Data Processing Agreement

The following words and phrases used in this Agreement, the Appendix or any Schedules shall have the following meanings except where the context otherwise requires:

accuRx

the software service provided by AccuRx Ltd; this software consists of a range ofproducts to support communication with and between healthcare organisationsand their patients;

Anonymised data

means information which does not relate to an identified or identifiable naturalperson or to personal data rendered anonymous (e.g. through aggregation) insuch a manner that the data subject is not or no longer identifiable;

Data Controller

means a Person or Organisation who determines the purposes for which, and the manner in which, any Personal Data are, or are to be processed, in the case of this Agreement, the Healthcare Organisation;

Data Processor

in relation to Personal Data, means any Person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller which in the case of this Agreement is accuRx;

Data Subject

means an individual to whom Personal Data, including Special Categories of Personal Data, pertains;

Data Recipient

means any person to whom the data are disclosed during the course of the data processing;

Electronic Patient Record System (EPR)

means the clinical system that holds the patient's electronic patient record, such as EMIS Web or TPP SystmOne;

The GDPR

means the General Data Protection Regulations (EU) 2016/679, a regulation in EU law on data protection and privacy for all individuals within the European Union;

GP Medical Record

means the patient’s medical record held by their registered GP. GP medical records include information about a patient’s medicine, allergies, vaccinations, previous illnesses and test results, hospital discharge summaries, appointment letters and referral letters;

Healthcare Organisation

is the healthcare and/or social care organisation providing direct care that uses accuRx Services to process data pertaining to Patients in their care;

PDS

means the Personal Demographics Service, the national electronic database of NHS patient details such as name, address, date of birth and NHS number;

Person

recognised in law, that is to say individuals; organisations; and other corporated and unincorporated bodies of persons;

Personal Data

means any information relating to an identified or identifiable natural Person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Special Categories of Personal Data

means revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;

Services

means the Services to be carried out by the Data Processor in order toprovide AccuRx, and any other services that may from time to time be provided bythe Data Processor, to the Data Controller.

This Agreement and its parts constitute written instructions of the Data Controller to the Data Processor to process personal data in the manner described in Schedule 1.

The Healthcare Organisation, the Data Controller, wishes to use AccuRx’s services and AccuRx has agreed to provide these services according to instructions in this Agreement.

AccuRx, the Data Processor, is a software application that consists of a range of products to support healthcare or social care organisations. AccuRx is used to communicate with and between Patients, healthcare and/or social care professionals involved in the Patient’s care.

This Agreement shall remain in full force and effect while the Healthcare Organisation continues to use the Services.

This Agreement is governed by and construed in accordance with the law of the United Kingdom

The Data Controller is responsible for the lawful basis for the processing of personal data, in particular with Schedule 1 of the Data Protection Act 2018.

The Data Controller must use AccuRx or another safe communications channel to communicate Personal Data and/or Special Categories of Personal Data to the Data Processor. The security of the channel used must correspond to the privacy risk involved.

The Data Controller must accept responsibility for use of content that it produces.

The Data Controller is responsible for the validity of any mobile numbers or emails entered by the Data Controller's staff.

The Data Controller must not rely on AccuRx for the communication of vital information. SMS messages should only be used to support and enhance communication. AccuRx provide no guarantees or assurances that SMS messages have been delivered or read by the recipient.

The instructions given by the Data Controller to the Data Processor in respect of the Personal Data/Special Categories of Personal Data disclosed to it by patients of the Data Controller or generated in respect of such patients shall at all times be in accordance with the laws of the United Kingdom.

The Data Controller must ensure that all data fields in AccuRx are correctly filled in and do not contain patient identifiable information where they are not supposed to.

The Data Controller, by entering into this Agreement, instructs the Data Processor to process the Personal Data/Special Categories of Personal Data on its behalf for the purpose of providing the Services, including the purpose of usage data reports in anonymised form.

The Data Controller, by entering into this Agreement, instructs the Data Processor to engage in reasonable monitoring of messages to prevent abuse, fraud or harm to patients through technical or user errors. This monitoring shall be proportionate and carried out through a person acting as a clinical lead.

Only process the Personal Data & Special Categories of Personal Data for the purpose of providing the Services and in accordance with the Data Controller’s instructions.

Only process the Personal Data & Special Categories of Personal Data only to the extent and in such a manner as is necessary for the provision of the services.

Only process the Personal Data & Special Categories of Personal Data in compliance with the Data Protection Act 2018 and the GDPR.

Assist the Data Controller in providing subject access and allowing data subjects to exercise all their other rights under the GDPR. The response to all subject information and other GDPR requests that may be received from the data subjects shall be provided within 14 days. All such requests must be received by the Data Controller and all communication with the Data Subjects must be via the Data Controller. If any requests are received by the Data Processor, the Data Subject would normally be instructed to contact the Data Controller.

Implement appropriate technical and organisational measures to protect the Personal Data, and any other Confidential Information, against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and/or other Confidential Information. As a minimum all data shall be encrypted in transit (with HTTPS via TLS 1.2 or higher) and at rest via Transparent Data Encryption (TDE);

Assist the Data Controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches, and data protection impact assessments.

Make available to the Data Controller all information necessary to demonstrate compliance with the obligations according to Article 28 of the GDPR and to allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.

Delete or return all personal data to the Data Controller, at the choice of the Data Controller, as requested at the point of termination of the Agreement.

Notify all Customers of any information security breach or incident that may compromise the Personal Data & Special Categories of Personal Data covered by this agreement without undue delay after becoming aware of any such incident, taking into consideration the statutory breach reporting requirements and deadlines. The Data Processor shall work with the Data Controller to carry out a risk assessment and allow them to oversee and assess any corrective action.

To maintain up-to-date compliance with the NHS Data Security and Protection Toolkit (DSPT). 5
AccuRx’s published report can be found under organisation code 8JT17.

To ensure that people processing the data are subject to a duty of confidentiality.

To only use the sub-processors listed in Schedule 2 of this Agreement. Schedule 2 may be modified unilaterally by the Data Processor as long as this complies with the requirements of Article 32 of the GDPR and the rules on transfers to third countries. Such changes to sub-processors shall be made available to the Data Controller. Where the change includes the change or an addition of a sub-processor, the Data Controller shall be given the opportunity to object. Where this objection cannot be reconciled with the Service concept or technological requirements of the Data Processor, the Data Processor may terminate the Agreement with immediate effect.

Not to store or directly transfer the Personal Data/Special Categories of Personal Data outside of the EEA without appropriate safeguards. However, we draw your attention to the fact that that: