This Data Processing Agreement (“Agreement“) forms part of and is considered agreed upon signing of the Contract for Services between:
(the “Health Organisation”) acting as the “Data Controller” and
Capri Healthcare Ltd, 20 Widney Lane, Solihull, B91 3LS acting as the “Data Processor”) (together as the “Parties”)
(A) Health Organisation acts as a Data Controller.
(B) The health organisation wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.
(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
(D) The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
- Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1 “Agreement” means this Data Processing Agreement and all Schedules;
1.1.2 “health organisation Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of health organisation pursuant to or in connection with the Principal Agreement;
1.1.3 “Contracted Processor” means a Subprocessor;
1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
1.1.5 “EEA” means the European Economic Area;
1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679;
1.1.8 “Data Transfer” means:
126.96.36.199 a transfer of health organisation Personal Data from the health organisation to a Contracted Processor; or
188.8.131.52 an onward transfer of health organisation Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
1.1.9 “Services” means the healthcare services the health organisation provides.
1.1.10 “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the health organisation in connection with the Agreement.
1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
- Processing of Personal Data
2.1 Both the Health Organisation and the Data Processor shall comply with all applicable Data Protection Laws in the Processing of the Health Organisations Personal Data. The Personal Data that may be processed includes:
- Patient Name; Address; Postcode; Date of Birth; Sex; Gender; Racial/Ethnic Origin; NHS No.; Phone No.; Email Address and Health Data
- Health Organisation staff Name; Work Address; Phone No and Email Address
2.2 The Health Organisation instructs the Data Processor to process Personal Data where this is necessary to deliver the Services provided by the Data Processor.
2.3 The Data Processor shall not process Personal Data for other purposes other than on the relevant Health Organisations documented instructions.
2.4 The Data Processor shall process Personal Data for the duration of the Contract between the Health Organisation and the Data Processor and any subsequent Terms.
3.1 The Data Processor shall not appoint (or disclose any Personal Data to) any Subcontracted Processor unless authorised by the Health Organisation.
3.2 The Data Processor shall ensure that any Subcontracted Processor is required to meet equivalent terms to those set out in this Agreement and in particular shall ensure that any Subcontracted Processors provide adequate assurance that they have also implemented appropriate technical and organisational measures to ensure a level of security appropriate to the assessed risk, in particular the risk of a Personal Data Breach, as required by the GDPR.
3.3 The Data Processor currently has in place the following Subcontracted Processors, which the Health Organisation is deemed to have authorised when signing this Agreement, for the purpose of assisting the Processor with Processing of Personal Data.
Web Hosting, Storage and Email
Amazon Web Services
Web Hosting and Storage
Service Desk, Ticketing and Task Management
Documents and File Storage
Finance and accounting
TalkTalk, Virgin and Sky
- Processor Personnel
The Data Processor shall take reasonable steps to ensure the reliability of any employee, agent or subcontractor who may have access to Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Personal Data ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
5.1 The Data Processor shall ensure a level of security appropriate to the risk.
5.2 All Personal Data is encrypted to NHS encryption standards. All Personal Data is kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are Processed. If the Processing activity requires it the Data Processor can anonymise Personal Data.
5.3 The Data Processor has a number of internal policies that address the confidentiality, integrity, availability and resilience of Processing systems and Services including our network security policy. These policies are reviewed and updated regularly. The Data Processor is working towards achieving a satisfactory compliance level with the Data Security & Protection Toolkit to ensure NHS standards are met; the Personal Data is stored in a data centre which is ISO 27001 compliant and the Data Processor has achieved Cyber Essentials as specified by the NHS.
5.4 Data Processors internal policies are regularly reviewed and updated as necessary. A programme of maintenance is ongoing including regular penetration testing, risk assessment, system updates, access control audits, change control management, self-assessment and external assessment including Cyber Essentials.
- Data Subject Rights
6.1 The Data Processor shall assist the Health Organisation by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Health Organisations obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws.
6.2 The Data Processor shall promptly notify the Health Organisation if it receives a request from a Data Subject under any Data Protection Law in respect of Personal Data; and ensure that it does not respond to that request except on the documented instructions of the Health Organisation or as required by Applicable Laws to which the Data Processor is subject, in which case the Data Processor shall to the extent permitted by Applicable Laws inform the Health Organisation of that legal requirement before responding to the request.
- Personal Data Breach
7.1 The Data Processor shall notify the Health Organisation without undue delay upon becoming aware of a Personal Data Breach affecting the Personal Data, providing the Health Organisation with sufficient information to allow the Health Organisation to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2 The Data Processor shall co-operate with the Health Organisation and take reasonable commercial steps as are directed by the Health Organisation to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
- Data Protection Impact Assessment and Prior Consultation
The Data Processor shall provide reasonable assistance to the Health Organisation with any data protection impact assessments, and prior consultations with supervising authorities or other competent data privacy authorities, which the Health Organisation reasonably considers to be required.
- Deletion or return of Health Organisation Personal Data
9.1 The Data Processor shall at the choice of the Health Organisation, delete or return all the Personal Data to the Health Controller after the end of the provision of Services relating to Processing, and delete existing copies unless Union or Member State law requires the storage of the Personal Data.
- Audit rights
The Data Processor shall make available to the Health Organisation on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Health Organisation or an auditor mandated by the Health Organisation in relation to the Processing of the Health Organisations Personal Data. The Data Processor shall immediately inform the Health Organisation if, in its opinion, an instruction infringes this Regulation (Article 28 GDPR) or other Union Member State data protection provisions.
- Data Transfer outside of the EEA
The Data Processor may not transfer or authorize the transfer of Personal Data to countries outside the European Economic Area (EEA) without the prior written consent of the Health Organisation and any such agreed transfer shall meet the requirements specified in the GDPR.
12.1 Each Party must keep this Agreement and any information it receives about the other Party and its business in connection with this Agreement confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by law;
(b) the relevant information is already in the public domain.
- Data Retention
13.1 In accordance with the Records Management Code of Practice for Health and Social Care 2016 the Data Processor has adopted the following retention periods for Personal Data:
(a) 90 days for data backups
(b) 2 years for data held on the servers
14.1 All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement or at such other address as notified from time to time by the Parties in writing.