King's College Hospital London – Jeddah

Privacy Policy

How we collect, use, and protect your data under the Saudi Personal Data Protection Law (PDPL, Royal Decree M/19) and the rules issued by the Saudi Data & AI Authority (SDAIA).

Who we are and the law that governs this page

King's College Hospital London — Jeddah (KCHJ) is the data controller for the personal data we collect through this website, the patient portal, and the KCHJ mobile app. We are registered with the SDAIA National Data Governance Platform, and our processing follows the Personal Data Protection Law (Royal Decree M/19, as amended in March 2023) and the executive regulations issued by SDAIA.

The data we collect

We collect only what we need to provide care, run our business, and meet legal duties. The categories below cover everything we hold about you.

  • Identity — name, national ID or iqama, date of birth, nationality, gender.
  • Contact — phone, email, postal address, next-of-kin details.
  • Health records — diagnoses, treatment plans, medications, imaging, lab results, clinical notes.
  • Biometric and sensitive data — fingerprints used for portal sign-in (where enabled), genetic markers in oncology workflows.
  • Insurance and billing — policy number, payer, claim history, invoices.
  • Device and usage — IP address, device identifier, browser, app version, pages viewed, language and accessibility preferences.
  • Location — only when you explicitly enable it.

Why we use it, and on what legal basis

For each purpose below we record the legal basis under PDPL. You may withdraw any consent-based purpose at any time without affecting purposes we are obliged to keep.

  • Treatment and clinical care: Contractual necessity
  • Billing, insurance claims, ZATCA invoicing: Legal obligation
  • Statutory reporting (MOH disease registries): Legal obligation
  • Marketing communications and promotions: Explicit consent (opt-in)
  • Research and quality improvement using identifiable data: Explicit consent
  • Site analytics and performance: Explicit consent (cookie banner)

How long we keep your data

We keep data only for as long as the law requires or the purpose justifies.

  • Medical records: Per Saudi Ministry of Health regulations (typically 15 years from last visit)
  • Billing and tax records: Per ZATCA tax-retention rules (10 years)
  • Marketing consent: Until you withdraw consent
  • Cookies and analytics data: Per the Cookie Policy; site analytics anonymised at 14 months
  • Audit logs of access to health records: 5 years from the date of access

Who we share your data with

Inside the hospital your record is shared on a need-to-know basis. Outside the hospital we share only when you instruct us to, when the law requires, or under a written processor agreement.

  • Insurers and Third-Party Administrators (TPAs) for direct billing.
  • Reference laboratories and imaging centres for tests we cannot run in-house.
  • King's College Hospital London — only with your explicit consent.
  • Cloud and analytics processors operating under signed Data Processing Agreements (DPAs).
  • Saudi regulators and law-enforcement bodies on a lawful written request.

Your rights under PDPL

PDPL gives you a clear set of rights over your personal data. You can exercise any of them by emailing the Data Protection Officer at dpo@kch.sa. We acknowledge requests within two business days and aim to respond within ten business days.

  • Right to know what we hold and why.
  • Right to access a copy of your data.
  • Right to correct inaccurate or incomplete data.
  • Right to erase data we no longer have a lawful basis to keep.
  • Right to portability — receive your data in a machine-readable format.
  • Right to withdraw consent at any time.
  • Right to lodge a complaint directly with SDAIA.

Security and breach response

We protect your data with AES-256 encryption at rest, TLS 1.3 in transit, role-based access on a least-privilege model, and immutable audit logging. If we detect a personal-data breach, we notify SDAIA within 72 hours and affected patients without undue delay.

Changes to this policy

When we make a material change we ask you to read and accept the updated version inside the portal before the change applies to you.

Contact

Questions about this page: dpo@kch.sa or 920 000 000
