s medical records. PKB encrypts the data so that PKB itself is unable to access it, let alone leak it; therefore only patients or clinicians with access can leak patient data. PKB is responsible for the encryption in its software. Patients and clinicians are responsible for not leaking the data they have access to.

PKB’s encryption has three layers:

1. Medical record data storage layer: encrypts using a unique public and private key for each patient. Only the patient, and the people the patient chooses, have a copy of the private key. Only the private key allows accessing the patient’s data. Therefore, no other parties are able to access the patient’s data.

2. Secure server holding the data: this is hosted to ISO 27001 standard inside the NHS N3 network, behind the NHS firewall. This protects against malicious hacking attempts and provides uptime, disaster recovery and business continuity guarantees.

3. Transport through SSL: this secures transmission of data from the server to the end user’s computer.

Who can access the system?

Every authorised user is either a patient who has been identified and consented by a medical professional, or a professional whose employer (e.g. an NHS hospital or a County Council social work department) has identified and authorised them to use the system. The patient may choose to invite a carer or professional who has not been formally identified, but these unverified accounts cannot be used with any other patients. There is a full audit trail of who gave whom access to which accounts.

How are patients consented?

The professionals who are working with the patient can assess if the patient is competent to understand their control over the record. The patient can make the decision over their interest in managing this control, i.e. they may decide to delegate this management to their carers, or back to the professional.

No new protocols are required for this informed consent; they are the same as those for consenting the patient for any other procedure, and have the same exclusions for patients who are children, who have temporary mental health problems, or who have dementia and have therefore given power of attorney to a carer.

How are data transferred into PKB?

PKB allows manual and automated data transfer. Manual data transfer is when the patients and clinicians use the web site to enter data directly, for example the patient filling out their symptoms, and the clinicians sending clinic letters to patients.

PKB also supports automated HL7 message data transfer. Systems that can be integrated include letters, tests, radiology, medications, and the medical notes written in clinic. We aim for total integration, sharing all medical records with each patient, to provide the best and most efficient medical care.

PKB works with the customer’s IT department to set up integration for automated data transfer.

How are data destroyed?

Data is not destroyed but sharing may be revoked at any point. The sharing of data may be disabled by a patient or by a Privacy Officer on the patient's behalf. The PKB record is retained in line with NHS retention guidelines regarding medicolegal records.

How are the data encrypted?

Firstly, for all communication between clients and the PKB servers, and even between the PKB servers in the datacenter, we use SSL with high grade (AES-256) encryption. We do not support unencrypted HTTP for browser requests, and internal communication between the web application, EJBs, LDAP, and database are all over SSL as well.

Secondly, medical data arriving from users or through APIs are immediately encrypted using DESede (Triple DES). The private key is stored with each document after being encrypted using the 1024-bit RSA public key that is unique to that patient account; thus, the private key (and the document) cannot be read except by users who have explicitly been granted access by the patient. Each user has their own asymmetric key pair, encrypted using their password (DESede again here), so the process of granting access encrypts the account private key using the new user's public key.

Thanks to this system, even a theoretical intruder (including a trusted PKB employee) with the root password and access to the application source code and database still would be unable to access private medical data. Furthermore, even if a single patient's account were compromised, that would not affect the security of other patient data in the system.
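The three-layer description above (the per-patient key pair in the storage layer, and the DESede document keys wrapped under the patient's RSA key with each user's own key pair locked by their password) can be modelled end to end. The block below is an added example written for this page, not PKB's code, and it uses deliberately simplified stand-ins: textbook RSA-512 without padding in place of RSA-1024, and an HMAC-SHA256 counter keystream with a MAC in place of DESede (neither is production-grade; only the wrapping structure is the point). The user names, the `demo()` scenario and the record layout are constructed for illustration. What it shows is the property claimed in the paragraph above: the server-side records contain only public keys, ciphertexts and wrapped keys, so a party holding the whole database but no granted private key (here an insider named `mallory`) cannot read a document, while a clinician the patient has granted (`dr_bob`) can, and a feed that only adds documents needs nothing more than the account's public key.

```python
"""Toy model of the PKB key hierarchy (constructed example, not PKB code). Stand-ins:
textbook RSA-512 with no padding for RSA-1024, HMAC-SHA256 keystream + MAC for DESede."""
import hashlib, hmac, math, os, secrets
E = 65537  # RSA public exponent

# --- symmetric stand-in for DESede ---
def _xor(key, nonce, data):                      # HMAC-SHA256 counter keystream XOR data
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def sym_encrypt(key, pt):
    nonce = os.urandom(16)
    ct = _xor(key, nonce, pt)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def sym_decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")   # a wrong key fails closed
    return _xor(key, nonce, ct)

# --- asymmetric stand-in for RSA-1024: textbook RSA-512 (toy, no padding) ---
def _is_prime(n, rounds=24):                     # Miller-Rabin
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def _prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(c): return c

def rsa_keygen(bits=512):                        # returns ((n, e), d); n has exactly `bits` bits
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return (p * q, E), pow(E, -1, phi)

def pk_wrap(pub, data):                          # hybrid: fresh 32-byte KEK, RSA-encrypted to pub
    n, e = pub
    kek = os.urandom(32)                         # 256 bits, so always < the 512-bit n
    return pow(int.from_bytes(kek, "big"), e, n).to_bytes(64, "big") + sym_encrypt(kek, data)

def pk_unwrap(pub, d, blob):
    m = pow(int.from_bytes(blob[:64], "big"), d, pub[0])
    if m >= 1 << 256:                            # wrong private key: result is not a 256-bit KEK
        raise ValueError("wrong key")
    return sym_decrypt(m.to_bytes(32, "big"), blob[64:])   # the MAC catches the other cases

# --- what the server database holds: public keys, ciphertexts and wrapped keys only ---
def create_user(password):
    pub, d = rsa_keygen()
    salt = os.urandom(16)
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"pub": pub, "salt": salt, "enc_d": sym_encrypt(pw_key, d.to_bytes(64, "big"))}

def unlock_user(user, password):                 # client side: password unlocks the private exponent
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    return int.from_bytes(sym_decrypt(pw_key, user["enc_d"]), "big")

def create_account(owner_id, owner):             # the account private key exists only wrapped to grantees
    pub, d = rsa_keygen()
    return {"pub": pub, "docs": [], "grants": {owner_id: pk_wrap(owner["pub"], d.to_bytes(64, "big"))}}

def add_document(acct, plaintext):               # a clinic or HL7 feed needs no secret to add data
    key = os.urandom(32)
    acct["docs"].append({"ct": sym_encrypt(key, plaintext), "wkey": pk_wrap(acct["pub"], key)})

def grant_access(acct, granter_id, granter, granter_d, grantee_id, grantee):
    acct_d = pk_unwrap(granter["pub"], granter_d, acct["grants"][granter_id])
    acct["grants"][grantee_id] = pk_wrap(grantee["pub"], acct_d)   # re-wrap to the new user's key

def read_documents(acct, user_id, user, user_d):
    acct_d = int.from_bytes(pk_unwrap(user["pub"], user_d, acct["grants"][user_id]), "big")
    return [sym_decrypt(pk_unwrap(acct["pub"], acct_d, doc["wkey"]), doc["ct"]) for doc in acct["docs"]]

def demo():
    users = {u: create_user(u + "-pw") for u in ("alice", "dr_bob", "mallory")}
    acct = create_account("alice", users["alice"])
    add_document(acct, b"Clinic letter (constructed sample)")
    grant_access(acct, "alice", users["alice"], unlock_user(users["alice"], "alice-pw"),
                 "dr_bob", users["dr_bob"])
    bob_reads = read_documents(acct, "dr_bob", users["dr_bob"], unlock_user(users["dr_bob"], "dr_bob-pw"))
    try:   # insider with the whole database but no grant: tries Bob's grant with her own key
        read_documents(acct, "dr_bob", users["mallory"], unlock_user(users["mallory"], "mallory-pw"))
        blocked = False
    except ValueError:
        blocked = True
    return {"dr_bob_reads": bob_reads, "insider_blocked": blocked}
```

Two design points carry over to the real scheme regardless of the primitives chosen: granting access is a re-wrap of the account private key under the grantee's public key, performed on a client that already holds that key, so the server never sees a plaintext key; and because every account has its own key pair, recovering one patient's account key gives nothing that helps with another account's grants.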

Who deals with patient access problems? When is support available?

If a patient forgets their password, there is a password reset process requiring the patient’s demographic details and security question. If the patient still cannot remember their password, they can request a reset by clinical staff. PKB employees cannot help with access as all the data are encrypted and we do not have decryption rights.

However, patients often contact us directly (by clicking the “Help” link on every page) to ask about using the software. Our staff answer these questions within 1 working day.

How can all patients get to use PKB?

PKB can be reached from any computer with internet access. We test PKB so that it works within Internet Explorer 6 for NHS computers. The web site also works with any modern standards-compliant browser, including all versions of Chrome, Firefox and Safari.

This includes smartphones (used by over 50% of the population across most OECD countries), the preferred method of access for most of our patients. In addition, there is a dedicated smartphone app that is password protected and allows storing the full record on the patient’s phone to bring to the emergency department or while travelling. Patients can also use their local library or school computer, and homeless patients have used the system because receiving letters in the post is not possible for them.

PKB is also tested with screen readers by users with visual disabilities like Thalidomide Trust beneficiaries, and is compliant with RNIB guidelines for colour-blind users. The system has also been translated into Arabic, Chinese, Dutch, German, Polish, Spanish and Urdu, with other languages available on request from customers.

Data Flow Map

The following illustration shows how data flows in and out of PKB. The rows of the diagram depict Data Subjects (Patients), Legal Entities (Data Controllers and Data Processors), and Third Parties. The columns depict the journey the data takes from Creation, Storage, Usage and Transfer or Sharing to Disposal.

The third row, titled 'Third Party', remains blank because PKB does not use any Third Party to handle or process data. All sensitive clinical data remains fully encrypted (refer to the details above) inside PKB's secure infrastructure, hosted within the NHS N3 Network, and is only accessible to Patients, Carers, Authorised Professionals (added by the patient), Verified Institutions and Verified Organisations.

Data Centre Security and Redundancy

Patients Know Best maintains two data centres, one in The Netherlands and one in the UK.

NL Data Centre (

The data centre is certified and satisfies all requisite standards, such as NEN7510 (the standard for information security in health care), the ZSP standard for health care service providers, PCI compliance for the financial sector and the international standard for information security, ISO/IEC 27001.

UK Data Centre (Carelink)

Data Centre Power Supply and UPS systems

The data centre in Telehouse Docklands has two separate power supplies and full UPS backup systems (220/240V AC). The entire electrical system in the Data Centre is designed with multiple levels of built-in redundancy.

The back-up electrical power system is powered by a diesel generator located in a secure, protected equipment yard onsite. UPS batteries can sustain AC power supplies under full load for up to 10 minutes. Redundant onsite fuel tanks provide forty-eight hours' worth of generator fuel. To ensure that redundant power sources are available when they are needed and that they function as planned, the generators are tested on a weekly basis.

Data Centre Mechanical Systems

The data centre has a reliable heating, ventilation and air conditioning (HVAC) system to assure optimum conditions for our customers' equipment operation and to help minimise downtime due to equipment failure.
  • The HVAC system in the Data Centre has been designed to consistently provide appropriate airflow, temperature and humidity.
  • The mechanical systems themselves are monitored around the clock, providing additional protection.
  • Documented procedures for routine maintenance help assure the reliable operation of these key systems, backed by maintenance contracts with local vendors that specify a maximum four-hour response time for emergency service.
  • An advanced fire detection system continuously samples the air for any indication of fire and warns onsite staff of potential fire hazards, initiating extensive and localised emergency procedures to extinguish any fire at the source.

Data Centre Physical Security

One of our highest priorities is providing the level of security required to protect our customers' mission-critical Internet and HSCN operations while assuring that only authorised personnel have the 24x7 site access they need to perform their work. The Data Centre delivers financial-grade security for equipment through our multilevel physical security features and rigorously enforced security policies and procedures. This includes:

  • Security staff onsite 24x7, with roving security patrols in addition to staff guarding building entries
  • Access to the main Centre from the welcome area is strictly controlled to prevent forced entry into the facility
  • Swipe card devices control access to secured areas within the main Centre, including the production floor and the shipping/receiving area
  • High-density, motion-sensing digital colour closed-circuit television (CCTV) cameras throughout the facility, including at least two cameras covering private suites and at least four cameras covering cabinets in shared areas
  • Motion detectors and alarm systems are located throughout the facility, with a silent alarm and automatic notification of appropriate law enforcement officials protecting all exterior entrances

The design for the Data Centre site specifies a hardened structure that meets numerous physical criteria, ranging from Class 3 or Class 4 standards to local Uniform Building Code. Concrete bollards or other similar barriers are placed around the perimeter of the facility to prevent vehicles from penetrating an exterior wall. External mechanical or equipment yards are secured by fences and concrete bollards and are under 24 hour motion-sensitive video surveillance.