Clinical Governance & Data Compliance
This document outlines the clinical standards and data protection measures implemented in Skin Club Pro to ensure patient safety and legal compliance.
1. Data Compliance (GDPR)
Regulatory Framework
Skin Club Pro adheres to the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
- Data Controller: Skin Club Pro (for platform users).
- Data Processor: Skin Club Pro (for practitioner-patient data).
- Special Category Data: Health data (Article 9) is treated with the highest level of security.
Key Compliance Features
- Right to Erasure: We implement "Soft Delete" for patient records. While PII is removed, clinical records are retained for the statutory period (typically 10 years).
- Data Portability: A "Download My Data" feature allows users to export their profile and clinical history in JSON/PDF format.
- Audit Trails: Every access to a patient record is logged.
  - Log Entry: {Timestamp, UserID, Action, RecordID, IPAddress}
- Encryption: AES-256 at rest (RDS/S3) and TLS 1.2+ in transit.
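The following is an added example, not Skin Club Pro's own code, showing how the Right to Erasure "Soft Delete" and the Audit Trail entry above fit together: PII fields are blanked, the clinical history is kept with a retention deadline, the erasure itself is written to the audit log with the five listed fields, and a separate purge step hard-deletes only once the retention period has passed. The field names, the 183/365.25-day arithmetic and the sample record are assumptions.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Statutory retention after erasure; the page says "typically 10 years".
# Assumption: expressed as whole days using 365.25 days per year.
RETENTION_DAYS = int(10 * 365.25)

# PII fields cleared by a Right-to-Erasure request (field names are assumptions).
PII_FIELDS = ("full_name", "email", "phone", "address", "date_of_birth")


@dataclass(frozen=True)
class AuditEntry:
    """One audit-trail line: {Timestamp, UserID, Action, RecordID, IPAddress}."""
    timestamp: str
    user_id: str
    action: str
    record_id: str
    ip_address: str

    def to_json(self) -> str:
        return json.dumps(self.__dict__, sort_keys=True)


class AuditLog:
    """Append-only audit trail: every access to a patient record gets an entry."""

    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def record(self, user_id: str, action: str, record_id: str, ip_address: str,
               now: Optional[datetime] = None) -> AuditEntry:
        ts = (now or datetime.now(timezone.utc)).isoformat()
        entry = AuditEntry(ts, user_id, action, record_id, ip_address)
        self.entries.append(entry)
        return entry


def soft_delete_patient(record: dict, requested_by: str, ip_address: str,
                        log: AuditLog, now: Optional[datetime] = None) -> dict:
    """Soft delete: blank PII, keep clinical history, stamp a retention deadline."""
    now = now or datetime.now(timezone.utc)
    scrubbed = dict(record)  # shallow copy; the clinical_records list is kept as-is
    for field_name in PII_FIELDS:
        if field_name in scrubbed:
            scrubbed[field_name] = None
    scrubbed["erased"] = True
    scrubbed["erased_at"] = now.isoformat()
    scrubbed["retain_until"] = (now + timedelta(days=RETENTION_DAYS)).isoformat()
    # The erasure itself is an access to the record, so it is audited too.
    log.record(requested_by, "ERASE", record["record_id"], ip_address, now=now)
    return scrubbed


def purge_expired(records: List[dict], now: datetime) -> List[dict]:
    """Hard-delete soft-deleted records whose retention period has passed."""
    kept = []
    for rec in records:
        if rec.get("erased") and datetime.fromisoformat(rec["retain_until"]) <= now:
            continue  # statutory period over: drop the clinical record for good
        kept.append(rec)
    return kept


if __name__ == "__main__":
    # Constructed sample record (not real patient data).
    sample = {
        "record_id": "rec-0001",
        "full_name": "Example Patient",
        "email": "patient@example.invalid",
        "phone": "+44 0000 000000",
        "clinical_records": [{"treatment": "consultation", "date": "2024-01-10"}],
    }
    log = AuditLog()
    out = soft_delete_patient(sample, "user-42", "203.0.113.5", log)
    print(out)
    print(log.entries[-1].to_json())
```

Note that the original dictionary is never mutated: the scrubbed copy is what gets written back, so a failed write cannot leave a half-erased record behind.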
2. Clinical Governance
Consent Management
- Digital Signatures: Captured via a touch-optimized canvas and stored as timestamped SVG/PNG.
- Immutable Records: Once a consent form is signed and a treatment is completed, the record is locked and cannot be edited.
- Version Control: Consent forms are versioned. If a form changes, patients must re-sign the latest version.
Medical History
- Mandatory Updates: The system prevents treatment bookings if a patient's medical history has not been updated within the last 6 months.
- Red Flag Alerts: Certain medical responses (e.g., pregnancy, specific allergies) trigger "Red Flag" alerts for the practitioner.
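As an added example (not code from Skin Club Pro), this booking pre-check applies the three rules from the Consent Management and Medical History sections: the patient must have signed the latest version of each required consent form, the medical history must have been updated within the last 6 months, and certain answers raise a Red Flag for the practitioner without blocking the booking. The questionnaire ids, the 183-day reading of "6 months" and the sample patients are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# "6 months" expressed as a day count; assumption: 183 days.
MEDICAL_HISTORY_MAX_AGE = timedelta(days=183)

# Questionnaire answers that raise a Red Flag for the practitioner.
# Question ids are assumptions; the page names pregnancy and specific allergies.
RED_FLAG_ANSWERS = {
    "pregnant": True,
    "allergy_local_anaesthetic": True,
}


@dataclass(frozen=True)
class ConsentForm:
    form_id: str
    version: int  # bumped whenever the wording changes


@dataclass
class Patient:
    patient_id: str
    medical_history: Dict[str, object]
    medical_history_updated: Optional[date]
    signed_consents: Dict[str, int] = field(default_factory=dict)  # form_id -> version signed


@dataclass
class BookingDecision:
    allowed: bool
    blocking_reasons: List[str]
    red_flags: List[str]


def check_booking(patient: Patient, required_forms: List[ConsentForm], today: date) -> BookingDecision:
    reasons: List[str] = []

    # Mandatory Updates: history must have been updated within the last 6 months.
    updated = patient.medical_history_updated
    if updated is None or today - updated > MEDICAL_HISTORY_MAX_AGE:
        reasons.append("medical history not updated within the last 6 months")

    # Version Control: the patient must have signed the latest version of each form.
    for form in required_forms:
        signed_version = patient.signed_consents.get(form.form_id)
        if signed_version is None or signed_version < form.version:
            reasons.append(f"consent form {form.form_id} v{form.version} must be (re-)signed")

    # Red Flag Alerts do not block the booking; they are surfaced to the practitioner.
    flags = [
        question for question, answer in patient.medical_history.items()
        if question in RED_FLAG_ANSWERS and RED_FLAG_ANSWERS[question] == answer
    ]

    return BookingDecision(allowed=not reasons, blocking_reasons=reasons, red_flags=flags)


if __name__ == "__main__":
    # Constructed sample: out-of-date history, old consent version, pregnancy flag.
    forms = [ConsentForm("treatment-consent", 3)]
    sample = Patient("pat-0001", {"pregnant": True}, date(2024, 1, 1), {"treatment-consent": 2})
    print(check_booking(sample, forms, date(2024, 9, 1)))
```

Returning every blocking reason at once, rather than the first one found, lets the booking screen tell the patient everything they need to fix before trying again.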
Practitioner Verification
- Role-Based Access (RBAC):
  - Admin: Can manage clinic settings but cannot view sensitive clinical notes.
  - Practitioner: Can view and edit clinical notes for patients they have treated.
  - Patient: Can view their own records and upcoming appointments.
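An added example, not Skin Club Pro's own authorisation code, of the three roles above as a deny-by-default check. The practitioner rule is relationship-based as well as role-based: the role alone is not enough, the practitioner must appear in the record's list of treating clinicians. The action names and the `treated_by` field are assumptions.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import FrozenSet, Optional


class Role(Enum):
    ADMIN = auto()
    PRACTITIONER = auto()
    PATIENT = auto()


class Action(Enum):
    VIEW_CLINIC_SETTINGS = auto()
    EDIT_CLINIC_SETTINGS = auto()
    VIEW_CLINICAL_NOTES = auto()
    EDIT_CLINICAL_NOTES = auto()
    VIEW_APPOINTMENTS = auto()


@dataclass(frozen=True)
class User:
    user_id: str
    role: Role


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    treated_by: FrozenSet[str]  # practitioner ids who have treated this patient (assumed field)


CLINICAL_NOTE_ACTIONS = {Action.VIEW_CLINICAL_NOTES, Action.EDIT_CLINICAL_NOTES}
SETTINGS_ACTIONS = {Action.VIEW_CLINIC_SETTINGS, Action.EDIT_CLINIC_SETTINGS}


def is_authorised(user: User, action: Action, record: Optional[PatientRecord] = None) -> bool:
    """Deny by default; each role gets only the rights the governance page lists."""
    if user.role is Role.ADMIN:
        # Admins manage clinic settings but never see clinical notes.
        return action in SETTINGS_ACTIONS

    if user.role is Role.PRACTITIONER:
        # Clinical notes only for patients this practitioner has treated.
        if action in CLINICAL_NOTE_ACTIONS:
            return record is not None and user.user_id in record.treated_by
        return False

    if user.role is Role.PATIENT:
        # Patients read their own records and appointments; they cannot edit notes.
        if action in {Action.VIEW_CLINICAL_NOTES, Action.VIEW_APPOINTMENTS}:
            return record is not None and record.patient_id == user.user_id
        return False

    return False


if __name__ == "__main__":
    # Constructed sample: one record, treated by prac-1 only.
    rec = PatientRecord("pat-1", frozenset({"prac-1"}))
    print(is_authorised(User("prac-1", Role.PRACTITIONER), Action.EDIT_CLINICAL_NOTES, rec))
    print(is_authorised(User("prac-2", Role.PRACTITIONER), Action.VIEW_CLINICAL_NOTES, rec))
    print(is_authorised(User("adm-1", Role.ADMIN), Action.VIEW_CLINICAL_NOTES, rec))
```

Every call to `is_authorised` on a clinical record is a natural place to emit the audit-trail entry described in section 1, whether the decision is allow or deny.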
3. Cyber Threat Mitigation
- XSS Protection: HttpOnly cookies for session tokens, so script injected into a page cannot read them.
- CSRF Protection: Synchronizer Token Pattern for state-changing requests.
- Rate Limiting: Implemented on Auth and Payment endpoints to prevent brute-force and card-testing attacks.
- WAF: AWS WAF rules protect against common web exploits (SQLi, XSS).
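The three application-level controls above (HttpOnly session cookies, the Synchronizer Token Pattern and rate limiting on auth/payment endpoints), shown together in an added Python example that is not Skin Club Pro's own code. The server-side token store, the sliding-window algorithm, the limit values and the request-handling order are assumptions; the WAF rules are outside the application and are not modelled.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional


def session_cookie_header(session_token: str, max_age: int = 3600) -> str:
    """Set-Cookie value for the session token.

    HttpOnly: script injected via XSS cannot read it from document.cookie.
    Secure: only sent over TLS.  SameSite=Lax: not attached to most cross-site requests.
    """
    return (f"session={session_token}; Path=/; Max-Age={max_age}; "
            "HttpOnly; Secure; SameSite=Lax")


class CsrfProtector:
    """Synchronizer Token Pattern: a per-session random token the server stores,
    embeds in each form, and requires back on every state-changing request."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}  # server-side session store (assumption)

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def validate(self, session_id: str, submitted: Optional[str]) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        # Constant-time comparison so response timing does not leak the token.
        return hmac.compare_digest(expected, submitted)


class RateLimiter:
    """Sliding-window limiter for auth/payment endpoints, keyed by client and endpoint."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # drop hits that have aged out of the window
        if len(hits) >= self.limit:
            return False  # caller answers 429 and logs the event
        hits.append(now)
        return True


def handle_state_change(csrf: CsrfProtector, limiter: RateLimiter, session_id: str,
                        client_ip: str, endpoint: str, submitted_token: Optional[str]) -> int:
    """Check order for e.g. POST /auth/login or POST /payments; returns an HTTP status."""
    if not limiter.allow(f"{client_ip}:{endpoint}"):
        return 429  # rate limit first: cheapest check, and it protects the others
    if not csrf.validate(session_id, submitted_token):
        return 403
    return 200  # the real handler would run here


if __name__ == "__main__":
    # Constructed demo: one session, one client, a limit of 3 login attempts per minute.
    csrf, limiter = CsrfProtector(), RateLimiter(limit=3, window_seconds=60)
    token = csrf.issue("sess-demo")
    print(session_cookie_header("opaque-session-id"))
    for _ in range(4):
        print(handle_state_change(csrf, limiter, "sess-demo", "203.0.113.9", "/auth/login", token))
```

Keying the limiter on client and endpoint together means a burst of card-testing attempts against the payment endpoint does not also lock the same client out of login, and vice versa.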