...

Part 2 – Joint Controller Arrangement specific clauses (patient-contributed data only)

Part 3 – Data Processing Contract-specific clauses 

...

Schedules – Applicable to all scenarios

PART 1 

This Agreement is dated [01 JANUARY] 2022. 

1. PARTIES 

Patients Know Best (“PKB”); and 

...

each a “Party” and together the “Parties”.  

2. BACKGROUND 

A. The Lead Controller has contracted with PKB under the Commissioning Contract to provide patients with access to, and some control of, their health data. The PKB platform facilitates patient access to their health data contributed by the Providers and facilitates the patient to add information which may be viewed by their health and care providers and other people of their choosing. The Providers are all organisations with a legal duty (as part of the NHS) to provide care that is free at the point of delivery to individuals, and PKB supports the facilitation of this duty.

...

I. Where PKB are Joint Controllers with the Providers, Parts 1, 2, 4 and the Schedules shall apply.

3. DEFINITIONS AND INTERPRETATION 

3.1 Unless specifically provided for in this Agreement, the following terms shall have the following meanings:

...

3.3.1 the main body of this Agreement and the Schedules, except as expressly stated otherwise, the main body of this Agreement shall prevail to the extent of such conflict

4. SCOPE AND APPLICATION 

4.1 This Agreement applies to the processing of Personal Data on the PKB Platform. Any reference in this Agreement to PKB Data shall be interpreted as a reference to any Personal Data held on the PKB Platform. 

...

4.4 Where PKB Data under this Agreement is accessed by another Provider organisation, that organisation shall be considered a Third Party under Article 4 of UK GDPR. 

5. COMMENCEMENT AND DURATION 

5.1 This Agreement shall commence on the date set out at the top of it (the “Commencement Date”) and shall continue in accordance with its terms.

6. PATIENT AND REGULATORY ENGAGEMENT 

6.1 Prior to the commencement of Processing, in respect of the activities contemplated by this Agreement, the Parties shall cooperate with each other to:

...

6.2 Following the commencement of processing activity, the Providers will continue to promote the proposed processing activity in accordance with their duty of transparency.

7. AGREED PURPOSES 

7.1 The Parties agree to only Process PKB Data under this Agreement for:

...

each of the above, an “Agreed Purpose”. 

PART 2 – APPLICABLE WHERE A JOINT CONTROLLER RELATIONSHIP EXISTS

8. LAWFUL BASES FOR PROCESSING AND CLASSIFICATION OF PARTIES 

8.1 The lawful bases for each Party’s Processing of Personal Data and the classification of the Parties for the purposes of Data Protection Law under this Agreement is set out in Schedule 2. 

9. PROVIDER’S RESPONSIBILITY FOR PATIENT-FACING COMMUNICATIONS

9.1 Generally 

9.1.1 Except where expressly stated in this Agreement or agreed by the Parties in writing, Providers shall be responsible for all communications with Data Subjects in relation to Personal Data covered by this Part 2, prior to the creation of the Patient Account:

...

(d) Providers shall keep PKB reasonably informed as to the status and resolution of the Data Subject Request.

10. DATA MINIMISATION (INCLUDING OPT-OUT) AND PSEUDONYMISATION 

10.1 Taking into account the cost of implementation and the nature, scope, context and purposes of Processing, as well as the risks of varying likelihood and severity for the rights and freedoms of Data Subjects, each Party shall implement appropriate technical and organisational measures, including pseudonymisation, to ensure that the use of Personal Data in relation to the processing is minimised.

10.2 Each Party shall periodically review data minimisation measures implemented in accordance with this clause 8, and may agree with the other Party further steps to be taken to ensure the minimisation of Personal Data as may be required by Data Protection Law, and in any case no less than every three years.

11. GENERAL OBLIGATIONS OF THE PARTIES 

11.1 Each Party shall implement appropriate technical and organisational measures to protect Personal Data against unauthorised or accidental access, loss, alteration, disclosure, destruction or other unauthorised or unlawful forms of Processing (such measures may include, where appropriate,

...

11.11 The Parties shall keep this Agreement under review and either Party may request a change to this Agreement as may be reasonably required to comply with Data Protection Law. Upon receipt of such a request from a Party, the Parties shall discuss and consider such request in good faith and do all things reasonably necessary to comply with Data Protection Law, including varying this Agreement or entering into any subsequent agreements.

12. JOINT CONTROLLERS 

12.1 Each Party acknowledges and agrees that there is a common objective in respect of the Processing and that the Parties are Joint Controllers for the purpose of Data Protection Law in respect of such Processing.

...

Compliance obligation: Publicise a contact point for Data Subjects to facilitate the exercise of their rights in relation to the Processing under this Agreement.
Responsible Party: Providers

Compliance obligation: Upon request, make available to Data Subjects a summary of the arrangement between the Parties under this Agreement, such summary to be in a form agreed by the Parties.
Responsible Party: Providers and PKB

Compliance obligation: Maintaining transparency material online to meet A13 and A14 requirements.
Responsible Party: Providers and PKB

13. USE OF PROCESSORS 

13.1 Where PKB uses a Processor to Process Personal Data covered by this Part 2, PKB shall:

...

13.4 where the Providers have provided their prior written approval to the international transfer of Personal Data covered by this Part 2, conduct such international transfer in accordance with Data Protection Law.

14. COMBINATION WITH OTHER DATA 

14.1 Providers acknowledge and agree that PKB may combine Providers Data with external sources of health data (including other Trusts, patient inputted data and third-party application data) with the objective of increasing the quality and breadth of the Personal Data covered by this Part 2. 

15. DATA RETENTION AND DELETION 

15.1 The Parties shall not retain or Process Personal Data covered by this Part 2 under this Agreement for longer than is necessary to carry out the Agreed Purposes. 

PART 3 – APPLICABLE WHERE PKB IS A PROCESSOR  

15. PKB AS A PROCESSOR

16. The Parties acknowledge that, for the purposes of the Data Protection Legislation, the Providers are the Controller and PKB is the Processor. The only processing that the Processor is authorised to do is set out in Schedule 1, which is attached to and forms part of this agreement, by the Controller and may not be determined by the Processor.

...

16.24 The Processor will ensure adequate business continuity services and disaster recovery services are in place and regularly tested. Evidence of this testing will be required as part of the Controller's due diligence.

PART 4 – APPLICABLE TO ALL 

17. RECORDS 

17.1 Each Party shall maintain such records as required by Data Protection Law in respect of its Processing of PKB Data and as may be reasonably necessary to demonstrate its compliance with this Agreement.

18. REVIEW OF THIS AGREEMENT 

18.1 The effectiveness of this Agreement shall be reviewed from time to time at such intervals as may be agreed by the Governance Committee, having consideration to the Permitted Purposes and whether any amendments may be necessary to this Agreement. This review will involve assessing whether:

...

18.1.2 Personal Data Breaches have been handled in accordance with this Agreement where PKB Data is involved. 

19. WARRANTIES  

19.1 Each Party represents and warrants to the other Party that: 

...

19.2 the use of PKB Data as permitted by this Agreement does not infringe the rights of any third party.

20. LIMITATION AND EXCLUSION OF LIABILITY  

20.1 Each Party’s liability arising out of or in connection with this Agreement, whether in contract, tort (including negligence) or otherwise, shall be limited to costs incurred by the other parties as a direct result of the negligence of the Party, including failure to comply with this Agreement.

...

20.3 Any liability arising from processing activity undertaken under this Arrangement shall be determined by the roles and responsibilities of each Party in line with Article 82 of GDPR.  

21. TERMINATION 

21.1 Without affecting any other right or remedy available to it, either Party may terminate this Agreement with immediate effect by giving written notice to the other Party:

...

21.3 Each Party’s rights to terminate this Agreement set out in this clause 20 shall not affect any other right or remedy available to it including those arising under this Agreement prior to termination. 

22. CONSEQUENCES OF TERMINATION 

Upon termination or expiry of this Agreement: 

...

Termination or expiry of this Agreement shall not affect any rights, remedies, obligations or liabilities of the Parties that have accrued up to the date of termination or expiry, including the right to claim damages in respect of any breach of this Agreement which existed at or before the date of termination or expiry. 

23. FORCE MAJEURE 

23.1 Non-performance or delay of either Party will be excused to the extent that it is caused by any circumstance beyond the Party’s reasonable control, including strike, fire, natural disaster, governmental acts, orders or restrictions, or failure of suppliers or subcontractors. In such circumstances, the affected Party shall be entitled to a reasonable extension of time for performance. If the period of non-performance or delay continues for ninety (90) days, the Party not affected may terminate this Agreement immediately on written notice to the affected Party.

24. ASSIGNMENT AND OTHER DEALINGS  

24.1 Neither Party may assign or otherwise transfer any of its rights or obligations under this Agreement without the prior written approval of the other Party, except as expressly permitted by clause 23.2.

...

24.3 This Agreement will be binding upon and inure to the benefit of the Parties hereto and their permitted successors and assigns. 

25. VARIATION  

25.1 No variation of this Agreement shall be effective unless it is in writing and signed by the Parties.

26. NOTICES  

26.1 All notices required or permitted under this Agreement and all requests for approvals, consents and waivers must be delivered by a method providing for proof of delivery. Any notice or request will be deemed to have been given on the date of delivery. Notices and requests must be delivered to the Parties at the addresses on the first page of this Agreement until a different address has been designated by notice to the other Party. 

27. SEVERANCE  

27.1 If any provision of this Agreement is found to be unenforceable, such provision will be deemed to be deleted or narrowly construed to such extent as is necessary to make it enforceable and this Agreement will otherwise remain in full force and effect.

28. RELATIONSHIP OF THE PARTIES 

28.1 The Parties are and will be independent contractors and neither Party has any right, power, or authority to act or create any obligation on behalf of the other Party. 

29. RIGHTS AND REMEDIES  

29.1 The rights and remedies provided under this Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.

30. WAIVER  

30.1 No term or provision of this Agreement will be deemed waived and no breach will be deemed excused unless such waiver is in writing and signed by the Party claimed to have waived. 

31. COUNTERPARTS  

31.1 This Agreement may be executed in counterparts (which may be exchanged by facsimile or .pdf copies), each of which will be deemed an original, but all of which together will constitute the same Agreement.

32. THIRD-PARTY RIGHTS  

32.1 This Agreement does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement.

33. FURTHER ASSURANCE  

33.1 Each Party shall use reasonable endeavours to procure that any necessary third party shall promptly execute and deliver such documents and perform such acts as may reasonably be required for the purpose of giving full effect to this Agreement.

34. COSTS  

34.1 Each Party shall pay its own costs incurred in connection with the negotiation, preparation, and execution of this Agreement. 

35. ENTIRE AGREEMENT  

35.1 This Agreement constitutes the entire agreement between the Parties and supersedes and extinguishes all previous drafts, agreements, arrangements, and understandings between them, whether written or oral, relating to its subject matter.

35.2 Each Party acknowledges that in entering into this Agreement it does not rely upon, and shall have no remedies in respect of, any representation or warranty (whether made innocently or negligently) that is not set out in this Agreement. No Party shall have any claim for innocent or negligent misrepresentation based on any statement in this Agreement. 

36. GOVERNING LAW AND DISPUTE RESOLUTION 

36.1 Governing law 

36.1.1 This Agreement and all matters arising out of or in connection with it, including any Dispute and any dispute resolution procedure provided for in this Agreement, shall be governed by, and construed in accordance with, the law of England and Wales. 

...

36.2.1 The Parties shall resolve any Disputes in accordance with the Commissioning Contract terms.

SCHEDULE 1

37. DATA PROCESSING PARTICULARS / PERSONAL DATA TO BE PROCESSED 

37.1 This Schedule describes the types of PKB Data that may be Processed under this Agreement. The Parties may agree to amend the descriptions in this clause at any time with the approval of the Parties.

...

37.4 The inclusion of personal data of any natural person under the age of 16 should be considered on a case-by-case basis.

SCHEDULE 2

38. PROCESSING OPERATIONS 

2A PROCESSING OPERATION A 

Processing Operation: Maintaining Patient Account 

Performed by: PKB 

Classification of Parties: PKB – Sole Controller 

Lawful Bases for Processing: Article 6(1)(f) and Article 9(2)(h)

Specific Responsibilities for Parties: N/A as no Joint processing 

Compliance with Principles 

Principle 1 – Processing is lawful, fair and Transparent: 

Individuals are invited to create an account by their healthcare provider (who has commissioned PKB), where they are able to provide their own personal data. Where this is the case, PKB acts as Sole Controller and as such provides the individual with transparency information when registering.

Principle 2 – Collected for specific, explicit and legitimate purposes: 

Personal data processed by PKB within the patient account is only used for the purposes of providing that service to the individual to help the individual manage their health and care. It is not used for further purposes.  

Principle 3 – Adequate relevant and not excessive: 

This processing will only involve personal data provided by the patient themselves, and as such will be limited to the personal data provided by the patient. 

Principle 4 – Accurate and up to date: 

Given the personal data provided by the patient, PKB will have no determination as to the accuracy of that data. However, this will be marked within the PKB system as patient-inputted data, so it will be clear to those accessing the Patient Record (in the case it is transferred to the Patient Record). 

Principle 5 – Kept for no longer than is necessary: 

The Patient Account will be kept for up to 8 years after the last access date by Providers.

Principle 6 – Processed securely 

PKB implements strong technical and organisational controls to maintain the integrity and confidentiality of this processing, including annual penetration testing, adherence to the Data Security and Protection Toolkit and a role-based training programme for all employees.

2B PROCESSING OPERATION B 

Processing Operation: Maintaining Patient-Inputted Data as part of the Patient Account where accessed by the Provider

Performed by: PKB and Providers 

Classification of Parties: PKB and the Providers act as Joint Controllers 

Lawful Bases for Processing:  

Providers – Article 6(1)(e) and Article 9(2)(h) 

PKB - Article 6(1)(e) and Article 9(2)(h)/(g) 

Specific Responsibilities for Parties

PKB provide the platform  

...

The Providers are responsible for only providing access to those in their own organisation who require it.

Principle 1 – Processing is lawful, fair and Transparent:

Processing of the patient-inputted data is considered necessary in order to support the care of the individual and allows the individual to have more choice and engagement with regard to their health and care information.  

Principle 2 – Collected for specific, explicit and legitimate purposes: 

Personal data processed which is provided directly by the patient is processed in line with the original purpose of collection. 

Principle 3 – Adequate relevant and not excessive: 

Patients will be responsible for the information provided by themselves and they are able to decide what is shared with the healthcare providers.

Principle 4 – Accurate and up to date: 

The accuracy of the information provided directly by patients is the responsibility of those patients who choose to do so, but all self-uploaded records are notified to clinicians as such, to enable clinicians to make decisions in the knowledge that these are self-uploaded data items.

Principle 5 – Kept for no longer than is necessary: 

The Patient-Inputted data will be kept for up to 8 years after the contract with Providers ends to maintain the integrity of the health record. 

Principle 6 – Processed securely 

PKB implements strong technical and organisational controls to maintain the integrity and confidentiality of this processing, including annual penetration testing, adherence to the Data Security and Protection Toolkit and a role-based training programme for all employees.

2C PROCESSING OPERATION C 

Processing Operation: Service Evaluation and Improvement 

Performed by: PKB  

Classification of Parties: PKB as Independent Controller 

Lawful Bases for Processing:  

PKB - Article 6(1)(f)  

Specific Responsibilities for Parties

PKB will undertake service evaluation and improvement to improve the user experience for both clinicians and patients. 

Principle 1 – Processing is lawful, fair and Transparent: 

Processing for these purposes is detailed within the transparency information to inform individuals of the processing. No special category data will be used for these purposes, and any personal data will be pseudonymised and aggregated where necessary for this purpose. 

Principle 2 – Collected for specific, explicit and legitimate purposes: 

The purpose of service evaluation and improvement is considered a compatible purpose of processing against the original purpose of collection in order to support the original purpose Personal Data was collected. 

Principle 3 – Adequate relevant and not excessive: 

All Personal Data will undergo pseudonymisation and aggregation where necessary to ensure that only the minimum necessary personal data is used for this purpose. 

Principle 4 – Accurate and up to date: 

All Personal Data will be utilised directly from the PKB Account and Record to ensure it is accurate and up to date. 

Principle 5 – Kept for no longer than is necessary: 

Any Personal Data used for this purpose will be destroyed in line with standard PKB retention schedules. No Personal Data will be retained for longer for this specific purpose.

Principle 6 – Processed securely

PKB implements strong technical and organisational controls to maintain the integrity and confidentiality of this processing, including annual penetration testing, adherence to the Data Security and Protection Toolkit and a role-based training programme for all employees.

2D PROCESSING OPERATION D 

Processing Operation: Maintaining Patient Records (where data originates from Provider)

Performed by: PKB and Providers

Classification of Parties: Provider as Controller, PKB as Processor 

Lawful Bases for Processing:  

Providers - Article 6(1)(e) / Article 9(2)(h) 

Specific Responsibilities for Parties

PKB will only act under the following instructions of the Provider for this processing operation:

...

Plan for return and destruction of the data once the Processing is complete (unless there is a requirement under Union or Member State law to preserve that type of data): At the end of the Agreement, all personal data will be destroyed or returned to the Controller, at the choice of the Controller.

Transfers of data outside the UK: There will be no transfers of personal data outside the UK.

SCHEDULE 3

39. SECURITY CONTROLS 

SECURITY RESPONSIBILITIES 

...

39.7 PKB shall ensure that all transfers of the Data undertaken by it or on its behalf will be in accordance with Secure File Transfer Protocols within the Health and Social Care Network (HSCN) and/or in accordance with the NHS Digital Good Practice Guidelines (which are, as of the date of this Contract, published at https://digital.nhs.uk/data-security-information-governance).

40. SECURITY MANAGEMENT 

40.1 PKB shall plan, determine, create, implement, manage, review and maintain security control over the technology and physical storage infrastructure, and respond appropriately to security events. This includes the implementation of secure technical infrastructures, technologies and physical controls (including firewalls, encryption, authentication services and swipe access) appropriate to the UK public health sector.

...

40.4 PKB shall create, acquire, provide, install, implement, manage and maintain any such improvements reasonably requested by the Providers that reflect Good Industry Practice. 

41. SECURITY ADMINISTRATION 

41.1 PKB shall track, coordinate, implement, manage and maintain all security changes across the Services.

41.2 PKB shall limit the risk of unauthorised access to the Services Environment including content filtering to prevent objectionable material, virus protection, password controls and physical security. PKB shall have regard to the confidentiality and sensitivity contained within the Services Environment and shall ensure that measures applicable to the UK health and social care sector are in place to prevent unauthorised access.

42. SECURITY AUDIT 

42.1 PKB shall provide to the Providers any information that the Providers reasonably require for the purpose of allowing the Providers to have assurance of PKB’s compliance with the provisions of this Clause 4, within a reasonable time from the Providers’ request. PKB shall provide this information in such format as the Providers may reasonably require.

43. NON-COMPLIANCE REPORTING 

43.1 PKB shall monitor, on an ongoing basis, computer and network security configurations. 

43.2 PKB shall create and issue reports to the Providers on incidents of non-compliance with the Security Policy according to their severity within a reasonable time after such incidents occur.

44. SYSTEM ACCESS CONTROL 

44.1 PKB shall administer the provision of access to the Services Environment (by both the Provider’s Personnel and PKB's Personnel), Data and any other applicable data in accordance with Good Industry Practice.

...

44.3 PKB shall restrict user access to information and data held on external networks.

45. CRYPTOGRAPHY MANAGEMENT  

45.1 PKB shall ensure that Data is encrypted as appropriate in accordance with Good Industry Practice and the most current version of the Data Security and Protection Toolkit and ISO 27002 - Code of Practice for Information Security Management (with the principles of the Data Security and Protection Toolkit prevailing in case of any conflict).

45.2 PKB shall manage all processes and procedures pertaining to the administration of the encryption keys, including secure key storage, periodic changing of keys, destruction of old keys, and registration of keys with the appropriate authorities. 

46. ASSET PROTECTION 

46.1 PKB shall acquire, create, provide, manage and maintain mechanisms to prevent or mitigate the destruction, loss, alteration, disclosure or misuse of equipment used within the Services Environment, Data and Providers assets, having regard to Good Industry Practice. This includes annual penetration testing and the satisfactory completion of remedial actions identified following that testing.

...

46.7 Implement National Cyber Security Centre (NCSC) guidelines (e.g. cyber essentials) as agreed with the Controller so that assets are protected.  

47. SECURITY AWARENESS 

PKB shall ensure that all its Personnel working on the Providers account are screened and security checked to an appropriate standard, trained in the Security Policy and any other requirements of this Contract, undertake annual training and are deemed competent to undertake processing activities and are individually accountable for their actions. All PKB Personnel shall, as at the commencement of the Services, be deemed to be appropriately screened and trained to a level befitting the UK health and care sector.

48. DOCUMENTATION AND RECORD PRESERVATION 

48.1 PKB shall protect all Data held by its employees, agents or Processors in a physical form by adopting a “clear desk” policy in respect of such Data and disposing of such information securely by treating it as confidential waste. 

...

48.3 PKB will classify the security of documentation and information to limit distribution and to ensure adequate controls are in place to protect more sensitive content.

SCHEDULE 4

49. SIGNATORIES  

Party A  

Patients Know Best Ltd 

PATIENTS KNOW BEST LIMITED, a company limited by shares and registered in the United Kingdom with company registration number 06517382, whose registered office is at St John's Innovation Centre, Cowley Road, Cambridge CB4 0WS

...

____________________________ 

Party B  

NAME OF LEAD CONTROLLER 

NAME OF LEAD CONTROLLER, whose registered office is at Registered Office

Executed by:

...