...
This Agreement is dated .
1. PARTIES
A. Patients Know Best (“PKB”); and
B. The Providers (listed in Schedule 4) (“Providers”), each a “Party” and together the “Parties”.
2. BACKGROUND
A. The Lead Controller has contracted with PKB under the Commissioning Contract to provide patients with access to and some control of their health data. The PKB platform facilitates patient access to their health data contributed by the Providers and allows the patient to add information which may be viewed by their health and care providers and other people of their choosing. The Providers are all organisations with a legal duty (as part of the NHS) to provide care free at the point of delivery to individuals, a duty that PKB supports.
B. Data received by PKB from the Providers is here referred to as the Patient Record.
C. Providers are Independent Controllers and PKB are Processors of the Patient Record.
D. Where a Patient has activated access to their health data, any personal data entered by them is referred to as the Patient Account.
E. PKB is the Controller for data within the Patient Account.
F. Where personal data within the Patient Account is accessed by a Provider, PKB and the accessing Provider are Joint Controllers.
G. The Parties consider it is necessary to use certain Personal Data between them to give effect to the objectives of the Processing and this Joint Controller Arrangement and Data Processing Contract (“Agreement”) sets out the framework for such use, including the principles and procedures that the Parties shall adhere to and the responsibilities the Parties owe to each other.
H. Where PKB are Processors for the Providers, Parts 1, 3 and 4 and the Schedules shall apply.
I. Where PKB are Joint Controllers with the Providers, Parts 1, 2 and 4 and the Schedules shall apply.
3. DEFINITIONS AND INTERPRETATION
3.1 Unless specifically provided for in this Agreement, the following terms shall have the following meanings:
Term | Meaning
--- | ---
“Agreed Purposes” | has the meaning given in clause 7;
“Commencement Date” | has the meaning given in clause 5.1;
“Controller”, “Joint Controllers”, “Personal Data”, “Personal Data Breach”, “Processing” (including “Process” and “Processed”), and “Special Categories of Personal Data” | have the meaning given in the DPA 2018;
“Commissioning Contract” | means the commercial arrangement between the Parties;
“Data Opt-Out” | means the opt-out mechanism operated by the NHS that allows NHS patients to opt out of the use of their data for research or planning purposes;
“Data Protection Law” | means, for the periods in which they are in force in the United Kingdom, the DPA 2018, the GDPR, the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and all applicable laws and regulations relating to Processing of Personal Data and privacy;
“Data Subject” or “Patient” | means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person in any PKB Data;
“Data Subject Request” | means a request from a Data Subject under Data Protection Law in respect of PKB Data;
“DPA 2018” | means the Data Protection Act 2018;
“GDPR” | means the General Data Protection Regulation (Regulation (EU) 2016/679) and the UK General Data Protection Regulation;
“Governance Committee” | means the Governance Committee (GC), comprising nominated representatives of all Provider signatories in Schedule 4 (typically the Data Protection Officer of each) and representatives of PKB, together the controllers. The GC is responsible for ensuring that the contractual terms are met in respect of data protection laws, for monitoring and reporting on compliance, for collaboration where desirable, and for identifying and recommending changes to processing activities to the Lead Controller;
“Lead Controller” | means the party contracting with PKB either solely or on behalf of the Providers and named in the Commissioning Contract;
“PKB Data” | means all Personal Data held on the PKB platform, both Patient Record and Patient Account;
“Responsible Controller” | has the meaning given in clause 11.7;
“Services”, “Platform”, “Solution” | means the PKB software and architecture, infrastructure and operations;
“Third Party Communication” | has the meaning given in clause 11.5;
“UK GDPR” | means the GDPR as implemented into UK law by the DPA 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419).
3.2 The following rules of interpretation apply to this Agreement:
3.2.1 clause, schedule and paragraph headings shall not affect the interpretation of this Agreement;
3.2.2 a person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality);
3.2.3 the Schedules form part of this Agreement and shall have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Schedules;
3.2.4 unless the context otherwise requires, words in the singular shall include the plural and, in the plural, shall include the singular;
3.2.5 a reference to a statute, statutory provision or other legal instrument is a reference to it as amended, extended, or re-enacted from time to time; and
3.2.6 any words following the terms including, include, in particular, for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.
3.3 In the event and to the extent of a conflict between:
3.3.1 the main body of this Agreement and the Schedules, except as expressly stated otherwise, the main body of this Agreement shall prevail to the extent of such conflict.
4. SCOPE AND APPLICATION
4.1 This Agreement applies to the processing of Personal Data on the PKB Platform. Any reference in this Agreement to PKB Data shall be interpreted as a reference to any Personal Data held on the PKB Platform.
4.2 For the purpose of Data Protection Laws, this Arrangement shall prevail in the event of a conflict with the Commissioning Contract and any other agreement between the Parties and PKB.
4.3 For the avoidance of doubt, PKB will comply with all necessary data protection obligations while acting as sole controller.
4.4 Where PKB Data under this Agreement is accessed by another Provider organisation, that organisation shall be considered a Third Party under Article 4 of UK GDPR.
5. COMMENCEMENT AND DURATION
5.1 This Agreement shall commence on the date set out at the top of it (the “Commencement Date”) and shall continue in accordance with its terms.
6. PATIENT AND REGULATORY ENGAGEMENT
6.1 Prior to the commencement of Processing, in respect of the activities contemplated by this Agreement, the Parties shall cooperate with each other to:
6.1.1 conduct patient engagement activities to assist the Parties in considering the views of patients;
6.1.2 develop supporting materials for the provision of information to patients regarding the Processing of PKB Data; and
6.1.3 for a period of not less than eight weeks, promote by all reasonably available and effective communication channels with patients and the public the proposed processing activity, purpose, risks and expected benefits using a layered approach, and notify and explain the right and process for opting out.
6.2 Following the commencement of processing activity, the Providers will continue to promote the proposed processing activity in accordance with their duty of transparency.
7. AGREED PURPOSES
7.1 The Parties agree to only Process PKB Data under this Agreement for:
7.1.1 The provision of health and social treatment and care
7.1.2 Provide a platform for patients to access and add to their PKB health record
7.1.3 Allow patients to determine which organisations can view their profile
7.1.4 Maintaining a patient-level record for the statutory period
7.1.5 The maintenance by PKB of the PKB platform and data held on it
7.1.6 [Add here other purpose agreed by the parties]
each of the above, an “Agreed Purpose”.
PART 2 - APPLICABLE WHERE A JOINT CONTROLLER RELATIONSHIP EXISTS
8. LAWFUL BASES FOR PROCESSING AND CLASSIFICATION OF PARTIES
8.1 The lawful bases for each Party’s Processing of Personal Data and the classification of the Parties for the purposes of Data Protection Law under this Agreement is set out in Schedule 2.
9. PROVIDER’S RESPONSIBILITY FOR PATIENT-FACING COMMUNICATIONS.
9.1 Generally
9.1.1 Except where expressly stated in this Agreement or agreed by the Parties in writing, Providers shall be responsible for all communications with Data Subjects in relation to Personal Data covered by this Part 2, prior to the creation of the Patient Account:
9.1.1.1 the provision of information to Data Subjects in accordance with Articles 13 and 14 of the GDPR;
9.1.1.2 responding to Data Subject Requests as set out in clause 9.2;
9.1.1.3 notifying Data Subjects of a Personal Data Breach where such notification is required by Data Protection Law.
9.1.2 Notwithstanding the above, each of the Parties acknowledges that a Data Subject may exercise its rights under Data Protection Law against any of the Parties in relation to Personal Data covered by this Part 2 under this Agreement, and nothing in this Agreement shall prevent any Party from complying with its obligations under Data Protection Law.
9.2 Data Subject Access Requests.
If either Party receives a Data Subject Access Request related to Personal Data covered by this Part 2:
it shall notify the other within five (5) Business Days of receiving the Data Subject Access Request;
each Provider shall be responsible for responding to any Data Subject Access Request received by it;
PKB shall provide Providers with reasonable assistance in responding to the Data Subject Access Request including, taking into account the nature of the Processing, assisting Providers by appropriate technical and organisational measures, insofar as this is possible to respond to requests from Data Subjects exercising their rights under Data Protection Law; and
Providers shall keep PKB reasonably informed as to the status and resolution of the Data Subject Access Request.
10. DATA MINIMISATION (INCLUDING OPT-OUT) AND PSEUDONYMISATION
Taking into account the cost of implementation and the nature, scope, context and purposes of Processing, as well as the risks of varying likelihood and severity for the rights and freedoms of Data Subjects, each Party shall implement appropriate technical and organisational measures, including pseudonymisation, to ensure that the use of Personal Data in relation to the Processing is minimised.
Each Party shall periodically review data minimisation measures implemented in accordance with this clause 10, and may agree with the other Party further steps to be taken to ensure the minimisation of Personal Data as may be required by Data Protection Law and in any case no less than every three years.
11. GENERAL OBLIGATIONS OF THE PARTIES
Each Party shall implement appropriate technical and organisational measures to protect Personal Data against unauthorised or accidental access, loss, alteration, disclosure, destruction or other unauthorised or unlawful forms of Processing (such measures may include, where appropriate, the pseudonymisation and encryption of Personal Data covered by this Part 2 and other measures referred to in Article 32(1) of the GDPR).
Each Party shall ensure that its personnel who have access to Personal Data covered by this Part 2 for the performance of this Agreement are under an obligation of confidentiality and ensure that such access is limited to those individuals who need to know and access PKB Data.
Upon becoming aware of a Personal Data Breach relating to Processing in respect of which the Parties are Joint Controllers, each Party shall:
notify the other Party in writing without undue delay, and in any event within forty-eight (48) hours, (such notification to include the provision of information as is required under Data Protection Law in respect of the Personal Data Breach);
promptly take reasonable steps to investigate, mitigate and remediate the Personal Data Breach; and
provide reasonable assistance to the other Party, in relation to the other Party’s efforts to investigate, mitigate and remediate the Personal Data Breach.
PKB shall not transfer Personal Data covered by this Part 2 from the United Kingdom to another jurisdiction without the prior written approval of the Providers and without putting in place appropriate safeguards where required for compliance with Data Protection Law.
Each Party shall notify the other Parties in writing within five (5) Business Days if it receives a “Third Party Communication”, including but not limited to:
any communication from the ICO or any other regulatory authority in connection with Personal Data covered by this Part 2; or
a request from any third party for disclosure of Personal Data covered by this Part 2 where compliance with such request is required or purported to be required by Applicable Law.
Each Party shall provide the other Party with reasonable assistance in responding to any Third Party Communication and shall work with the other Party to determine the most appropriate Controller to respond to any Third Party Communication (the “Responsible Controller”), provided that nothing in this Agreement shall prevent a Party from responding to a Third Party Communication to the extent required by Applicable Law.
The Responsible Controller shall keep the other Party informed as to the status of the resolution of any Third-Party Communication, and the Parties shall provide all such assistance to one another as may be reasonably requested in respect of the same.
Each Party shall provide reasonable assistance to the other Party in ensuring compliance with its obligations under Data Protection Law taking into account the nature of the Processing for the purposes of this Agreement and the information available to it, including in respect of each Party’s obligations as set out in this Agreement relating to:
security of Processing;
notification of a Personal Data Breach to the ICO;
communication of a Personal Data Breach to the affected Data Subjects; and
Data Protection Impact Assessments and any subsequent consultations with the ICO.
Each Party shall provide the other Party with such information as the other Party may reasonably request to demonstrate compliance with this Agreement, and if the requesting Party (acting reasonably) considers that such information does not demonstrate the other Party’s compliance with this Agreement, to allow for audits, including inspections, by the requesting Party or an auditor mandated by the requesting Party to verify the other Party’s compliance with this Agreement subject to:
such audit or inspection being conducted during the other Party’s usual business hours and on reasonable advance notice; and
the Party conducting the audit and any third-party auditor:
using reasonable endeavours to minimise any disruption on the other Party’s business; and
complying with any reasonable requirements imposed by the other Party to protect the safety, integrity and security of its premises and systems, and the confidentiality of the other Party’s or third-party confidential information.
Each Party shall bear its own costs of any audit or inspection under clause 11.9, unless the audit or inspection was conducted by an independent third party and such third party determines the audited Party has materially breached its obligations under this Agreement in which case the audited Party shall reimburse the auditing Party in respect of its reasonable and properly incurred costs of engaging such third party to conduct such audit or inspection.
The Parties shall keep this Agreement under review and either Party may request a change to this Agreement as may be reasonably required to comply with Data Protection Law. Upon receipt of such a request from a Party, the Parties shall discuss and consider such request in good faith and do all things reasonably necessary to comply with Data Protection Law, including varying this Agreement or entering into any subsequent agreements.
12. JOINT CONTROLLERS
Each Party acknowledges and agrees that there is a common objective in respect of the Processing and that the Parties are Joint Controllers for the purposes of Data Protection Law in respect of such Processing.
Each of the Parties shall perform the obligations allocated to it in the table below, following the allocation of responsibilities in accordance with Article 26 of the GDPR:
Compliance obligation | Responsible Party
--- | ---
Publicise a contact point for Data Subjects to facilitate the exercise of their rights in relation to the Processing under this Agreement. | Providers
Upon request, make available to Data Subjects a summary of the arrangement between the Parties under this Agreement, such summary to be in a form agreed by the Parties. | Providers and PKB
Maintaining transparency material online to meet Article 13 and Article 14 requirements. | Providers and PKB
13. USE OF PROCESSORS
Where PKB uses a Processor to Process Personal Data covered by this Part 2, PKB shall:
provide Providers with such information regarding such processors as Providers may reasonably request. For clarity, PKB shall not be required to provide Providers with details of any commercial terms between PKB and any Processor;
ensure that such Processing is subject to an agreement as required by Article 28(3) of the GDPR; and
where Providers have provided their prior written approval to the international transfer of Personal Data covered by this Part 2 conduct such international transfer in accordance with Data Protection Law.
14. COMBINATION WITH OTHER DATA
Providers acknowledge and agree that PKB may combine the Providers’ data with external sources of health data (including data from other Trusts, patient-inputted data and third-party application data) with the objective of increasing the quality and breadth of the Personal Data covered by this Part 2.
15. DATA RETENTION AND DELETION
The Parties shall not retain or Process Personal Data covered by this Part 2 under this Agreement for longer than is necessary to carry out the Agreed Purposes.
...
The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include:
a systematic description of the envisaged processing operations and the purpose of the processing;
an assessment of the necessity and proportionality of the processing operations in relation to the Services;
an assessment of the risks to the rights and freedoms of Data Subjects; and
the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
The Processor shall, in relation to any Personal Data Processed in connection with its obligations under this Agreement:
process that Personal Data only in accordance with Schedule 1, unless the Processor is required to do otherwise by Law. If it is so required, the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law;
ensure that all measures in Schedule 2 are adhered to and met at all times during the processing, and that it has in place all Protective Measures, reviewed and approved by the Controller as appropriate, to protect against a Data Loss Event, having taken account of:
the nature of the data to be protected;
the harm and risks that might result from a Data Loss Event;
assessment of the technical and non-technical controls to mitigate these risks; and
the cost of implementing any measures if required;
ensure that the Processor Personnel do not process Personal Data except in accordance with this Agreement, and in particular Schedule 1;
take all reasonable steps, as further detailed in Schedule 2, both technical and non-technical, to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data, and ensure that they:
are aware of and comply with the Processor’s duties under this clause;
are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor. This includes but is not limited to commercially sensitive information and Personal Data;
are informed of the confidential nature of the Personal Data and commercially sensitive information and do not publish, disclose or divulge any of the Personal Data or commercially sensitive information to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and
have undergone adequate annual training in the use, care, protection and handling of Personal Data and are assessed as competent to undertake the processing activity or activities;
keep Personal Data and commercially sensitive information confidential for the length of the contract and ensure that, once the contract has ended or terminated, that Personal Data and commercially sensitive information is kept confidential indefinitely;
not transfer Personal Data outside of the European Economic Area (EEA) unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46) as determined by the Controller;
the Data Subject has enforceable rights and effective legal remedies;
the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations);
the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data; and
the Processor notifies the Controller prior to any transformation of the Personal Data which is not part of the agreed processing but occurs due to the transfer of Personal Data from the service provider to or from another organisation party to this Agreement;
at the written direction of the Controller, delete or return the Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data.
The Processor shall notify the Controller within 72 hours if it:
receives an Individual Rights Request or any Freedom of Information (FOI) / Environmental Information Regulations (EIR) request relating to this processing;
receives a request to rectify, block or erase or transfer any Personal Data by the data subject;
receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data Processed under this Agreement;
receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
becomes aware of a Data Loss Event.
The Processor’s obligation to notify under clause 16.4 shall include the provision of further information to the Controller in phases, as details become available.
Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 16.4 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing:
the Controller with full details and copies of the complaint, communication, data loss event or request;
such assistance as is reasonably requested by the Controller to enable the Controller to comply with an Individual Rights Request within the relevant timescales set out in the Data Protection Legislation;
the Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
assistance as requested by the Controller following any data loss event; and
assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office.
The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor.
The Processor, in ensuring that it has in place such Protective Measures as have been reviewed and approved by the Controller, shall comply with any reasonable request of the Controller to supply evidence of those measures within 28 days.
...
Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must:
notify the Controller in writing of the intended Sub-processor and processing;
obtain the written consent of the Controller;
enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause 1 and associated schedules such that they apply to the Sub-processor; and
provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require.
The Processor shall remain fully liable for all acts or omissions of any Sub-processor.
The Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement).
The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
The Controller may immediately terminate this Agreement on written notice to the Processor. The Processor may not terminate this Agreement without the written consent of the Controller.
...
GOVERNING LAW AND DISPUTE RESOLUTION
Governing law
This Agreement and all matters arising out of or in connection with it, including any Dispute and any dispute resolution procedure provided for in this Agreement, shall be governed by, and construed in accordance with, the law of England and Wales.
Dispute resolution
The Parties shall resolve any Disputes in accordance with the Commissioning Contract terms.
SCHEDULE 1: DATA PROCESSING PARTICULARS
PERSONAL DATA TO BE PROCESSED
This Schedule describes the types of PKB Data that may be Processed under this Agreement. The Parties may agree to amend the descriptions in this clause at any time with the approval of the Parties.
For clarity, PKB Data Processed under this Agreement shall be subject to the data minimisation measures described in clause 10, including:
Providers applying data minimisation measures prior to sharing any data with PKB; and
the Parties continuing to review the data minimisation measures to ensure the minimisation of Personal Data within PKB Data as may be required by Data Protection Law.
PKB Data to be Processed under this Agreement may include data from the following sources:
Providers’ Electronic Patient Record (structured coded data only)
Patient Inputted Data
Third Party Partners and Integrations (for purposes of care provision)
The inclusion of personal data of any natural person under the age of 13 should be considered on a case by case basis.
...
PKB will only act under the following instruction of the Provider for this Processing operation:
Description | Detail
--- | ---
Identity of Controller for each Category of Personal Data | Provider is Controller for all Personal Data categories.
Duration of the Processing | Duration of the Joint Controller Agreement and Data Processing Contract.
Nature and purposes of the Processing | PKB provides a software solution to allow Providers to share patient records between themselves. PKB is considered a Processor for Provider-inputted data within the Patient Record. For this personal data, PKB will only process this personal data in order to provide the service of the PKB platform.
Type of Personal Data |
Categories of Data Subject | Controller’s patients; Controller’s staff using the PKB platform
Plan for return and destruction of the data once the Processing is complete UNLESS requirement under Union or Member State law to preserve that type of data | At the end of the Agreement, all personal data will be destroyed or returned to the Controller, at the choice of the Controller.
Transfers of data outside the UK | There will be no transfers of personal data outside the UK.
SCHEDULE 3: SECURITY CONTROLS
...