This is an agreement between the following parties:
accuRx is a software application that consists of a range of products to support healthcare organisations. accuRx is used to communicate with and between Patients, healthcare and/or social care professionals involved in the Patient’s care.
The Healthcare Organisation is the Data Controller in respect of certain Personal Data & Special Categories of Personal Data and appoints accuRx Ltd as a Data Processor in relation to the provision of its Services agreed upon to process the data pertaining to Patients, healthcare or social care professionals involved in the Patient’s care.
In order to provide the Services, accuRx requires certain Personal Data & Special Categories of Personal Data to be made available by the Data Controller.
This Agreement regulates the provision and use of Personal Data, including Special categories of Personal Data, and ensures both accuRx and the Healthcare Organisation meet their obligations under the Data Protection Act 2018 and General Data Protection Regulation (GDPR).
The following words and phrases used in this Agreement, the Appendix or any Schedules shall have the following meanings except where the context otherwise requires:
the software service provided by AccuRx Ltd; this software consists of a range of products to support communication with and between healthcare organisations and their patients;
means information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous (e.g. through aggregation) in such a manner that the data subject is not or no longer identifiable;
means a Person or Organisation who determines the purposes for which, and the manner in which, any Personal Data are, or are to be processed, in the case of this Agreement, the Healthcare Organisation;
in relation to Personal Data, means any Person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller which in the case of this Agreement is accuRx;
means the General Data Protection Regulation, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any guidance or codes of practice issued by any Supervisory Authority (as defined in the GDPR) from time to time;
means an individual to whom Personal Data, including Special Categories of Personal Data, pertains;
means any person to whom the data are disclosed during the course of the data processing;
means the clinical system that holds the patient's electronic patient record, such as EMIS Web or TPP SystmOne;
means the patient’s medical record held by their registered GP. GP medical records include information about a patient’s medicine, allergies, vaccinations, previous illnesses and test results, hospital discharge summaries, appointment letters and referral letters;
is the healthcare and/or social care organisation providing direct care that uses accuRx Services to process data pertaining to Patients in their care;
means the Personal Demographics Service, the national electronic database of NHS patient details such as name, address, date of birth and NHS number;
recognised in law, that is to say individuals; organisations; and other incorporated and unincorporated bodies of persons;
means any information relating to an identified or identifiable natural Person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
means revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;
means the Services to be carried out by the Data Processor in order to provide AccuRx, and any other services that may from time to time be provided by the Data Processor, to the Data Controller.
This Agreement and its parts constitute written instructions of the Data Controller to the Data Processor to process personal data in the manner described in Schedule 1.
The Healthcare Organisation, the Data Controller, wishes to use AccuRx’s services and AccuRx has agreed to provide these services according to instructions in this Agreement.
AccuRx, the Data Processor, is a software application that consists of a range of products to support healthcare or social care organisations. AccuRx is used to communicate with and between Patients, healthcare and/or social care professionals involved in the Patient’s care.
This Agreement shall remain in full force and effect while the Healthcare Organisation continues to use the Services.
This Agreement is governed by and construed in accordance with the laws of England and Wales.
The Data Controller is responsible for the lawful basis for the processing of personal data, in particular with Schedule 1 of the Data Protection Act 2018.
The Data Controller must use AccuRx or another safe communications channel to communicate Personal Data and/or Special Categories of Personal Data to the Data Processor. The security of the channel used must correspond to the privacy risk involved.
The Data Controller must accept responsibility for use of content that it produces.
The Data Controller is responsible for the validity of any mobile numbers or emails entered by the Data Controller's staff.
The Data Controller must not rely on AccuRx for the communication of vital information. SMS messages should only be used to support and enhance communication. AccuRx provide no guarantees or assurances that SMS messages have been delivered or read by the recipient.
The instructions given by the Data Controller to the Data Processor in respect of the Personal Data/Special Categories of Personal Data disclosed to it by patients of the Data Controller or generated in respect of such patients shall at all times be in accordance with the laws of England and Wales.
The Data Controller must ensure that all data fields in AccuRx are correctly filled in and do not contain patient identifiable information where they are not supposed to.
The Data Controller, by entering into this Agreement, instructs the Data Processor to process the Personal Data/Special Categories of Personal Data on its behalf for the purpose of providing the Services, including the purpose of usage data reports in anonymised form.
The Data Controller, by entering into this Agreement, instructs the Data Processor to engage in reasonable monitoring of messages to prevent abuse, fraud or harm to patients through technical or user errors. This monitoring shall be proportionate and carried out through a person acting as a clinical lead.
Only process the Personal Data & Special Categories of Personal Data for the purpose of providing the Services and in accordance with the Data Controller’s instructions, unless the Data Processor is required to do otherwise by law.
Only process the Personal Data & Special Categories of Personal Data to the extent and in such a manner as is necessary for the provision of the Services.
Only process the Personal Data & Special Categories of Personal Data in compliance with the Data Protection Act 2018 and the GDPR.
Assist the Data Controller in providing subject access and allowing data subjects to exercise all their other rights under the GDPR. The response to all subject information and other GDPR requests that may be received from the data subjects shall be provided within 14 days. All such requests must be received by the Data Controller and all communication with the Data Subjects must be via the Data Controller. If any requests are received by the Data Processor, the Data Subject would normally be instructed to contact the Data Controller.
Implement appropriate technical and organisational measures to protect the Personal Data, and any other Confidential Information, against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and/or other Confidential Information. As a minimum all data shall be encrypted in transit (with HTTPS via TLS 1.2 or higher) and at rest via Transparent Data Encryption (TDE);
Assist the Data Controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches, and data protection impact assessments.
Make available to the Data Controller all information necessary to demonstrate compliance with the obligations according to Article 28 of the GDPR and to allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
Delete or return all personal data to the Data Controller, at the choice of the Data Controller, as requested at the point of termination of the Agreement.
Notify all Customers of any information security breach or incident that may compromise the Personal Data & Special Categories of Personal Data covered by this agreement without undue delay after becoming aware of any such incident, taking into consideration the statutory breach reporting requirements and deadlines. The Data Processor shall work with the Data Controller to carry out a risk assessment and allow them to oversee and assess any corrective action.
To maintain up-to-date compliance with the NHS Data Security and Protection Toolkit (DSPT). AccuRx’s published report can be found under organisation code 8JT17.
To ensure that people processing the data are subject to a duty of confidentiality.
To only use the sub-processors listed in Schedule 2 of this Agreement. Schedule 2 may be modified unilaterally by the Data Processor as long as this complies with the requirements of Article 32 of the GDPR and the rules on transfers to third countries. Such changes to sub-processors shall be made available to the Data Controller. Where the change includes the change or an addition of a sub-processor, the Data Controller shall be given the opportunity to object. Where this objection cannot be reconciled with the Service concept or technological requirements of the Data Processor, the Data Processor may terminate the Agreement with immediate effect.
Not to store or directly transfer the Personal Data/Special Categories of Personal Data outside of the EEA without appropriate safeguards. However, we draw your attention to the fact that:
Identity of the Data Controller and Data Processor
The Healthcare Organisation shall be the Data Controller and AccuRx Ltd shall be the Data Processor
Subject matter of the processing
To provide the Services.
The AccuRx software requires certain Personal Data & Special Categories of Personal Data to be made available by the Data Controller.
Duration of the processing
The duration of the processing will be the duration of this agreement.
Purposes and nature of the processing
The purposes of processing are health and social care purposes only.
For the purpose of processing above, the nature of the processing may include, but is not limited to:
Legal basis for processing
The Data Processor will process Personal Data for the purposes of the performance of the Agreement between the Data Controller and Data Processor.
The Data Controller will ensure that they have the lawful basis to instruct the Data Processor to Process any Personal Data under this Agreement.
Legal basis for processing
A third-party SMS gateway for the delivery of SMS messages
Secure cloud hosting in accordance with NHS Digital guidance
Host video consultations between healthcare and/or social care staff and their patients. See Appendix I for details.
We use SendGrid for sending emails that don't contain patient identifiable information [UK GDPR Compliant]
To gain remote access and support over the internet [UK GDPR compliant]
A messaging application for providing online user support [UK GDPR Compliant]
The video consultation service provided through the accuRx platform is hosted by Whereby who are compliant with GDPR and based in the European Economic Area (EEA). A unique URL to the video consultation is generated and all participants are visible in the consultation, no third party can 'listen in'. The video and audio communication of the video consultation is only visible to participants on the call, and is not recorded or stored on any server (not accuRx’s, not Whereby’s and not on any third party's servers).
All communication between participants’ devices and Whereby’s service is transmitted over an encrypted connection (secure web traffic using HTTPS and TLS or secure websocket traffic or secure WebRTC). The video consultation connection either:
In both cases, as long as the participants are using their devices in the European Economic Area, it is guaranteed that any data is hosted and processed within the EEA, in line with NHS best practice guidelines on health and social care cloud security.
The data collected about patients is limited to that necessary to provide the meeting room service, and includes:
Technical logs are purged after 90 days, sufficient to allow AccuRx as the Data Processor to assist the Data Controller to complete investigations into data protection or clinical safety incidents.
Whereby’s Data Processing Agreement (available on their Data Storage and Security page) details the commitments it makes to us when we contract with them as a sub-processor.
The Vaccine Solution provided through the accuRx platform enables Healthcare Organisations to work together to fulfil the Covid-19 vaccination Enhanced Service for NHS England. This requires them to work together with other practices in groups known as Primary Care Network Groupings ‘PCN Groupings’. As a condition of the Enhanced Service Specification published by NHS England, they must sign a Collaboration Agreement defined in the same Specification, which contains provision for data sharing necessary to carry out this service. The Collaboration Agreement document provides space for a Data Sharing Agreement between the practices. It is the Healthcare Organisation’s responsibility to ensure that they have a valid Collaboration Agreement in place.
The use of accuRx (and therefore agreement to its Terms and Conditions and this Data Processing Agreement) is a prerequisite for enabling the Vaccine Solution. This means that this Data Processing Agreement is in place with every Healthcare Organisation with access to the data processed in the Vaccine Solution for their PCN Grouping.
The Healthcare Organisations who enable the Vaccine Solution from accuRx are Data Controllers. In enabling the Vaccine Solution, the Data Controllers assure accuRx that they comply with the above requirements and have a valid Collaboration Agreement and Data Sharing Agreement in place, and comply with the Data Protection Act 2018 and all other relevant Data Protection legislation and standards.
For the avoidance of doubt, this Data Processing Agreement will also set out the limited instructions from Data Controller to accuRx as Data Processor should the Vaccine Solution be enabled.
The only patient information processed through the Vaccine Solution - and therefore accessible to other Organisations within the grouping - are those patients whose demographic information is uploaded by Healthcare Organisations. The Data Controller should therefore only upload patients who are eligible for the Covid-19 vaccination administered by their PCN Grouping.
The lead Healthcare Organisation for the PCN Grouping sets up the designated site (at which vaccinations are to be delivered) and associates other Healthcare Organisations in their PCN Grouping using their ODS codes. Each Healthcare Organisation (and therefore Data Controller) uploads the information about patients they wish to invite to vaccination at their PCN Grouping’s site.
The individual-level patient data processed in the booking solution is limited to:
User accounts for each of the Organisations in the PCN Grouping are able to access the individual patient data booked in for vaccination at the designated site.
For the personal data processed within the booking solution and displayed to the users at the designated site, accuRx remains the Data Processor for the practices collaborating as part of the PCN Grouping. Information about appointments booked in and appointment capacity may be extracted nightly from the solution and shared regularly with NHS Digital.
The documenting of vaccinations carried out at these appointments is expected to be captured in a separate system to accuRx, known as Pinnacle, and extracts shared onwards with NHS Digital under the terms of the Enhanced Service. accuRx’s booking solution does not process this vaccination event or adverse reaction information.