Joint Data Controller Agreement

 

Patients Know Best, 

of St John's Innovation Centre, Cowley Road Milton, Cambridge, CB4 0WS

–and – 

Providers 

(see Schedule 4 for a list of Provider parties to this arrangement) 

 

_______________________________________ 

JOINT CONTROLLER AGREEMENT 

_______________________________________

 

This Agreement is dated [ 31st OCTOBER ] 2022. 

1. Parties

  1. Patients Know Best (“PKB”); and 

  2.  

The Providers (listed in Schedule 4), (“Providers”), 

each a “Party” and together the “Parties”. 

2. BACKGROUND 

A. The Providers have partnered with PKB to provide patients with access to and some control of their health data. The PKB platform facilitates patient to access their health data contributed by the Providers and facilitates the patient to add information which may be viewed by their health and care providers and other people of their choosing. These Providers are all organisations with a legal duty to provide free at the point of delivery care to individuals (as part of the NHS), to which PKB supports the facilitation of this duty. 

B. Data received by PKB from the Providers, and prior to the patient accessing their health data, is here referred to as the Patient Record. PKB, the Providers are Joint Controllers for all personal data within the Patient Record

C. Where a Patient has activated access to their health data, any personal data entered by them but not viewed by a clinician is referred to as the Patient Account

D. Data entered by a Patient and viewed by a clinician becomes a part of the Patient Record

E. For the absence of doubt, PKB is solely the Controller for data within the Patient Account 

F. The Parties consider it necessary to use certain Personal Data between them to give effect to the objectives of the Processing and this Joint Controller Agreement (“Agreement”) sets out the framework for such use, including the principles and procedures that the Parties shall adhere to and the responsibilities the Parties owe to each other. 

3. DEFINITIONS AND INTERPRETATION 

3.1 Terms

Unless specifically provided for in this Agreement, the following terms shall have the following meanings: 

Term

Meaning

Term

Meaning

Agreed Purposes

has the meaning given in clause 7; 

Commencement Date

has the meaning given in clause5.1; 

Controller”, “Joint Controllers”, “Personal Data”, “Personal Data Breach”, “Processing(including “Process” and “Processed”), and Special Categories of Personal Data” 

have the meaning given in the DPA 2018; 

”Commissioning Contract” 

means the commercial arrangement between the Parties;

Data Protection Impact Assessment” 

means an assessment by a Controller of the impact of the envisaged Processing on the protection of Personal Data; 

Data Protection Law

means, for the periods in which they are in force in the United Kingdom, the DPA 2018, the GDPR, the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and all applicable laws and regulations relating to Processing of Personal Data and privacy; 

Data Subject” or “Patient” 

means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person in any PKB Data; 

Data Subject Request

means a request from a Data Subject under Data Protection Law in respect of PKB Data; 

DPA 2018

means the Data Protection Act 2018; 

GDPR

means the General Data Protection Regulation (Regulation (EU) 2016/679); 

ICO

means the Information Commissioner’s Office, which is the UK’s supervisory authority, as of the date of this Agreement, based at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; 

National Data Opt-Out” 

means the opt-out mechanism operated by the NHS that allows NHS patients to opt-out of the use of their data for research or planning purposes; 

Responsible Controller” 

has the meaning given in clause11.7;

Third Party Communication” 

has the meaning given in clause 11.5;

“PKB data”

means all personal data held on the PKB platform, both patient Record and Patient Account.

 

3.2 Rules of Interpretation

The following rules of interpretation apply to this Agreement: 

3.2.1 clause, Schedule, and paragraph headings shall not affect the interpretation of this Agreement. 
3.2.2 a person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality). 
3.2.3 the Schedules form part of this Agreement and shall have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Schedules; 
3.2.4 unless the context otherwise requires, words in the singular shall include the plural and, in the plural, shall include the singular; 
3.2.5 a reference to a statute, statutory provision or other legal instrument is a reference to it as amended, extended, or re-enacted from time to time; and 
3.2.6 any words following the terms including, include, in particular, for example, or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms. 

3.3 In the event and to the extent of a conflict between: 

3.3.1 the main body of this Agreement and the Schedules, except as expressly stated otherwise, the main body of this Agreement shall prevail to the extent of such conflict 

4. SCOPE AND APPLICATION 

4.1 Application of Agreement

This Agreement applies to the processing of Personal Data on the PKB Platform. Any reference in this Agreement to PKB Data shall be interpreted as a reference to any Personal Data held on the PKB Platform. 

4.2 Scope

For the purpose of Data Protection Laws, this Arrangement shall prevail in the event of a conflict with the Commissioning Contract and any other agreement between the Parties and PKB. 

5. COMMENCEMENT AND DURATION 

5.1 Commencement

This Agreement shall commence on the date set out at the top of it (the “Commencement Date”) and shall continue in accordance with its terms. 

6. PATIENT AND REGULATORY ENGAGEMENT 

6.1 Commencement of Processing

Prior to the commencement of Processing, in respect of the activities contemplated by this Agreement, the Parties shall cooperate with each other to: 

6.1.1 Patient Enagement

Conduct patient engagement activities to assist the Parties in considering the views of patients; and 

6.1.2 Supporting Materials

Develop supporting materials for the provision of information to patients regarding the Processing of PKB Data; 

6.1.3 Promotion

For a period of not less than eight weeks, promote by all reasonably available and effective communication channels with patients and the public the proposed processing activity, purpose, risks and expected benefits using a layered approach and notifying and explaining the right and process for opting out. 

6.2 Commencement of Processing Activity

Following the commencement of the processing activity, the Providers will continue to promote the proposed processing activity in accordance with their duty of transparency.

7. AGREED PURPOSES 

7.1 Process PKB Data

The Parties agree to only Process PKB Data under this Agreement for: 7.1.1 The provision of health and social treatment and care 

7.1.2 Provide the Platform

Provide a platform for patients to access and add to their PKB health record 7.1.3 Allow patients to determine which organisations can view their profile 7.1.4 Maintaining a patient level record for statutory period 

7.1.5 Maintain the Platform

The maintenance by PKB of the PKB platform and data held on it 

7.1.6 Other Agreed Purposes

[Add here other purpose agreed by the parties] 

each of the above, an “Agreed Purpose”. 

8. LAWFUL BASES FOR PROCESSING AND CLASSIFICATION OF PARTIES 

8.1 Lawful Basis for Each Party

The lawful bases for each Party’s Processing of Personal Data and the classification of the Parties for the purposes of Data Protection Law under this Agreement is set out in Schedule 2. 

9. Provider’s Responsibility for Patient-Facing Communications 

9.1 Generally 

9.1.1 Responsibility

Except where expressly stated in this Agreement or agreed by the Parties in writing, Providers shall be responsible for all communications with Data Subjects relating to PKB Data, including prior to the creation of the Patient Account: 

(a) the provision of information to Data Subjects in accordance with Article 13 and 14 of the GDPR; 

(b) responding to Data Subject Requests as set out in clause 9.2; 

(c) notifying Data Subjects of a Personal Data Breach where such notification is required by Data Protection Law. 

9.1.2 Exercise of Rights

Notwithstanding the above, each of the Parties acknowledges that a Data Subject may exercise its rights under Data Protection Law against and of the Parties in respect of PKB Data processed under this Agreement and nothing in this Agreement shall prevent either Party from complying with its obligations under Data Protection Law. 

9.2 Data Subject Requests 

9.2.1 Data Subject Request

If either Party receives a Data Subject Request related to PKB data: 

(a) it shall notify the other within five (5) Business Days of receiving the Data Subject Request; 

(b) Each Provider shall be responsible for responding to the Data Subject Request received by them; 

(c) PKB shall provide Providers with reasonable assistance in responding to the Data Subject Request including, taking into account the nature of the Processing, assisting Providers by appropriate technical and organisational measures, insofar as this is possible to respond to requests from Data Subjects exercising their rights under Data Protection Law; and 

(d) Providers shall keep PKB reasonably informed as to the status and resolution of the Data Subject Request. 

10. DATA MINIMISATION (INCLUDING OPT-OUT) AND PSEUDONYMISATION

10.1 Technical and Organisations Measures

Taking into the cost of implementation and the nature, scope, context and purposes of Processing as well as the risks of varying likelihood and severity for rights and freedoms of Data Subjects each Party shall implement appropriate technical and organisational measures, including pseudonymisation, to ensure that the use of Personal Data in relation to the processing is minimised. 

10.2 Before Data is Shared

Before any Personal Data is shared by the Providers with PKB, the Providers shall: 

10.2.1 Identify and Remove

identify and remove the Personal Data of any Data Subjects who have opted out of data being loaded to the PKB platform through a locally operated and promoted Opt-Out scheme; 

10.2.2 Data Minimisation

implement data minimisation measures as required by this clause 8 and as may be agreed by the Parties from time to time to ensure only approved data is loaded to the PKB platform; and 

10.3 Minimisation Review

Each Party shall periodically review data minimisation measures implemented in accordance with this clause 8, and may agree with the other Party further steps to be taken to ensure the minimisation of Personal Data within PKB Data as may be required by Data Protection Law and in any case no less than every three years. 

11. GENERAL OBLIGATIONS OF THE PARTIES 

11.1 Technical and Organisational Measures

Each Party shall implement appropriate technical and organisational measures to protect Personal Data against unauthorised or accidental access, loss, alteration, disclosure, destruction or other unauthorised or unlawful forms of Processing (such measures may include, where appropriate, the pseudonymisation and encryption of PKB Data and other measures referred to in Article 32(1) of the GDPR). 

11.2 Perfromance of Agreement

Each Party shall ensure that its personnel who have access to PKB Data for the performance of this Agreement are under an obligation of confidentiality and ensure that such access is limited to those individuals who need to know and access PKB Data . 

11.3 Data Breach

Upon becoming aware of a Personal Data Breach relating to PKB Data, each Party shall: 

11.3.1 Notify Without Undue Delay

notify the other Party in writing without undue delay, and in any event within forty-eight (48) hours, (such notification to include the provision of information as is required under Data Protection Law in respect of the Personal Data Breach); 

11.3.2 Inviestigate, Mitigate and Remediate

promptly take reasonable steps to investigate, mitigate and remediate the Personal Data Breach; and 

11.3.3 Assistance to Other Party

provide reasonable assistance to the other Party, in relation the other Party’s efforts to investigate, mitigate and remediate the Personal Data Breach. 

11.4 No Transfers

PKB shall not transfer PKB Data from the United Kingdom to another jurisdiction without the prior written approval of the Providers and without putting in place appropriate safeguards where required for compliance with Data Protection Law. 

11.5 Third-Party Communication

Each Party shall notify the other Parties in writing within five (5) Business Days if it receives a “Third Party Communication” including but not limited to: 

11.5.1 Authority Communication

any communication from the ICO or any other regulatory authority in connection with PKB Data or; 

11.5.2 Third-Party Disclosures

a request from any third party for disclosure of PKB Data where compliance with such request is required or purported to be required by Applicable Law, 

11.6 Reasonable Assistance

Each Party shall provide the other Party with reasonable assistance in responding to any Third Party Communication and shall work with the other Party to determine the most appropriate Controller to respond to any Third Party Communication (the “Responsible Controller”) provided that nothing in this Agreement shall prevent a Party from responding to a Third Party Communication to the extent required by Applicable Law. 

11.7 Keep Other Party Informed

The Responsible Controller shall keep the other Party informed as to the status of the resolution of any Third-Party Communication, and the Parties shall provide all such assistance to one another as may be reasonably requested in respect of the same. 

11.8 Data Protection Compliance

Each Party shall provide reasonable assistance to the other Party in ensuring compliance with its obligations under Data Protection Law taking into account the nature of the Processing for the purposes of this Agreement and the information available to it, including in respect of each Party’s obligations as set out in this Agreement relating to: 

11.8.1 security of Processing; 
11.8.2 notification of a Personal Data Breach to the ICO; 
11.8.3 communication of a Personal Data Breach to the affected Data Subjects; and
11.8.4 Data Protection Impact Assessments and any subsequent consultations with the ICO. 

11.9 Compliance with Agreement; Audits and Inspections

Each Party shall provide the other Party with such information as the other Party may reasonably request to demonstrate compliance with this Agreement, and if the requesting Party (acting reasonably) considers that such information does not demonstrate the other Party’s compliance with this Agreement, to allow for audits, including inspections, by the requesting Party or an auditor mandated by the requesting Party to verify the other Party’s compliance with this Agreement subject to: 

11.9.1 such audit or inspection being conducted during the other Party’s usual business hours and on reasonable advance notice; and 
11.9.2 the Party conducting the audit and any third-party auditor: 
11.9.3 using reasonable endeavours to minimise any disruption on the other Party’s business; and 
11.9.4 complying with any reasonable requirements imposed by the other Party to protect the safety, integrity and security of its premises and systems, and the confidentiality of the other Party’s or third-party confidential information. 

11.10 Bear Costs of Audit

Each Party shall bear its own costs of any audit or inspection under clause 11.9, unless the audit or inspection was conducted by an independent third party and such third party determines the audited Party has materially breached its obligations under this Agreement in which case the audited Party shall reimburse the auditing Party in respect of its reasonable and properly incurred costs of engaging such third party to conduct such audit or inspection. 

11.11 Agreement Review

The Parties shall keep this Agreement under review and either Party may request a change to this Agreement as may be reasonably required to comply with Data Protection Law. Upon receipt of such request from a Party, the Parties shall discuss and consider such request in good faith and do all things reasonably necessary to comply with Data Protection Law, including varying this Agreement or entering into any subsequent agreements. 

12. JOINT CONTROLLERS 

12.1 Common Objective

Each Party acknowledges and agrees that there is a common objective in respect of the Processing and are Joint Controllers for the purpose of Data Protection Law in respect of such Processing. 

12.2 Perform the Obligations

Each of the Parties shall perform the obligations allocated to it the table below following allocation of responsibilities in accordance with Article 26 of the GDPR: 

Compliance obligation Responsible Party

Publicise a contact point for Data Subjects to facilitate the exercise 

Providers

of their rights in relation to the Processing under this Agreement. 

Upon request, make available to Data Subjects a summary of the 

Providers and 

arrangement between the Parties under this Agreement, such 

PKB

summary to be in a form agreed by the Parties. 

Maintaining the PKB platform PKB

Supplying initial dataset on Data Subject Providers

Maintaining transparency material online to meet A13 and A14 

Providers and 

requirements 

PKB

13. USE OF PROCESSORS 

13.1 Where PKB uses a Processor to Process PKB Data, PKB shall: 

13.2 Provide Information Regarding Processor(s)

provide Providers with such information regarding such Processor as Providers may reasonably request. For clarity, PKB shall not be required to provide Providers with details of any commercial terms between PKB and any Processor; 

13.3 Article 28(3)

ensure that such Processing is subject to an agreement as required by Article 28(3) of the GDPR; and 

13.4 Transfers

where Providers has provided its prior written approval to the international transfer of PKB Data conduct such international transfer in accordance with Data Protection Law. 

14. COMBINATION WITH OTHER DATA 

14.1 Combine Data

Providers acknowledge and agree that PKB may combine Providers Data to external sources of health data (including other Trusts, patient inputted data and third-party application data) with the objective of increasing the quality and breadth of the PKB Data. 

15. DATA RETENTION AND DELETION 

15.1 Retention

The Parties shall not retain or Process PKB Data under this Agreement for longer than is necessary to carry out the Agreed Purposes. PKB will retain data for 8 years after the last access to the Patient Record by Providers. 

16. RECORDS 

16.1 ROPA

Each Party shall maintain such records as required by Data Protection Law in respect of its Processing of PKB Data and as may be reasonably necessary to demonstrate its compliance with this Agreement. 

17. REVIEW OF THIS AGREEMENT 

17.1 Review Effectiveness

The effectiveness of this Agreement shall be reviewed from time to time at such intervals as may be agreed by the Governance Committee, having consideration to the Permitted Purposes and whether any amendments may be necessary to this Agreement. This review will involve assessing whether: 

17.1.1 Agreement Update

this Agreement needs to be updated to comply with any amendments to Data Protection Law; and 

17.1.2 Handling Data Breaches

Personal Data Breaches have been handled in accordance with this Agreement where PKB Data are involved. 

18. WARRANTIES 

18.1 Each Party represents and warrants to the other Party that: 

18.1.1 Capacity

it has full capacity to enter into and perform this Agreement which has been duly executed by the required corporate action; 

18.1.2 Restrictions

entry into and performance of this Agreement does and will not violate or be subject to any restriction in or by any other agreement or obligation. 

18.2 No Infringement of Rights

the use of PKB Data as permitted by this Agreement does not infringe the rights of any third party. 

19. LIMITATION AND EXCLUSION OF LIABILITY 

19.1 Liability and Tort

Each Party’s liability arising out of or in connection with this Agreement, whether in contract, tort (including negligence) or otherwise shall be limited costs incurred by the other parties as a direct result of the negligence of the Party, including failure to comply with this Agreement 

19.2 Non-compliance Costs

Each Party is responsible for the cost of remedying any non-compliance with Data Protection Laws determined the responsibility of that Party by this Arrangement. Liability under this Arrangement for each Party is limited to that which arises from a breach of Data Protection Laws. 

19.3 Article 82

Any liability arising from processing activity undertaken under this Arrangement shall be determined by the roles and responsibilities of each Party in line with Article 82 of GDPR. 

20. TERMINATION 

20.1 Termination

Without affecting any other right or remedy available to it, either Party may terminate this Agreement with immediate effect by giving written notice to the other Party: 

20.1.1 Material Breach

if the other Party commits a material breach of this Agreement which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of ninety (90) days after being notified in writing to do so; 

20.1.2 Repeated Breaches

if the other Party repeatedly breaches any of the terms of this Agreement in such a manner as to reasonably justify the opinion that its conduct is inconsistent with it having the intention or ability to give effect to the terms of this Agreement; 

20.1.3 Insolvency Event

if the other Party is subject to an Insolvency Event; 

20.1.4 Change of Control

if there is a change of control of the other Party excluding any intra-group reorganisation (or similar) of such other Party; or 

20.1.5 in accordance with clause 21. 

20.2 Coterminous with Commercial Contract

If the Commissioning Contract terminates for any reason this Agreement shall terminate automatically at the same time as the effective date of termination of the Commissioning Contract without any further action required by either Party. 

20.3 Rights to Terminate

Each Party’s rights to terminate this Agreement set out in this clause 20 shall not affect any other right or remedy available to it including those arising under this Agreement prior to termination. 

21. CONSEQUENCES OF TERMINATION 

Upon termination or expiry of this Agreement: 

21.1 Deletion of PKB Record

PKB will permanently delete Patient Record data which has not been accessed by the Providers 

21.2 Return [data] to Provider

Return to the Providers a copy of Patient Record data which has been accessed by the Providers, after which it will be permanently deleted 

21.3 Retention of PKB Accounts

For the absence of doubt, Patient Accounts will be retained by PKB in accordance with their role and responsibilities as a Controller 

Termination or expiry of this Agreement shall not affect any rights, remedies, obligations or liabilities of the Parties that have accrued up to the date of termination or expiry, including the right to claim damages in respect of any breach of this Agreement which existed at or before the date of termination or expiry. 

22. FORCE MAJEURE 

22.1 Force Majeure

Non-performance or delay of either Party will be excused to the extent that performance is caused by any circumstance beyond Party’s reasonable control, including strike, fire, natural disaster, governmental acts, orders or restrictions, failure of suppliers or subcontractors. In such circumstances the affected Party shall be entitled to a reasonable extension of time for performance. If the period of non-performance or delay continues for ninety (90) days, the Party not affected may terminate this Agreement immediately on written notice to the affected Party. 

23. ASSIGNMENT AND OTHER DEALINGS 

23.1 Assignment or Transfer

Neither Party may assign or otherwise transfer any of its rights or obligations under this Agreement without the prior written approval of the other Party, except as expressly permitted by clause 23.2. 

23.2 Assignment with Written Approval

A Party may, upon written notice to the other Party and subject to the prior written approval of the other Party (such approval not to be unreasonably withheld or delayed), assign or otherwise transfer this Agreement to any of its affiliates or in connection with a change of control transaction (whether by merger, consolidation, sale of equity interests, sale of all or substantially all assets, or otherwise).

For clarity, where the assignment or transfer would give rise to a breach of obligations in relation to Data Protection Law or other Applicable Law or may already affect any research ethics approvals or would not be expected in accordance with the common law duty of confidentiality, such grounds shall amongst other matters be considered reasonable for refusing approval to such assignment or transfer. Any assignment or other transfer in violation of this clause will be void. 

23.3 Agreement Will be Binding

This Agreement will be binding upon and inure to the benefit of the Parties hereto and their permitted successors and assigns. 

24. VARIATION 

24.1 Variation

No variation of this Agreement shall be effective unless it is in writing and signed by the Parties. 

25. NOTICES 

25.1 Notices

All notices required or permitted under this Agreement and all requests for approvals, consents and waivers must be delivered by a method providing for proof of delivery. Any notice or request will be deemed to have been given on the date of delivery. Notices and requests must be delivered to the Parties at the addresses on the first page of this Agreement until a different address has been designated by notice to the other Party. 

26. SEVERANCE 

26.1 Severance

If any provision of this Agreement is found to be unenforceable, such provision will be deemed to be deleted or narrowly construed to such extent as is necessary to make it enforceable and this Agreement will otherwise remain in full force and effect. 

27. RELATIONSHIP OF THE PARTIES 

27.1 Relationship of the Parties

The Parties are and will be independent contractors and neither Party has any right, power, or authority to act or create any obligation on behalf of the other Party. 

28. RIGHTS AND REMEDIES 

28.1 Rights and Remedies

The rights and remedies provided under this Agreement are in addition to, and not exclusive of, any rights or remedies provided by law. 

29. WAIVER 

29.1 Waiver

No term or provision of this Agreement will be deemed waived and no breach will be deemed excused, unless such waiver is in writing and signed by the Party claimed to have waived. 

30. COUNTERPARTS 

30.1 Counterparts

This Agreement may be executed in counterparts (which may be exchanged by facsimile or .pdf copies), each of which will be deemed an original, but all of which together will constitute the same Agreement. 

31. THIRD-PARTY RIGHTS 

31.1 Third-Party Rights

This Agreement does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement. 

32. FURTHER ASSURANCE 

32.1 Further Assurance

Each Party shall use reasonable endeavours to procure that any necessary third party shall, promptly execute and deliver such documents and perform such acts as may reasonably be required for the purpose of giving full effect to this Agreement. 

33. COSTS 

33.1 Incurred Costs

Each Party shall pay its own costs incurred in connection with the negotiation, preparation, and execution of this Agreement. 

34. ENTIRE AGREEMENT 

34.1 Entire Agreement

This Agreement constitutes the entire agreement between the Parties and supersedes and extinguishes all previous drafts, agreements, arrangements, and understandings between them, whether written or oral, relating to its subject matter. 

34.2 Warranties

Each Party acknowledges that in entering into this Agreement it does not rely upon, and shall have no remedies in respect of, any representation or warranty (whether made innocently or negligently) that is not set out in this Agreement. No Party shall have any claim for innocent or negligent misrepresentation based on any statement in this Agreement. 

35. GOVERNING LAW AND DISPUTE RESOLUTION 

35.1 Governing law 

35.1.1 Dispute Resolution

This Agreement and all matters arising out of or in connection with it, including any Dispute and any dispute resolution procedure provided for in this Agreement, shall be governed by, and construed in accordance with, the law of England and Wales. 

35.2 Dispute resolution: 

35.2.1 In Accordance with Contract Terms

The Parties shall resolve any Disputes in accordance with the Commissioning Contract terms 

 


 

36. SCHEDULE 1:

DATA PROCESSING PARTICULARS 

 

1. PERSONAL DATA TO BE PROCESSED 

1.1 Processed Under This Agreement

This Schedule describes the types of PKB Data that may be Processed under this Agreement. The Parties may agree to amend the descriptions in this clause at any time with the approval of the Parties. 

1.2 Data Minimisation

For clarity, PKB Data Processed under this Agreement shall be subject to the data minimisation measures described in clause 7, including: 

1.2.1 Apply Minimisation Measures

Providers applying data minimisation measures prior to sharing any data with PKB; and 

1.2.2 Review Minimisation Measures

the Parties continue to review the data minimisation measures to ensure the minimisation of Personal Data within PKB Data as may be required by Data Protection Law. 

1.3 Data to be Processed

PKB Data to be Processed under this Agreement may include data from the following sources: 

Providers Electronic Patient Record (structured coded data only)

Patient Inputted Data

Third Party Partners and Integrations (for purposes of care provision)

1.4 Under 16’s

The inclusion of personal data of any natural person under the age of 16 should be considered on a case by case basis. 

 


 

37. SCHEDULE 2:

PROCESSING OPERATIONS 

 

2A PROCESSING OPERATION A 

Processing Operation: Maintaining Patient Account 

Performed by: PKB 

Classification of Parties: PKB – Sole Controller 

Lawful Bases for Processing: -Article 6(1)(f) and Article 9(2)(h) 

Specific Responsibilities for Parties: N/A as no Joint processing 

Compliance with Principles 

Principle 1 – Processing is lawful, fair and Transparent: 

Individuals are invited to create an account by their healthcare provider (who has commissioned PKB) where they are able to provide their own personal data. Where this is the case, PKB act as Sole Controller and as such provides the individual with transparency information when registering. 

Principle 2 – Collected for specific, explicit and legitimate purposes: 

Personal data processed by PKB within the patient account is only used for the purposes of providing that service to the individual to help the individual manage their health and care. It is not used for further purposes. 

Principle 3 – Adequate relevant and not excessive: 

This processing will only involve personal data provided by the patient themselves, and as such will be limited to the personal data provided by the patient. 

Principle 4 – Accurate and up to date: 

Given the personal data is provided by the patient, PKB will have no determination as to the accuracy of that data. However, this will be marked within the PKB system as patient-inputted data, so it will be clear to those accessing within the Patient Record (in the case it is transferred to the Patient Record). 

Principle 5 – Kept for no longer than is necessary: 

The Patient Account will be kept for up to 8 years after the last access date by Providers. Principle 6 – Processed securely 

PKB implement strong technical and organisational controls to maintain the integrity and confidentiality of this processing, including annual penetration testing, adherence to the Data Security and Protection Toolkit and a role-based training programme for all employees. 

 

2B PROCESSING OPERATION B 

Processing Operation: Maintaining Patient Record 

Performed by: PKB and Providers 

Classification of Parties: PKB and the Providers act as Joint Controllers 

Lawful Bases for Processing: 

Providers – Article 6(1)(e) and Article 9(2)(h) 

PKB - Article 6(1)(e) and Article 9(2)(h)/(g) 

Specific Responsibilities for Parties

PKB provide the platform 

PKB are responsible for providing security around the platform 

The Providers are responsible for the data quality of the personal data uploaded to PKB including ensuring the correct privacy labels are with the associated data 

The Providers are responsible for only providing access to those in the organisation who require it Principle 1 – Processing is lawful, fair and Transparent: 

Processing for the Patient Record is considered necessary in order to support the care of the individual and allows the individual to have more choice and engagement with regard to their health and care information. Providers will be responsible for informing individuals that PKB is the provider of their system, and that this allows patients to have access. 

Principle 2 – Collected for specific, explicit and legitimate purposes: 

Personal data processed within the Patient Record will only be used for the purposes of providing care to the individual in line with the original purpose of collection. 

Principle 3 – Adequate relevant and not excessive: 

The Providers are responsible for providing only relevant information to KB which will consist of structured data only. Confirmation of the dataset will be provided to PKB before any transfer of personal data. 

Principle 4 – Accurate and up to date: 

The personal data will be extracted directly from Providers electronic patient record to ensure only the most up to date available data is processed by PKB. This will be periodically updated to ensure the latest version of the record is available in PKB. 

Principle 5 – Kept for no longer than is necessary: 

The Patient Record will be kept for up to 8 years after the contract with Providers ends to maintain the integrity of the record. 

Principle 6 – Processed securely 

PKB implement strong technical and organisational controls to maintain the integrity and confidentiality of this processing, including annual penetration testing, adherence to the Data Security and Protection Toolkit and a role-based training programme for all employees. 

 


 

38. Schedule 3:

Security Controls 

 

1. SECURITY RESPONSIBILITIES 

1.1 Security Arrangements

PKB shall maintain appropriate information security arrangements for all forms of Data held in any format and expressed or relayed in any communication (oral or written) in a manner consistent with the principles of the most current version of the NHS Data Security and Protection Toolkit (DSPT) and ISO 27002 - Code of Practice for Information Security Management (with the principles of the DSPT prevailing in case of any conflict). In particular: 

1.1.1 Management Arrangements

PKB shall have management arrangements in place for the management of information security; 

1.1.2 DSPT Assessment

PKB shall comply with the DSPT assessment, reporting and audit requirements relevant to its organisation type; and 

1.1.3 Operational Risk

PKB shall have appropriate operational risk assessment and management processes in place for the identification, mitigation and management of operational security risks. 

1.1.4 Protection for Data

PKB shall ensure an appropriate level of protection for data at rest commensurate with the risks to rights and freedoms, including encryption to the latest available industry standard 

1.2 Article 32

PKB shall comply with the requirements of Article 32 of GDPR and ensure that all data is held and processed according to the risk attached to the category of data processed 

1.3 Information Security Policy

The Parties shall agree, and PKB shall have in place, an information security policy that is supported by appropriate organisational, security and technical security standards (the “Security Policy”). 

1.4 Proposed Changes to Security Policy

PKB shall propose changes to the Security Policy on an ongoing basis to reflect good industry practice or changes necessitated by any changes in applicable law. Material changes to the management of information relating to the Controller's business shall be agreed upon in writing by both parties, and the requirement for all such changes shall be promptly notified to the other party. 

1.5 Maintain Safeguards

PKB shall create, design, establish, provide, implement, manage and maintain safeguards (including security architecture) that reflect the Security Policy and shall ensure that any changes to the Security Policy from time to time are reflected in the secure environment provided to Controller as soon as practicable. 

1.6 Managing Security Risk

PKB shall be equally responsible for managing information security risk should the Data, or access to the Data, be made available to any third parties or Processors (as may be permitted elsewhere). Such engagements will be preceded by a satisfactory due diligence process, contractual documentation being signed, and the establishment of monitoring, auditing and incident handling procedures so that the Data is no less secure under the third party’s management. 

1.7 Secure File Transfer Protocols

PKB shall ensure that all transfers of the Data undertaken by it or on its behalf will be in accordance with Secure File Transfer Protocols within the Health and Social Care Network (HSCN) and/or in accordance with the NHS Digital Good Practice Guidelines (which are, as of the date of this Contract, published at Data security and information governance - NHS England Digital ). 

2. SECURITY MANAGEMENT 

2.1 Secure Technical Infrastructure

PKB shall plan, determine, create, implement, manage, review and maintain security control over the technology and physical storage infrastructure, and respond appropriately to security events. This includes the implementation of secure technical infrastructures, technologies and physical controls (including firewalls, encryption, authentication services and swipe access) appropriate to the UK public health sector. 

2.2 Secure Controls

PKB shall implement control, technologies and procedures to limit the risk of unauthorised access to the environment used to provide the Services (the "Services Environment") appropriate to the UK health and social care sector. 

2.3 Security Recommendations

PKB shall inform and make recommendations to the Providers if it becomes aware of any products, methods or services that would result in required improvements to the security procedures in operation. 

2.4 Good Practice

PKB shall create, acquire, provide, install, implement, manage and maintain any such improvements reasonably requested by the Providers that reflect Good Industry Practice. 

3. SECURITY ADMINISTRATION 

3.1 Security Changes

PKB shall track, coordinate, implement, manage and maintain all security changes across the Services Environment. 

3.2 Unauthorised Access

PKB shall limit the risk of unauthorised access to the Services Environment including content filtering to prevent objectionable material, virus protection, password controls and physical security. PKB shall have regard to the confidentiality and sensitivity contained within the Services Environment and shall ensure that measures applicable to the UK health and social care sector are in place to prevent unauthorised access. 

4. SECURITY AUDIT 

4.1 Assurance of Compliance

PKB shall provide to the Providers any information that the Providers reasonably require for the purpose of allowing the Providers to have the assurance of PKB’s compliance with the provisions of this Clause 4 within a reasonable time from the Provider’s request. PKB shall provide this information in such format as the Providers may reasonably require. 

5. NON-COMPLIANCE REPORTING 

5.1 Monitor Security Configurations

PKB shall monitor, on an ongoing basis, computer and network security configurations. 

5.2 Incidents of Non-compliance

PKB shall create and issue reports to the Providers on incidents of non-compliance with the Security Policy according to their severity within a reasonable time after such incidents occur. 

6. SYSTEM ACCESS CONTROL 

6.1 Provision of Access

PKB shall administer the provision of access to the Services Environment (by both the Provider’s Personnel and PKB's Personnel), Data and any other applicable data in accordance with Good Industry Practice. 

6.2 Restrict Access

PKB shall restrict access to the Services Environment to appropriately identify authenticated and authorised personnel and shall keep records of which personnel have access to the Services Environment and the reasons for such personnel being given such access. PKB shall also keep records of which personnel have accessed the Services Environment (including details of login and logout times). 

6.3 Restrict External Networks

PKB shall restrict user access to information and data held on external networks.

7. CRYPTOGRAPHY MANAGEMENT 

7.1 Encryption Methods

PKB shall ensure that Data is encrypted as appropriate in accordance with Good Industry Practice and the most current version of the Data Security and Protection Toolkit and ISO 27002 - Code of Practice for Information Security Management (with the principles of the Data Security and Protection Toolkit prevailing in case of any conflict). 

7.2 Encryption Management

PKB shall manage all processes and procedures pertaining to the administration of the encryption keys, including secure key storage, periodic changing of keys, destruction of old keys, and registration of keys with the appropriate authorities. 

8. ASSET PROTECTION 

8.1 Penetration Testing

PKB shall acquire, create, provide, manage and maintain mechanisms to prevent or mitigate the destruction, loss, alteration, disclosure or misuse of equipment used within the Services Environment, Data and Providers assets, having regard to Good Industry Practice. This includes annual Penetration testing and the satisfactory completion of remedial actions identified following that testing. 

8.2 Backups

All Data shall be appropriately backed up and stored in a secure facility which in line with industry practice would be off-site. 

8.3 Business Continuity

PKB will ensure adequate business continuity services and disaster recovery services are in place and regularly tested. Evidence of this testing may be required as part of the Provider’s due diligence. 

8.4 Physical Access

PKB shall ensure that no one, other than properly authorised Processor Personnel, has physical access to any servers in scope under this Contract or used to deliver the Services, including any servers located at PKB's facilities without formal documented approval from the Providers. 

8.5 Facilities

In relation to PKB’s facilities, PKB shall, at a minimum, acquire, create, provide, manage and maintain mechanisms to prevent or mitigate the destruction, loss, alteration, disclosure or misuse of Data, having regard to Good Industry Practice. 

8.6 Assess Physical Security

PKB will fully and regularly assess the physical security risk for all premises and ensure reasonable controls are in place to prevent inappropriate access as would be expected for the National Health Service. 

8.7 Implement National Guidelines

Implement National Cyber Security Centre (NCSC) guidelines (e.g. cyber essentials) as agreed with the Controller so that assets are protected. 

9. SECURITY AWARENESS 

9.1 Security Awareness and Training

PKB shall ensure that all its Personnel working on the Providers account are screened and security checked to an appropriate standard, trained in the Security Policy and any other requirements of this Contract, undertake annual training and are deemed competent to undertake processing activities and are individually accountable for their actions. All PKB Personnel shall, as at the commencement of the Services, be deemed to be appropriately screened and trained to a level befitting the UK health and care sector. 

10. DOCUMENTATION AND RECORD PRESERVATION 

10.1 Protection of Data

PKB shall protect all Data held by its employees, agents or Processors in a physical form by adopting a “clear desk” policy in respect of such Data and disposing of such information securely by treating it as confidential waste. 

10.2 Secure Disposal

PKB shall ensure that any documentation or records relating to the Services being disposed of by or on behalf of PKB are treated in an appropriate manner having regard to their confidentiality including, where appropriate, being securely destroyed or shredded prior to disposal. 

10.3 Security Classification

PKB will classify the security of documentation and information to limit distribution and to ensure adequate controls are in place to protect more sensitive content. 

 


39. Schedule 4:

Signatories to Joint Controller Arrangement 

 

  1. [Party A] 

  2. [Party B] 

  3. [Party C] 

  4. [Party D]