PART 1 – DEFINITIONS AND CLAUSES
This Agreement is dated
1. PARTIES
A. Patients Know Best (“PKB”); and
B. (“Organisation”), each a “Party” and together the “Parties”.
2. BACKGROUND
A. The Organisation has contracted with PKB under the Commissioning Contract to provide patients with access to and some control of their health data. The PKB platform facilitates patient access to their health data contributed by the Organisation and facilitates the patient to add information which may be viewed by the Organisation and other people of their choosing.
B. Data received by PKB from the Organisation is here referred to as the Patient Record.
C. The Organisation is an Independent Controller and PKB are the Processor of the Patient Record.
D. Where a Patient has activated access to their health data, any personal data entered by them is referred to as the Patient Account.
E. PKB is the Controller for data within the Patient Account
F. Where personal data within the Patient Account is accessed by the Organisation, PKB and the accessing Organisation are Independent Controllers.
G. The Parties consider it is necessary to use certain Personal Data between them to give effect to the objectives of the Processing and the Data Processing Contract (“Agreement”) sets out the framework for such use, including the principles and procedures that the Parties shall adhere to and the responsibilities the Parties owe to each other.
3 DEFINITIONS AND INTERPRETATION
3.1 Unless specifically provided for in this Agreement, the following terms shall have the following meanings:
“Agreed Purposes” | has the meaning given in clause 7; |
“Commencement Date” | has the meaning given in clause 5.1; |
“Controller”, , “Personal Data”, “Personal Data Breach”, “Processing” (including “Process” and “Processed”), and “Special Categories of Personal Data” | has the meaning given in the DPA 2018; |
“Commissioning Contract” | means the commercial arrangement between the Parties; |
“Data Protection Law” | means, for the periods in which they are in force in the United Kingdom, the DPA 2018, the GDPR, the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and all applicable laws and regulations relating to Processing of Personal Data and privacy; |
“Data-Subject” “Patient” | means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person in any PKB Data; |
“Data Subject Access Request” | means a request from a Data Subject under Data Protection Law in respect of PKB Data; |
“DPA 2018” | means the Data Protection Act 2018; |
“GDPR” | means the General Data Protection Regulation (Regulation (EU) 2016/679) and UK General Data Protection Regulation; |
“PKB data” | means all personal data held on the PKB platform, both patient Record and Patient Account; |
“Services”, “Platform”, “Solution” | means the PKB software and architecture, infrastructure and operations. |
“Third-Party Communication” | has the meaning given in clause 11.3. |
“UK GDPR” | means the GDPR as implemented into UK law by the DPA 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419). |
3.2 The following rules of interpretation apply to this Agreement:
3.2.1 clause, schedule, and paragraph headings shall not affect the interpretation of this Agreement.
3.2.2 a person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality).
3.2.3 the Schedules form part of this Agreement and shall have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Schedules;
3.2.4 unless the context otherwise requires, words in the singular shall include the plural and, in the plural, shall include the singular;
3.2.5 a reference to a statute, statutory provision or other legal instrument is a reference to it as amended, extended, or re-enacted from time to time; and
3.2.6 any words following the terms including, include, in particular, for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.
3.3 In the event and to the extent of a conflict between:
3.3.1 the main body of this Agreement and the Schedules, except as expressly stated otherwise, the main body of this Agreement shall prevail to the extent of such conflict
4. SCOPE AND APPLICATION
4.1 This Agreement applies to the processing of Personal Data on the PKB Platform. Any reference in this Agreement to PKB Data shall be interpreted as a reference to any Personal Data held on the PKB Platform.
4.2 For the purpose of Data Protection Laws, this Arrangement shall prevail in the event of a conflict with the Commissioning Contract and any other agreement between the Parties and PKB.
4.3 For the avoidance of doubt, PKB will comply with all necessary data protection obligations where acting as sole controller.
4.4 Where PKB Data under this Agreement is accessed by another Organisation, that organisation shall be considered a Third Party under Article 4 of UK GDPR.
5. COMMENCEMENT AND DURATION
5.1 This Agreement shall commence on the date set out at the top of it (the “Commencement Date”) and shall continue in accordance with its terms.
6. PATIENT AND REGULATORY ENGAGEMENT
6.1 Prior to the commencement of Processing, in respect of the activities contemplated by this Agreement, the Parties shall cooperate with each other to:
6.1.1 conduct patient engagement activities to assist the Parties in considering the views of patients; and
6.1.2 develop supporting materials for the provision of information to patients regarding the Processing of PKB Data;
6.1.3 Promote by all reasonably available and effective communication channels with patients and the public the proposed processing activity, purpose, risks and expected benefits using a layered approach and notifying and explaining the right and process for opting out.
6.2 Following the commencement of processing activity, the Organisation will continue to promote the proposed processing activity in accordance with their duty of transparency.
7. AGREED PURPOSES
7.1 The Parties agree to only Process PKB Data under this Agreement for:
7.1.1 The provision of health and social treatment and care [may not be applicable in all cases]
7.1.2 Provide a platform for patients to access and add to their PKB health record
7.1.3 Allow patients to determine which organisations can view their profile
7.1.4 Maintaining a patient level record for statutory period [may not be applicable in all cases]
7.1.5 The maintenance by PKB of the PKB platform and data held on it
7.1.6 [Add here other purpose agreed by the parties]
each of the above, an “Agreed Purpose”.
PART 2 – DATA PROCESSING SPECIFIC CLAUSES
8. The Parties acknowledge that for the purposes of the Data Protection Legislation that the Organisation is the Controller and PKB is the Processor. The only processing that the Processor is authorised to do is set out in Schedule 1, which is attached to and forms part of this agreement, by the Controller and may not be determined by the Processor.
8.1 The Processor shall notify the Controller within 72 hours if it considers that any of the Controller’s instructions infringe Data Protection Legislation.
8.2 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include:
(a) a systematic description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
(c) an assessment of the risks to the rights and freedoms of Data Subjects; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
8.3 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement:
(a) process that Personal Data only in accordance with Schedule 1, unless the Processor is required to do otherwise by Law. If it is so required, the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law;
(b) ensure that all measures in Schedule 2 are adhered to and met at all times of the processing and has in place all Protective Measures, which have been reviewed and approved by the Controller as appropriate to protect against a Data Loss Event having taken account of:
(i) the nature of the data to be protected;
(ii) the harm and risks that might result from a Data Loss Event;
(iii) assessment of the technical and non-technical controls to mitigate these risks; and
(iv) the cost of implementing any measures if required;
(v) ensuring that the Processor Personnel do not process Personal Data except in accordance with this Agreement, and in particular Schedule 1;
(vi) taking all reasonable steps further detailed in schedule 2, both technical and non-technical to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
(c) are aware of and comply with the Processor’s duties under this clause;
(d) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor. This includes but is not limited to commercially sensitive information and Personal Data;
(e) are informed of the confidential nature of the Personal Data and commercially sensitive information and do not publish, disclose or divulge any of the Personal Data or commercially sensitive information to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and
(f) have undergone adequate annual training in the use, care, protection and handling of Personal Data and are assessed as competent to undertake the processing activity or activities;
(g) keep personal data and commercially sensitive information confidential for the length of the contract and ensure that once the contract has ended or terminated that personal data and commercially sensitive information is kept confidential indefinitely.
(h) not transfer Personal Data outside of the European Economic Area (EEA) unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
(i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with UK GDPR Article 46) as determined by the Controller;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
(iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data;
(v) the Processor notifies the Data Controller prior to any transformation of the Personal Data which is not part of this agreed processing but occurs due to the transfer of Personal Data from the service provider to or from another organisation party to this agreement.
(i) at the written direction of the Controller, delete or return the Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data.
8.4 The Processor shall notify the Controller within 72 hours if it:
(a) receives an Individual Rights Request or any Freedom of Information (FOI) / Environmental Information Regulations (EIR) request relating to this processing;
(b) receives a request to rectify, block or erase or transfer any Personal Data by the data subject;
(c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
(d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement;
(e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
(f) becomes aware of a Data Loss Event.
8.5 The Processor’s obligation to notify under clause 8.4 shall include the provision of further information to the Controller in phases, as details become available.
8.6 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 8.4 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing:
(a) the Controller with full details and copies of the complaint, communication, data loss event or request;
(b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with an Individual Rights Request within the relevant timescales set out in the Data Protection Legislation;
(c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
(d) assistance as requested by the Controller following any data loss event;
(e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office.
8.7 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor.
8.8 The Processor when ensuring that it has in place such Protective Measures, having been reviewed and approved by the Controller, shall follow the reasonable request of the Controller supply such evidence as requested by the Controller within 28 days.
8.9 The Processor shall designate a Data Protection Officer or where not required by Law, authorised responsible officer who is David Stone, Data Protection Officer, dpo@patientsknowbest.com .
8.10 Before any Personal Data is shared by the Organisation with PKB, the Organisation shall:
8.10.1 identify and remove the Personal Data of any Data Subjects who have opted out of data being loaded to the PKB platform through a locally operated and promoted Opt-Out scheme; and;
8.10.2 implement data minimisation measures as required by this clause 8 and as may be agreed by the Parties from time to time to ensure only approved data is loaded to the PKB platform.
8.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must:
(a) notify the Controller in writing of the intended Sub-processor and processing;
(b) obtain the written consent of the Controller;
(c) enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause 1 and associated schedules such that they apply to the Sub-processor; and
(d) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require.
8.12 The Processor shall remain fully liable for all acts or omissions of any Sub-processor.
8.13 The Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement).
8.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
8.15 The Controller may immediately terminate this Agreement on written notice to the Processor. The Processor may not terminate this Agreement without the written consent of the Controller.
8.16 At the choice of the Controller, the Processor shall return or destroy all personal data to the Controller at the end of the provision of services relating to the processing and delete any existing copies.
8.17 The Processor warrants that it shall:
(i) Process the Personal Data in compliance with Law; and
(ii) take appropriate technical and organisational measures against Data Breach.
8.18 The Processor agrees to indemnify and keep indemnified and defend at its own expense the Controller against all costs, claims, damages or expenses incurred by the Controller or for which the Controller may become liable due to any failure by the Processor or its employees or agents to comply with any of its obligations under this Agreement.
8.19 This Agreement is subject to English law and the exclusive jurisdiction of the English Courts.
8.20 Any variation (change request) to this agreement must be agreed by the Data Controller in advance of the change. This request must be in writing to the data controller and must be authorised in writing back to the Processor before any variation can take place. The authorised officers who can approve, raise, reject or escalate variations to this agreement are detailed in Schedule 3 and can be updated from time to time in writing by either party. Any change that is authorised by the data controller must be acknowledged as a variation to this contract and parties who initially signed this agreement must also resign this agreement. This variation should be dated and clearly detailed within any subsequent agreement. If the variation is rejected and the Processor is unable to continue meeting its obligations as part of this agreement, then this must be escalated to the data controller who has the right to terminate this agreement with immediate effect.
8.21 Day to day management of this contract is undertaken by the parties as detailed in Schedule 3 which can be updated from time to time in writing by either party.
8.22 Where there is a dispute, the aggrieved Party shall notify the other Party in writing of the nature of the dispute with as much detail as possible about the deficient performance of the other party. A representative from senior management of each of the parties (together the "Representatives") shall meet in person or communicate by telephone within five Working Days of the date of the written notification in order to reach an agreement about the nature of the deficiency and the corrective action to be taken by the respective Parties. The Representatives shall produce a report about the nature of the dispute in detail to their respective boards and if no agreement is reached on corrective action, then the chief executives of each Party shall meet in person or communicate by telephone, to facilitate an agreement within five Working Days of a written notice by one to the other. If the dispute cannot be resolved at board level within a further five Working Days, or if the agreed upon completion dates in any written plan of corrective action are exceeded, either party may seek the legal remedies to which it is entitled under this agreement.
8.23 If the Processor listed in this Schedule is taken over, goes out of business or enters administration, then the representative of the Data Controller will decide on the next steps and endeavour to find an alternative data processor for the purposes of this project. However, in the event that there are no alternative Processor(s) (Data Processor(s), all data processing for the purposes of this project will come to an end and all relevant parties listed in this Data Processing Agreement will be notified accordingly.
8.24 The Processor will ensure adequate business continuity services and disaster recovery services are in place and regularly tested. Evidence of this testing will be required as part of the Controller's due diligence.
PART 3 – FURTHER CONTRACTUAL CLAUSES
9. RECORDS
9.1 Each Party shall maintain such records as required by Data Protection Law in respect of its Processing of PKB Data and as may be reasonably necessary to demonstrate its compliance with this Agreement.
10. REVIEW OF THIS AGREEMENT
10.1 The effectiveness of this Agreement shall be reviewed from time to time at such intervals as may be agreed by the Organisation, having consideration to the Permitted Purposes and whether any amendments may be necessary to this Agreement. This review will involve assessing whether:
10.1.1 this Agreement needs to be updated to comply with any amendments to Data Protection Law; and
10.1.2 Personal Data Breaches have been handled in accordance with this Agreement where PKB Data are involved.
11 WARRANTIES
11.1 Each Party represents and warrants to the other Party that:
11.1.1 it has full capacity to enter into and perform this Agreement which has been duly executed by the required corporate action;
11.1.2 entry into and performance of this Agreement does and will not violate or be subject to any restriction in or by any other agreement or obligation.
11.2 the use of PKB Data as permitted by this Agreement does not infringe the rights of any third party.
11.3 Each Party shall notify the other Parties in writing within five (5) Business Days if it receives a “Third Party Communication” including but not limited to:
11.3.1 any communication from the ICo or any other regulatory authority in connection with Personal Data covered by the Part 2 or;
11.3.2 a request from any third party for disclosure of Personal Data covered by this Part 2 where compliance with such request is required or purported to be required by Applicable Law.
12 LIMITATION AND EXCLUSION OF LIABILITY
12.1 Each Party’s liability arising out of or in connection with this Agreement, whether in contract, tort (including negligence) or otherwise shall be limited costs incurred by the other parties as a direct result of negligence of the Party, including failure to comply with this Agreement
12.1 Each Party is responsible for the cost of remedying any non-compliance with Data Protection Laws determined the responsibility of that Party by this Arrangement. Liability under this Arrangement for each Party is limited to that which arises from a breach of Data Protection Laws.
12.3 Any liability arising from processing activity undertaken under this Arrangement shall be determined by the roles and responsibilities of each Party in line with Article 82 of GDPR.
13 TERMINATION
13.1 Without affecting any other right or remedy available to it, either Party may terminate this Agreement with immediate effect by giving written notice to the other Party:
13.1.1 if the other Party commits a material breach of this Agreement which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of ninety (90) days after being notified in writing to do so;
13.1.2 if the other Party repeatedly breaches any of the terms of this Agreement in such a manner as to reasonably justify the opinion that its conduct is inconsistent with it having the intention or ability to give effect to the terms of this Agreement;
13.1.3 if the other Party is subject to an Insolvency Event;
13.1.4 if there is a change of control of the other Party excluding any intra-group reorganisation (or similar) of such other Party; or
13.1.5 in accordance with clause 21.
13.2 If the Commissioning Contract terminates for any reason this Agreement shall terminate automatically at the same time as the effective date of termination of the Commissioning Contract without any further action required by either Party.
13.3 Each Party’s rights to terminate this Agreement set out in this clause 13 shall not affect any other right or remedy available to it including those arising under this Agreement prior to termination.
14 CONSEQUENCES OF TERMINATION
Upon termination or expiry of this Agreement:
14.1 PKB will permanently delete Patient Record data which has not been accessed by the Organisation
14.2 Return to the Organisation a copy of Patient Record data which has been accessed by the Organisation, after which it will be permanently deleted
14.3 For the absence of doubt, Patient Accounts will be retained by PKB in accordance with their role and responsibilities as a Controller termination or expiry of this Agreement shall not affect any rights, remedies, obligations or liabilities of the Parties that have accrued up to the date of termination or expiry, including the right to claim damages in respect of any breach of this Agreement which existed at or before the date of termination or expiry.
15 FORCE MAJEURE
15.1 Non-performance or delay of either Party will be excused to the extent that performance is caused by any circumstance beyond Party’s reasonable control, including strike, fire, natural disaster, governmental acts, orders or restrictions, failure of suppliers or subcontractors. In such circumstances the affected Party shall be entitled to a reasonable extension of time for performance. If the period of non-performance or delay continues for ninety (90) days, the Party not affected may terminate this Agreement immediately on written notice to the affected Party.
ASSIGNMENT AND OTHER DEALINGS
Neither Party may assign or otherwise transfer any of its rights or obligations under this Agreement without the prior written approval of the other Party, except as expressly permitted by clause 16.2.
A Party may, upon written notice to the other Party and subject to the prior written approval of the other Party (such approval not to be unreasonably withheld or delayed), assign or otherwise transfer this Agreement to any of its affiliates or in connection with a change of control transaction (whether by merger, consolidation, sale of equity interests, sale of all or substantially all assets, or otherwise). For clarity, where such assignment or transfer would give rise to a breach of obligations in relation to Data Protection Law or other Applicable Law or would not be expected in accordance with the common law duty of confidentiality, such grounds shall amongst other matters be considered reasonable for refusing approval to such assignment or transfer. Any assignment or other transfer in violation of this clause will be void.
This Agreement will be binding upon and inure to the benefit of the Parties hereto and their permitted successors and assigns.
VARIATION
No variation of this Agreement shall be effective unless it is in writing and signed by the Parties.
NOTICES
All notices required or permitted under this Agreement and all requests for approvals, consents and waivers must be delivered by a method providing for proof of delivery. Any notice or request will be deemed to have been given on the date of delivery. Notices and requests must be delivered to the Parties at the addresses on the first page of this Agreement until a different address has been designated by notice to the other Party.
SEVERANCE
If any provision of this Agreement is found to be unenforceable, such provision will be deemed to be deleted or narrowly construed to such extent as is necessary to make it enforceable and this Agreement will otherwise remain in full force and effect.
RELATIONSHIP OF THE PARTIES
The Parties are and will be independent contractors and neither Party has any right, power, or authority to act or create any obligation on behalf of the other Party.
RIGHTS AND REMEDIES
The rights and remedies provided under this Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.
WAIVER
No term or provision of this Agreement will be deemed waived and no breach will be deemed excused, unless such waiver is in writing and signed by the Party claimed to have waived.
COUNTERPARTS
This Agreement may be executed in counterparts (which may be exchanged by facsimile or .pdf copies), each of which will be deemed an original, but all of which together will constitute the same Agreement.
THIRD PARTY RIGHTS
This Agreement does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement.
FURTHER ASSURANCE
Each Party shall use reasonable endeavours to procure that any necessary third party shall, promptly execute and deliver such documents and perform such acts as may reasonably be required for the purpose of giving full effect to this Agreement.
COSTS
Each Party shall pay its own costs incurred in connection with the negotiation, preparation, and execution of this Agreement.
ENTIRE AGREEMENT
This Agreement constitutes the entire Data Processing Agreement between the Parties and supersedes and extinguishes all previous drafts, agreements, arrangements, and understandings between them, whether written or oral, relating to its subject matter.
Each Party acknowledges that in entering into this Agreement it does not rely upon, and shall have no remedies in respect of, any representation or warranty (whether made innocently or negligently) that is not set out in this Agreement. No Party shall have any claim for innocent or negligent misrepresentation based on any statement in this Agreement.
GOVERNING LAW AND DISPUTE RESOLUTION
Governing law
28.1.1 This Agreement and all matters arising out of or in connection with it, including any Dispute and any dispute resolution procedure provided for in this Agreement, shall be governed by, and construed in accordance with, the law of England and Wales.
Dispute resolution:
28.2.1 The Parties shall resolve any Disputes in accordance with the Commissioning Contract terms
SCHEDULES
29. SCHEDULE 1: DATA PROCESSING PARTICULARS
29.1 PERSONAL DATA TO BE PROCESSED
29.1.1 This Schedule describes the types of PKB Data that may be Processed under this Agreement. The Parties may agree to amend the descriptions in this clause at any time with the approval of the Parties.
29.1.2 For clarity, PKB Data Processed under this Agreement shall be subject to the data minimisation measures described in clause 8, including:
29.2 The Organisation applying data minimisation measures prior to sharing any data with PKB; and
29.3 The Parties continuing to review the data minimisation measures to ensure the minimisation of Personal Data within PKB Data as may be required by Data Protection Law.
29.3.1 PKB Data to be Processed under this Agreement may include data from the following sources:
Organisations Electronic Patient Record |
Patient Inputted Data |
Third Party Partners and Integrations (for purposes of care provision) |
29.4 The inclusion of personal data of any natural person under the age of 13 should be considered on a case by case basis.
30. SCHEDULE 2: PROCESSING OPERATIONS
2A PROCESSING OPERATION A
Processing Operation: Maintaining Patient Account
Performed by: PKB
Classification of Parties: PKB – Sole Controller
Lawful Bases for Processing: -Article 6(1)(f) and Article 9(2)(h)
Compliance with Principles
Principle 1 – Processing is lawful, fair and Transparent:
Individuals are invited to create an account by the organisation (who has commissioned PKB) where they are able to provide their own personal data. Where this is the case, PKB acts as Sole Controller and as such provides the individual with transparency information when registering.
Principle 2 – Collected for specific, explicit and legitimate purposes:
Personal data processed by PKB within the patient account is only used for the purposes of providing that service to the individual to help the individual manage their health and care. It is not used for further purposes.
Principle 3 – Adequate relevant and not excessive:
This processing will only involve personal data provided by the patient themselves, and as such will be limited to the personal data provided by the patient.
Principle 4 – Accurate and up to date:
Given the personal data is provided by the patient, PKB will have no determination as to the accuracy of that data. However, this will be marked within the PKB system as patient inputted data, so it will be clear to those accessing within the Patient Record (in the case it is transferred to the Patient Record).
Principle 5 – Kept for no longer than is necessary:
The Patient Account will be kept for up to 8 years after the last access date by the Organisation.
Principle 6 – Processed securely
PKB implements strong technical and organisational controls to maintain the integrity and confidentiality of this processing, including annual penetration testing, adherence to the Data Security and Protection Toolkit and a role-based training programme for all employees.
2B PROCESSING OPERATION B
Processing Operation: Service Evaluation and Improvement
Performed by: PKB
Classification of Parties: PKB as Independent Controller
Lawful Bases for Processing:
PKB - Article 6(1)(f)
Specific Responsibilities for Parties:
PKB will undertake service evaluation and improvement to improve the user experience for all users roles.
Principle 1 – Processing is lawful, fair and Transparent:
Processing for these purposes is detailed within the transparency information to inform individuals of the processing. No special category data will be used for these purposes, and any personal data will be pseudonymised and aggregated where necessary for this purpose.
Principle 2 – Collected for specific, explicit and legitimate purposes:
The purpose of service evaluation and improvement is considered a compatible purpose of processing against the original purpose of collection in order to support the original purpose Personal Data was collected.
Principle 3 – Adequate relevant and not excessive:
All Personal Data will undergo pseudonymisation and aggregation where necessary to ensure that only the minimum necessary personal data is used for this purpose.
Principle 4 – Accurate and up to date:
All Personal Data will be utilised directly from the PKB Account and Record to ensure it is accurate and up to date.
Principle 5 – Kept for no longer than is necessary:
Any Personal Data used for this purpose will be destroyed in line with standard PKB retention schedules. No Personal Data will be retained for longer for this specific purpose.
Principle 6 – Processed securely
PKB implements strong technical and organisational controls to maintain the integrity and confidentiality of this processing, including annual penetration testing, adherence to the Data Security and Protection Toolkit and a role-based training programme for all employees.
2C PROCESSING OPERATION C
Processing Operation: Maintaining Patient Record (where data originates from Organisation)
Performed by: PKB and Organisation
Classification of Parties: Organisation as Controller, PKB as Processor
Lawful Bases for Processing:
Organisation - Article 6(1)(e) / Article 9(2)(h)
Specific Responsibilities for Parties:
PKB will only act under the following instruction of the Organisation for this processing operation
Description | Details |
Identity of Controller for each Category of Personal Data | Organisation is the Controller for all Personal Data categories. |
Duration of the Processing | Duration of the Data Processing Contract |
Nature and purposes of the Processing | PKB provides a software solution to allow Organisations to share patients records between themselves. PKB are considered a Processor for Organisation inputted data within the Patient Record For this personal data, PKB will only process this personal data in order to provide the service of the PKB platform. |
Type of Personal Data |
|
Categories of Data Subject | Controller’s patients Controller’s staff using PKB platform |
Plan for return and destruction of the data once the Processing is complete UNLESS requirement under Union or Member State law to preserve that type of data | At the end of the Agreement, all personal data will be destroyed or returned to the Controller, at the choice of the Controller |
Transfers of data outside the UK | There will be no transfers of personal data outside the UK |
31. SCHEDULE 3: SECURITY CONTROLS
31.1 SECURITY RESPONSIBILITIES
31.1.1 PKB shall maintain appropriate information security arrangements for all forms of Data held in any format and expressed or relayed in any communication (oral or written) in a manner consistent with the principles of the most current version of the NHS Data Security and Protection Toolkit (DSPT) and ISO 27002 - Code of Practice for Information Security Management (with the principles of the DSPT prevailing in case of any conflict). In particular:
31.1.2 PKB shall have management arrangements in place for the management of information security;
31.1.3 PKB shall comply with the DSPT assessment, reporting and audit requirements relevant to its organisation type; and
31.1.4 PKB shall have appropriate operational risk assessment and management processes in place for the identification, mitigation and management of operational security risks.
31.1.5 PKB shall ensure an appropriate level of protection for data at rest commensurate with the risks to rights and freedoms, including encryption to the latest available industry standard.
31.1.6 PKB shall comply with the requirements of Article 32 of GDPR and ensure that all data is held and processed according to the risk attached to the category of data processed
31.1.7 The Parties shall agree, and PKB shall have in place, an information security policy that is supported by appropriate organisational, security and technical security standards (the “Security Policy”).
31.1.8 PKB shall propose changes to the Security Policy on an on-going basis to reflect good industry practice or changes necessitated by any changes in applicable law. Material changes to the management of information relating to the Controller's business shall be agreed in writing by both parties, and the requirement for all such changes shall be promptly notified to the other party.
31.1.9 PKB shall create, design, establish, provide, implement, manage and maintain safeguards (including security architecture) that reflect the Security Policy and shall ensure that any changes to the Security Policy from time to time are reflected in the secure environment provided to Controller as soon as practicable.
31.1.10 PKB shall be equally responsible for managing information security risk should the Data, or access to the Data, be made available to any third parties or Processors (as may be permitted elsewhere). Such engagements will be preceded by a satisfactory due diligence process, contractual documentation being signed, and the establishment of monitoring, auditing and incident handling procedures so that the Data is no less secure under the third party’s management.
31.1.11 PKB shall ensure that all transfers of the Data undertaken by it or on its behalf will be in accordance with Secure File Transfer Protocols within the Health and Social Care Network (HSCN) and/or in accordance with the NHS Digital Good Practice Guidelines (which are, as of the date of this Contract, published at www.digital.nhs.uk).
31.2 SECURITY MANAGEMENT
31.2.1 PKB shall plan, determine, create, implement, manage, review and maintain security control over the technology and physical storage infrastructure, and respond appropriately to security events. This includes the implementation of secure technical infrastructures, technologies and physical controls (including firewalls, encryption, authentication services and swipe access) appropriate to the UK public health sector.
31.2.2 PKB shall implement control, technologies and procedures to limit the risk of unauthorised access to the environment used to provide the Services (the "Services Environment") appropriate to the UK health and social care sector.
31.2.3 PKB shall inform and make recommendations to the Organisation if it becomes aware of any products, methods or services that would result in required improvements to the security procedures in operation.
31.2.4 PKB shall create, acquire, provide, install, implement, manage and maintain any such improvements reasonably requested by the Organisation that reflect Good Industry Practice.
31.3 SECURITY ADMINISTRATION
31.3.1 PKB shall track, co-ordinate, implement, manage and maintain all security changes across the Services.
31.3.2 PKB shall limit the risk of unauthorised access to the Services Environment including content filtering to prevent objectionable material, virus protection, password controls and physical security. PKB shall have regard to the confidentiality and sensitivity contained within the Services Environment and shall ensure that measures applicable to the UK health and social care sector are in place to prevent unauthorised access.
31.4 SECURITY AUDIT
31.4.1 PKB shall provide to the Organisation any information that the Organisation reasonably requires for the purpose of allowing the Organisation to have assurance with PKB’s compliance with the provisions of this Clause 31 within a reasonable time from the Organisation’s request. PKB shall provide this information in such format as the Organisation may reasonably require.
31.5 NON-COMPLIANCE REPORTING
31.5.1 PKB shall monitor, on an ongoing basis, computer and network security configurations.
31.5.2 PKB shall create and issue reports to the Organisation on incidents of non-compliance with the Security Policy according to their severity within a reasonable time after such incidents occur.
31.6 SYSTEM ACCESS CONTROL
31.6.1 PKB shall administer the provision of access to the Services Environment (by both the Organisation’s Personnel and PKB's Personnel), Data and any other applicable data in accordance with Good Industry Practice.
31.6.2 PKB shall restrict access to the Services Environment to appropriately identified authenticated and authorised personnel and shall keep records of which personnel have access to the Services Environment and the reasons for such personnel being given such access. PKB shall also keep records of which personnel have accessed the Services Environment (including details of login and logout times).
31.6.3 PKB shall restrict user access to information and data held on external networks.
31.7 CRYPTOGRAPHY MANAGEMENT
31.7.1 PKB shall ensure that Data is encrypted as appropriate in accordance with Good Industry Practice and the most current version of the Data Security and Protection Toolkit and ISO 27002 - Code of Practice for Information Security Management (with the principles of the Data Security and Protection Toolkit prevailing in case of any conflict).
31.7.2 PKB shall manage all processes and procedures pertaining to the administration of the encryption keys, including secure key storage, periodic changing of keys, destruction of old keys, and registration of keys with the appropriate authorities.
31.8 ASSET PROTECTION
31.8.1 PKB shall acquire, create, provide, manage and maintain mechanisms to prevent or mitigate destruction, loss, alteration, disclosure or misuse of equipment used within the Services Environment, Data and Organisations assets, having regard to Good Industry Practice. This includes annual Penetration testing and the satisfactory completion of remedial actions identified following that testing.
31.8.2 All Data shall be appropriately backed up and stored in a secure facility which in line with industry practice would be off site.
31.8.3 PKB will ensure adequate business continuity services and disaster recovery services are in place and regularly tested. Evidence of this testing may be required as part of the Organisation’s due diligence.
31.8.4 PKB shall ensure that no-one, other than properly authorised Processor Personnel, has physical access to any servers in scope under this Contract or used to deliver the Services, including any servers located at PKB's facilities without formal documented approval from the Organisation.
31.8.5 In relation to PKB’s facilities, PKB shall, at a minimum, acquire, create, provide, manage and maintain mechanisms to prevent or mitigate destruction, loss, alteration, disclosure or misuse of Data, having regard to Good Industry Practice.
31.8.6 PKB will fully and regularly assess the physical security risk for all premises and ensure reasonable controls are in place to prevent inappropriate access as would be expected for the National Health Service.
31.8.7 Implement National Cyber Security Centre (NCSC) guidelines (e.g. Cyber Essentials) as agreed with the Controller so that assets are protected.
31.9 SECURITY AWARENESS
PKB shall ensure that all its Personnel working on the Organisations account are screened and security checked to an appropriate standard, trained in the Security Policy and any other requirements of this Contract, undertake annual training and are deemed competent to undertake processing activities and are individually accountable for their actions. All PKB Personnel shall, as at the commencement of the Services, be deemed to be appropriately screened and trained to a level befitting the UK health and care sector.
31.10 DOCUMENTATION AND RECORD PRESERVATION
31.10.1 PKB shall protect all Data held by its employees, agents or Processors in a physical form by adopting a “clear desk” policy in respect of such Data and disposing of such information securely by treating it as confidential waste.
31.10.2 PKB shall ensure that any documentation or records relating to the Services being disposed of by or on behalf of PKB are treated in an appropriate manner having regard to their confidentiality including, where appropriate, being securely destroyed or shredded prior to disposal.
31.10.3 PKB will classify the security of documentation and information to limit distribution and to ensure adequate controls are in place to protect more sensitive content.
32. SCHEDULE 4: SIGNATORIES
Party A
Patients Know Best Ltd
PATIENTS KNOW BEST LIMITED, a company limited by shares and registered in the United Kingdom with company registration number 06517382, whose registered office is at St John's Innovation Centre, Cowley Road, Cambridge CB4 0WS.
Executed by:
Mohammad Al-Ubaydli
Director
Ian Bastow
Director
____________________________
Party B
NAME OF ORGANISATION
NAME OF ORGANISATION, whose registered office is at Registered Office.
Executed by:
NAME OF SIGNATORY
TITLE OF SIGNATORY
Add Comment