...
Part 2 – Joint Controller Arrangement specific clauses (patient-contributed data only)
Part 3 – Data Processing Contract-specific clauses
...
24.2 A Party may, upon written notice to the other Party and subject to the prior written approval of the other Party (such approval not to be unreasonably withheld or delayed), assign or otherwise transfer this Agreement to any of its affiliates or in connection with a change of control transaction (whether by merger, consolidation, sale of equity interests, sale of all or substantially all assets, or otherwise). For clarity, where such assignment or transfer would give rise to a breach of obligations in relation to Data Protection Law or other Applicable Law or may already affect any research ethics approvals or would not be expected in accordance with the common law duty of confidentiality, such grounds shall amongst other matters be considered reasonable for refusing approval to such assignment or transfer. Any assignment or other transfer in violation of this clause will be void.
...
2A PROCESSING OPERATION A
Processing Operation: Maintaining Patient Account
Performed by: PKB
Classification of Parties: PKB – Sole Controller
Lawful Bases for Processing: Article 6(1)(f) and Article 9(2)(h)
Specific Responsibilities for Parties: N/A as no Joint processing
Compliance with Principles
Principle 1 – Processing is lawful, fair and Transparent:
Individuals are invited to create an account by their healthcare provider (who has commissioned PKB) where they are able to provide their own personal data. Where this is the case, PKB acts as Sole Controller and as such provides the individual with transparency information when registering.
Principle 2 – Collected for specific, explicit and legitimate purposes:
Personal data processed by PKB within the patient account is only used for the purposes of providing that service to the individual to help the individual manage their health and care. It is not used for further purposes.
Principle 3 – Adequate relevant and not excessive:
This processing will only involve personal data provided by the patient themselves, and as such will be limited to the personal data provided by the patient.
Principle 4 – Accurate and up to date:
Given that the personal data is provided by the patient, PKB will have no determination as to the accuracy of that data. However, this will be marked within the PKB system as patient-inputted data, so it will be clear to those accessing the Patient Record (in the case it is transferred to the Patient Record).
Principle 5 – Kept for no longer than is necessary:
The Patient Account will be kept for up to 8 years after the last access date by Providers.
Principle 6 – Processed securely
PKB implements strong technical and organisational controls to maintain the integrity and confidentiality of this processing, including annual penetration testing, adherence to the Data Security and Protection Toolkit and a role-based training programme for all employees.
2B PROCESSING OPERATION B
Processing Operation: Maintaining Patient-Inputted Data as part of the Patient Account where accessed by the Provider
Performed by: PKB and Providers
Classification of Parties: PKB and the Providers act as Joint Controllers
Lawful Bases for Processing:
Providers – Article 6(1)(e) and Article 9(2)(h)
PKB - Article 6(1)(e) and Article 9(2)(h)/(g)
Specific Responsibilities for Parties:
PKB provide the platform
...
The Providers are responsible for only providing access to those in their own organisation who require it
Principle 1 – Processing is lawful, fair and Transparent:
Processing of the patient-inputted data is considered necessary in order to support the care of the individual and allows the individual to have more choice and engagement with regard to their health and care information.
Principle 2 – Collected for specific, explicit and legitimate purposes:
Personal data processed which is provided directly by the patient is processed in line with the original purpose of collection.
Principle 3 – Adequate relevant and not excessive:
Patients will be responsible for the information provided by themselves and they are able to decide what is shared with the healthcare providers.
Principle 4 – Accurate and up to date:
The accuracy of the information provided directly by patients is the responsibility of those patients who choose to do so, but all self-uploaded records are notified to clinicians as such to enable clinicians to make decisions based on the knowledge these are self-uploaded data items.
Principle 5 – Kept for no longer than is necessary:
The Patient-Inputted data will be kept for up to 8 years after the contract with Providers ends to maintain the integrity of the health record.
Principle 6 – Processed securely
PKB implements strong technical and organisational controls to maintain the integrity and confidentiality of this processing, including annual penetration testing, adherence to the Data Security and Protection Toolkit and a role-based training programme for all employees.
2C PROCESSING OPERATION C
Processing Operation: Service Evaluation and Improvement
Performed by: PKB
Classification of Parties: PKB as Independent Controller
Lawful Bases for Processing:
PKB - Article 6(1)(f)
Specific Responsibilities for Parties:
PKB will undertake service evaluation and improvement to improve the user experience for both clinicians and patients.
Principle 1 – Processing is lawful, fair and Transparent:
Processing for these purposes is detailed within the transparency information to inform individuals of the processing. No special category data will be used for these purposes, and any personal data will be pseudonymised and aggregated where necessary for this purpose.
Principle 2 – Collected for specific, explicit and legitimate purposes:
The purpose of service evaluation and improvement is considered a compatible purpose of processing against the original purpose of collection in order to support the original purpose for which Personal Data was collected.
Principle 3 – Adequate relevant and not excessive:
All Personal Data will undergo pseudonymisation and aggregation where necessary to ensure that only the minimum necessary personal data is used for this purpose.
Principle 4 – Accurate and up to date:
All Personal Data will be utilised directly from the PKB Account and Record to ensure it is accurate and up to date.
Principle 5 – Kept for no longer than is necessary:
Any Personal Data used for this purpose will be destroyed in line with standard PKB retention schedules. No Personal Data will be retained for longer for this specific purpose.
Principle 6 – Processed securely
PKB implements strong technical and organisational controls to maintain the integrity and confidentiality of this processing, including annual penetration testing, adherence to the Data Security and Protection Toolkit and a role-based training programme for all employees.
2D PROCESSING OPERATION D
Processing Operation: Maintaining Patient Records (where data originates from Provider)
Performed by: PKB and Providers
Classification of Parties: Provider as Controller, PKB as Processor
Lawful Bases for Processing:
Providers - Article 6(1)(e) / Article 9(2)(h)
Specific Responsibilities for Parties:
PKB will only act under the following instruction of the Provider for this processing operation
...
49. SIGNATORIES
Party A
Patients Know Best Ltd
PATIENTS KNOW BEST LIMITED, a company limited by shares and registered in the United Kingdom with company registration number 06517382, whose registered office is at St John's Innovation Centre, Cowley Road, Cambridge CB4 0WS
...
____________________________
Party B
NAME OF LEAD CONTROLLER
NAME OF LEAD CONTROLLER, whose registered office is at Registered Office
Executed by:
...