EIDO may receive patient data from hospital customers for use in its digital products. This data is processed in line with the policy set by the customer, who acts as the data controller.
How data is handled
- The customer sends patient data to EIDO.
- EIDO processes the data using one or more of its digital products.
- Once processing is complete and the retention period has passed, the data is purged.
The diagram below shows this workflow.
What purging means
Purging redacts (anonymises) all identifiable patient data. This includes names, addresses, contact details, and signatures—wherever they appear in the core database or system log files.
When the data retention period ends, the patient is added to the purge queue. Each night, a process redacts their identifiable data and logs the purge.
Retention periods
There are two types of data retention period:
| Type | Description | Time period |
| Standard | Triggered when a patient episode is complete. Data is purged after this. | 180 days |
| Custom | Set by the data controller as a global setting for the organisation. | Flexible |
The retention period starts after the most recent interaction with the patient record. If the patient interacts again—for example if they read an article or complete a consent form—the retention period resets.
Example timeline
| Day | Action | Time to purge |
| 1 | Add patient demographics | 180 days |
| 3 | Send invite to patient | 180 days |
| 6 | Patient reads article | 180 days |
| 28 | Send consent form invite | 180 days |
| 36 | Patient completes consent form | 180 days |
| 62 | Consent confirmed at hospital visit | 180 days |
| 242 | No further interaction – data purged | 0 days |
What resets the retention period
Not all actions reset the retention period. For example, viewing a patient in the dashboard or downloading a consent form does not.
The following actions do reset it:
- Adding patient demographics
- Sending article to patient
- Sending consent form to patient
- Patient reads article
- Patient completes consent form
- Expire link sent via dashboard
- Completing consent session with patient in clinic
- Completing confirmation of consent
- Withdrawing consent via dashboard
- Updating patient demographics
Integrations
If patient data is updated via an integration with an EPR or TIE, the retention period resets.
Interacting with the retention period
It is possible to change how the retention period works:
- Putting a patient into read-only mode stops the retention period from resetting. Once the period ends, the data is purged.
- Admins can also purge a patient immediately, adding them to the purge queue for overnight processing. This functionality can be restricted to Admin users only if required.
Both actions can be done manually in the EIDO Dashboard.
System backups
The system is backed up regularly. If a restore is needed, EIDO uses the purge log to re-purge any previously deleted patient data.