...

18.1.2 Personal Data Breaches have been handled in accordance with this Agreement where PKB Data are involved.

19. WARRANTIES 

19.1 Each Party represents and warrants to the other Party that:

...

Termination or expiry of this Agreement shall not affect any rights, remedies, obligations or liabilities of the Parties that have accrued up to the date of termination or expiry, including the right to claim damages in respect of any breach of this Agreement which existed at or before the date of termination or expiry.

23. FORCE MAJEURE

23.1 Non-performance or delay of either Party will be excused to the extent that such non-performance or delay is caused by any circumstance beyond that Party’s reasonable control, including strike, fire, natural disaster, governmental acts, orders or restrictions, failure of suppliers or subcontractors. In such circumstances the affected Party shall be entitled to a reasonable extension of time for performance. If the period of non-performance or delay continues for ninety (90) days, the Party not affected may terminate this Agreement immediately on written notice to the affected Party.

24. ASSIGNMENT AND OTHER DEALINGS 

24.1 Neither Party may assign or otherwise transfer any of its rights or obligations under this Agreement without the prior written approval of the other Party, except as expressly permitted by clause 24.2. 

24.2 A Party may, upon written notice to the other Party and subject to the prior written approval of the other Party (such approval not to be unreasonably withheld or delayed), assign or otherwise transfer this Agreement to any of its affiliates or in connection with a change of control transaction (whether by merger, consolidation, sale of equity interests, sale of all or substantially all assets, or otherwise). For clarity, where such assignment or transfer would give rise to a breach of obligations in relation to Data Protection Law or other Applicable Law or may already affect any research ethics approvals or would not be expected in accordance with the common law duty of confidentiality, such grounds shall amongst other matters be considered reasonable for refusing approval to such assignment or transfer. Any assignment or other transfer in violation of this clause will be void. 

24.3 This Agreement will be binding upon and inure to the benefit of the Parties hereto and their permitted successors and assigns.

25. VARIATION 

25.1 No variation of this Agreement shall be effective unless it is in writing and signed by the Parties.

26. NOTICES 

26.1 All notices required or permitted under this Agreement and all requests for approvals, consents and waivers must be delivered by a method providing for proof of delivery. Any notice or request will be deemed to have been given on the date of delivery. Notices and requests must be delivered to the Parties at the addresses on the first page of this Agreement until a different address has been designated by notice to the other Party.

27. SEVERANCE 

27.1 If any provision of this Agreement is found to be unenforceable, such provision will be deemed to be deleted or narrowly construed to such extent as is necessary to make it enforceable and this Agreement will otherwise remain in full force and effect. 

28. RELATIONSHIP OF THE PARTIES

28.1 The Parties are and will be independent contractors and neither Party has any right, power, or authority to act or create any obligation on behalf of the other Party.

29. RIGHTS AND REMEDIES 

29.1 The rights and remedies provided under this Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.

30. WAIVER 

30.1 No term or provision of this Agreement will be deemed waived and no breach will be deemed excused, unless such waiver is in writing and signed by the Party claimed to have waived.

31. COUNTERPARTS 

31.1 This Agreement may be executed in counterparts (which may be exchanged by facsimile or .pdf copies), each of which will be deemed an original, but all of which together will constitute the same Agreement.

32. THIRD PARTY RIGHTS 

32.1 This Agreement does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement.

33. FURTHER ASSURANCE 

33.1 Each Party shall use reasonable endeavours to procure that any necessary third party shall promptly execute and deliver such documents and perform such acts as may reasonably be required for the purpose of giving full effect to this Agreement.

34. COSTS 

34.1 Each Party shall pay its own costs incurred in connection with the negotiation, preparation, and execution of this Agreement.

35. ENTIRE AGREEMENT 

35.1 This Agreement constitutes the entire agreement between the Parties and supersedes and extinguishes all previous drafts, agreements, arrangements, and understandings between them, whether written or oral, relating to its subject matter.

35.2 Each Party acknowledges that in entering into this Agreement it does not rely upon, and shall have no remedies in respect of, any representation or warranty (whether made innocently or negligently) that is not set out in this Agreement. No Party shall have any claim for innocent or negligent misrepresentation based on any statement in this Agreement.

36. GOVERNING LAW AND DISPUTE RESOLUTION

36.1 Governing law

36.1.1 This Agreement and all matters arising out of or in connection with it, including any Dispute and any dispute resolution procedure provided for in this Agreement, shall be governed by, and construed in accordance with, the law of England and Wales.

36.2 Dispute resolution:

36.2.1 The Parties shall resolve any Disputes in accordance with the Commissioning Contract terms.

37. SCHEDULE 1: DATA PROCESSING PARTICULARS

37.1 PERSONAL DATA TO BE PROCESSED

37.1.1 This Schedule describes the types of PKB Data that may be Processed under this Agreement. The Parties may agree to amend the descriptions in this clause at any time with the approval of the Parties.

37.1.2 For clarity, PKB Data Processed under this Agreement shall be subject to the data minimisation measures described in clause 10, including:

37.2 Providers applying data minimisation measures prior to sharing any data with PKB; and 

37.3 the Parties continuing to review the data minimisation measures to ensure the minimisation of Personal Data within PKB Data as may be required by Data Protection Law.

37.3.1 PKB Data to be Processed under this Agreement may include data from the following sources: 

  • Providers’ Electronic Patient Record (structured coded data only)

  • Patient Inputted Data

  • Third Party Partners and Integrations (for purposes of care provision)

37.4 The inclusion of personal data of any natural person under the age of 13 should be considered on a case by case basis.

38. SCHEDULE 2: PROCESSING OPERATIONS

2A PROCESSING OPERATION A

Processing Operation: Maintaining Patient Account

Performed by: PKB

Classification of Parties: PKB – Sole Controller

Lawful Bases for Processing: Article 6(1)(f) and Article 9(2)(h)

Specific Responsibilities for Parties: N/A as no Joint Processing

Compliance with Principles

Principle 1 – Processing is lawful, fair and Transparent:

Individuals are invited to create an account by their healthcare provider (who has commissioned PKB) where they are able to provide their own personal data. Where this is the case, PKB acts as Sole Controller and as such provides the individual with transparency information when registering. 

Principle 2 – Collected for specific, explicit and legitimate purposes:

Personal data Processed by PKB within the patient account is only used for the purposes of providing that service to the individual to help the individual manage their health and care. It is not used for further purposes. 

Principle 3 – Adequate, relevant and not excessive:

This Processing will only involve personal data provided by the patient themselves, and as such will be limited to the personal data provided by the patient.

Principle 4 – Accurate and up to date:

Given the personal data is provided by the patient, PKB will have no determination as to the accuracy of that data. However, this will be marked within the PKB system as patient inputted data, so it will be clear to those accessing within the Patient Record (in the case it is transferred to the Patient Record).

Principle 5 – Kept for no longer than is necessary:

The Patient Account will be kept for up to 8 years after the last access date by Providers.

Principle 6 – Processed securely

PKB implements strong technical and organisational controls to maintain the integrity and confidentiality of this Processing, including annual penetration testing, adherence to the Data Security and Protection Toolkit and a role-based training programme for all employees.

...

 

2B PROCESSING OPERATION B

Processing Operation: Maintaining Patient-Inputted Data as part of the Patient Account where accessed by Provider.

Performed by: PKB and Providers

Classification of Parties: PKB and the Providers act as Joint Controllers.

Lawful Bases for Processing: 

Providers – Article 6(1)(e) and Article 9(2)(h)

PKB - Article 6(1)(e) and Article 9(2)(h)/(g)

Specific Responsibilities for Parties:

PKB provides the platform. 

PKB are responsible for providing the security around the platform.

The Providers are responsible for only providing access to those in their own organisation who require it.

Principle 1 – Processing is lawful, fair and Transparent:

Processing of the patient-inputted data is considered necessary in order to support the care of the individual and allows the individual to have more choice and engagement with regard to their health and care information. 

Principle 2 – Collected for specific, explicit and legitimate purposes:

Personal data Processed which is provided directly by the patient is Processed in line with the original purpose of collection.

Principle 3 – Adequate, relevant and not excessive:

Patients will be responsible for the information provided by themselves and they are able to decide what is shared with the healthcare providers. 

Principle 4 – Accurate and up to date:

The accuracy of the information provided directly by patients is the responsibility of those patients who choose to do so, but all self-uploaded records are notified to clinicians as such to enable clinicians to make decisions based on the knowledge these are self-uploaded data items.

Principle 5 – Kept for no longer than is necessary:

The Patient-Inputted data will be kept for up to 8 years after the contract with Providers ends to maintain the integrity of the health record. 

Principle 6 – Processed securely

PKB implements strong technical and organisational controls to maintain the integrity and confidentiality of this Processing, including annual penetration testing, adherence to the Data Security and Protection Toolkit and a role-based training programme for all employees. 

2C PROCESSING OPERATION C

Processing Operation: Service Evaluation and Improvement

Performed by: PKB 

Classification of Parties: PKB as Independent Controller

Lawful Bases for Processing: 

PKB - Article 6(1)(f) 

Specific Responsibilities for Parties:

PKB will undertake service evaluation and improvement to improve the user experience for both clinicians and patients.

Principle 1 – Processing is lawful, fair and Transparent:

Processing for these purposes is detailed within the transparency information to inform individuals of the Processing. No special category data will be used for these purposes, and any personal data will be pseudonymised and aggregated where necessary for this purpose.

Principle 2 – Collected for specific, explicit and legitimate purposes:

The purpose of service evaluation and improvement is considered a compatible purpose of Processing against the original purpose of collection in order to support the original purpose Personal Data was collected.

Principle 3 – Adequate, relevant and not excessive:

All Personal Data will undergo pseudonymisation and aggregation where necessary to ensure that only the minimum necessary personal data is used for this purpose.

Principle 4 – Accurate and up to date:

All Personal Data will be utilised directly from the PKB Account and Record to ensure it is accurate and up to date.

Principle 5 – Kept for no longer than is necessary:

Any Personal Data used for this purpose will be destroyed in line with standard PKB retention schedules. No Personal Data will be retained for longer for this specific purpose.

Principle 6 – Processed securely

PKB implements strong technical and organisational controls to maintain the integrity and confidentiality of this Processing, including annual penetration testing, adherence to the Data Security and Protection Toolkit and a role-based training programme for all employees. 

2D PROCESSING OPERATION D

Processing Operation:

Maintaining Patient Record (where data originates from Provider)

Performed by:

PKB and Providers

Classification of Parties:

Provider as Controller, PKB as Processor

Lawful Bases for Processing: 

Providers - Article 6(1)(e) / Article 9(2)(h)

Specific Responsibilities for Parties:

PKB will only act under the following instruction of the Provider for this Processing operation 

Description

Detail

Identity of Controller for each Category of Personal Data: Provider is Controller for all Personal Data categories.

Duration of the Processing: Duration of the Joint Controller Agreement and Data Processing Contract.

Nature and purposes of the Processing: PKB provides a software solution to allow Providers to share patient records between themselves. PKB is considered a Processor for Provider inputted data within the Patient Record.

For this personal data, PKB will only process this personal data in order to provide the service of the PKB platform.

Type of Personal Data:

  • Patient name

  • Patient contact details

  • Patient date of birth

  • Patient racial/ethnic origin

  • Patient’s health record

  • Controller’s users of the PKB platform

Categories of Data Subject:

  • Controller’s patients

  • Controller’s staff using PKB platform

Plan for return and destruction of the data once the Processing is complete (UNLESS requirement under Union or Member State law to preserve that type of data): At the end of the Agreement, all personal data will be destroyed or returned to the Controller, at the choice of the Controller.

Transfers of data outside the UK: There will be no transfers of personal data outside the UK.

...