How Your Data Is Protected

This page describes the technical and organisational measures Chronicle Health uses to protect your health data during processing.

Single-operator model

Your data is handled by one person. There are no employees, contractors, or third parties with access to your health records. This eliminates the most common source of data breaches: unnecessary access.

Encryption

  • In transit: All data transfers use TLS encryption
  • At rest (local): Full-disk encryption (FileVault 2, AES-256) on the processing device
  • At rest (cloud): Proton Drive end-to-end encryption with zero-access architecture - Proton cannot read your files, and neither can anyone who compromises their servers
  • Email: ProtonMail end-to-end encryption for any communication containing your data

Pseudonymisation before AI processing

Before any data is sent to an AI model, all direct identifiers are removed:

  • Full name, date of birth, addresses, postcodes
  • Phone numbers, email addresses
  • NHS numbers, hospital/patient IDs

What remains is the clinical content: appointment dates, diagnoses, test results, medications, and clinical correspondence. This is pseudonymised data - it retains medical utility while removing the information that directly identifies you.

The removal process runs in two stages (PDF-level and text-level) as a defence-in-depth measure. Medical details and event dates are retained because they are essential for producing a useful health record.

Pseudonymised data is not the same as anonymised data. Your medical history is inherently unique to you, and a sufficiently motivated person could theoretically re-identify you from clinical details alone. The pseudonymisation reduces risk; it does not eliminate it entirely.
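The text-level stage described above, as an added example that is not Chronicle Health's own code: it strips the identifier classes listed (name, date of birth, address and postcode, phone, email, NHS and hospital IDs), leaves appointment and result dates and clinical content in place, and validates the NHS number check digit so unrelated ten-digit numbers are not mislabelled. The sample record, the placeholder labels and the assumption that the client's name is known from intake are constructed for illustration; regex matching will not find an unlabelled name or address, which is one reason the page treats this as a single layer rather than the whole control.

```python
import re

# Modulus 11 check digit used by NHS numbers (weights 10..2 over the first nine digits).
# Validating it stops other 10-digit numbers (lab refs, phone numbers) being labelled NHS.
def valid_nhs_number(candidate: str) -> bool:
    digits = re.sub(r"\D", "", candidate)
    if len(digits) != 10:
        return False
    total = sum(int(d) * w for d, w in zip(digits, range(10, 1, -1)))
    check = (11 - total % 11) % 11
    return check != 10 and check == int(digits[9])

# Only a labelled date of birth is an identifier; appointment and result dates are
# clinical content and are deliberately left untouched.
DOB_RE = re.compile(r"(?i)\b((?:DOB|date of birth)\s*:?\s*)\d{1,2}[/.\-]\d{1,2}[/.\-]\d{2,4}")
HOSPITAL_ID_RE = re.compile(r"(?i)\b((?:hospital|patient)\s*(?:no|number|id)\b\.?\s*:?\s*)[A-Z0-9-]+")
ADDRESS_RE = re.compile(r"(?im)^(address\s*:\s*).+$")
NHS_CAND_RE = re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{4}(?!\d)")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
PHONE_RE = re.compile(r"(?<!\d)(?:\+44\s?\d{2,4}|0\d{2,4})[\s-]?\d{3,4}[\s-]?\d{3,4}(?!\d)")
POSTCODE_RE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b")

def pseudonymise(text: str, known_names: list[str]) -> tuple[str, dict[str, int]]:
    """Text-level stage: replace direct identifiers with typed placeholders;
    also returns a per-type count (no identifiers) suitable for an audit log."""
    counts: dict[str, int] = {}
    def placeholder(label: str, prefix: str = "") -> str:
        counts[label] = counts.get(label, 0) + 1
        return f"{prefix}[{label}]"

    # Regexes cannot find arbitrary names, so the client's own name (assumed known
    # from intake) is removed by exact, case-insensitive match, longest first.
    for name in sorted(known_names, key=len, reverse=True):
        text = re.sub(re.escape(name), lambda m: placeholder("NAME"), text, flags=re.I)
    text = DOB_RE.sub(lambda m: placeholder("DOB", m.group(1)), text)
    text = ADDRESS_RE.sub(lambda m: placeholder("ADDRESS", m.group(1)), text)
    text = HOSPITAL_ID_RE.sub(lambda m: placeholder("HOSPITAL_ID", m.group(1)), text)
    text = NHS_CAND_RE.sub(lambda m: placeholder("NHS") if valid_nhs_number(m.group(0)) else m.group(0), text)
    text = EMAIL_RE.sub(lambda m: placeholder("EMAIL"), text)
    text = PHONE_RE.sub(lambda m: placeholder("PHONE"), text)
    text = POSTCODE_RE.sub(lambda m: placeholder("POSTCODE"), text)
    return text, counts

# Constructed sample record; every identifier in it is fictional.
SAMPLE = """Patient: Jane Example   DOB: 14/02/1975   NHS No: 943 476 5919
Hospital No: RXH-0042311   Tel: 07700 900123   Email: jane.example@example.com
Address: 1 Example Street, London SW1A 1AA
Appointment 12/03/2024: HbA1c 48 mmol/mol, metformin 500 mg BD continued.
Result 19/03/2024: repeat bloods normal."""
```

Running `pseudonymise(SAMPLE, ["Jane Example"])` leaves both event dates and the clinical lines intact while every labelled identifier becomes a typed placeholder, and the returned counts contain no identifying values.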

AI processing: AWS Bedrock (EU only)

AI-assisted processing (primarily transcription of handwritten clinical notes) uses AWS Bedrock in the London (eu-west-2) region.

  • Zero data retention: Prompts and responses are not stored, logged, or used for model training by AWS or the model provider (Anthropic). This is configured at account level and verified against AWS contractual terms (Service Terms section 50)
  • EU-only processing: IAM policies enforce that all AI requests are routed to EU regions only. Non-EU requests are rejected at the AWS API level. This is enforced at two independent layers (IAM permissions boundary and application configuration) as a defence-in-depth measure
  • No international transfers: Your data does not leave the UK and EU during AI processing

Evidence for zero data retention and EU-only enforcement is available on request.

Storage during processing

During an engagement, your identifiable health data is stored on Proton Drive (Proton AG, Switzerland). Proton uses end-to-end encryption with a zero-access architecture - your files are encrypted before they leave your device, and Proton holds no decryption keys. The UK-Switzerland data adequacy decision means no additional transfer safeguards are required.

No health data is stored on third-party servers, cloud platforms, or SaaS tools other than Proton and AWS Bedrock (which retains nothing).

Device security

  • Full-disk encryption (AES-256) protects the processing device when powered off or closed
  • Biometric authentication and automatic screen lock
  • Multi-factor authentication on all systems that access client data
  • Separate user accounts for daily work and system administration

Data deletion

All identifiable data is deleted 7 to 14 days after delivery of your personal health record, or immediately on request. This includes:

  • Raw SAR responses and source documents
  • Processed and structured files
  • Identity documents (if provided for SAR submissions)
  • Any temporary or derivative files created during processing

A deletion log (containing only non-identifiable timestamps) is retained for audit purposes.

What we don’t control

The measures above cover everything within Chronicle Health’s security boundary. However, we cannot control how data controllers (such as GP practices and hospital trusts) transmit your records to us in response to a Subject Access Request. Some practices send records via secure portals; others use standard email or post. If you have concerns about how your practice handles data in transit, you are welcome to raise this with them directly or ask us to specify a preferred delivery method in the request.

Communication channels

Email (ProtonMail) and WhatsApp are used for client communication. WhatsApp is used for administrative conversation only — scheduling, questions, updates. No health data, identity documents, or files containing personal data are sent or received via WhatsApp. Health data files are transferred exclusively via encrypted channels (Proton Drive).

What we don’t do with your data

  • Store health data on unencrypted devices or services
  • Use AI providers that retain or train on your data
  • Commit it into source control (e.g. GitHub)
  • Process data outside the UK and EU
  • Share your data with anyone other than the sub-processors listed on the privacy page
  • Retain your data beyond the agreed retention period
  • Use cookies, analytics, or tracking on this website

Further information

A Data Protection Impact Assessment (DPIA) has been completed for the processing described on this page. A copy is available on request. If you have questions about any of these measures, get in touch.