This is an agreement (“Data Processing Agreement”) between the following parties:
The following words and phrases used in this Agreement, the Appendix or any Schedules shall have the following meanings except where the context otherwise requires:
available on request;
means a natural or legal person or organisation who determines the purposes for which, and the manner in which, any Personal Data are, or are to be processed;
in relation to Personal Data, means any person (other than an employee of the Controller) who processes Personal Data on behalf of the Controller;
means the EU's General Data Protection Regulation (2016/679), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, the UK GDPR and any mandatory guidance or codes of practice issued by the UK's Information Commissioner's Office from time to time;
means an individual to whom Personal Data relates;
means the patient’s medical record held by their registered GP. GP medical records include, but are not limited to, information about a patient’s medicine, allergies, vaccinations, previous illnesses and test results, hospital discharge summaries, appointment letters and referral letters;
any information related to an identifiable natural person which can identify that individual, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;
means the provision of certain Software by Accurx to the Healthcare Organisation from time to time, including products currently offered and those offered in the future;
the software service provided by Accurx Ltd; this software consists of a range of products to support communication with and between healthcare organisations and their patients; and
has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the UK's Data Protection Act 2018
This Data Processing Agreement applies to all data processing activities undertaken by Accurx on behalf of the Healthcare Organisation, except those specific data processing activities within the scope of another agreement that both Accurx and the Healthcare Organisation are party to (such as the processing for services procured under the "NHS Digital Care Services Catalogue" suite of agreements).
This Data Processing Agreement constitutes the written instructions of the Healthcare Organisation to Accurx to process Personal Data in the manner described in the Schedule. Such instructions may be supplemented by the Healthcare Organisation from time to time if, for example, the Healthcare Organisation elects to use a new Service offering provided by Accurx or decides to no longer use a particular element of the Services.
This Data Processing Agreement shall remain in full force and effect for as long as the Healthcare Organisation continues to use the Services.
This Data Processing Agreement shall terminate automatically once the Healthcare Organisation no longer uses the Services.
This Data Processing Agreement is governed by and construed in accordance with the laws of England and Wales.
Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this Data Processing Agreement, or its subject matter or formation.
The Healthcare Organisation and Accurx acknowledge that, for the purpose of the Data Protection Legislation:
the Healthcare Organisation is the Controller and Accurx is the Processor;
the Healthcare Organisation retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the processing instructions it gives to Accurx.
The Healthcare Organisation warrants and represents that Accurx's processing of Personal Data as contemplated under this Data Processing Agreement will comply with the Data Protection Legislation.
The Healthcare Organisation acknowledges that:
it is responsible for ensuring its use of Accurx to communicate with Data Subjects is appropriate and complies with Data Protection Legislation; and
it must not use the Services in a manner which is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive.
The Schedule has been reviewed and approved by the Healthcare Organisation and sets out:
the types of Personal Data and categories of Data Subject whose Personal Data are Processed;
the categories of Processing carried out under this Data Processing Agreement; and
a description of the technical and organisational measures adopted by Accurx to protect the Personal Data.
Accurx shall create and maintain a register which includes the details set out in the Schedule, as well as each transfer of Personal Data to a territory outside of the UK and the European Economic Area and, where relevant, the documentation of suitable safeguards.
Accurx must only process the Personal Data to the extent, and in such a manner, as is necessary for the purpose of providing the Services and in accordance with the Healthcare Organisation's instructions. Accurx will not process the Personal Data in any other way or in a way that does not comply with this Data Processing Agreement or the Data Protection Legislation. Accurx will notify the Healthcare Organisation immediately if, in Accurx's opinion, the Healthcare Organisation's instructions infringe Data Protection Legislation.
Accurx must comply with any Healthcare Organisation instruction to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
Accurx must maintain the confidentiality of the Personal Data and not disclose the Personal Data to third parties, unless the Healthcare Organisation or this Data Processing Agreement specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Information Commissioner's Office). If a domestic law, court or regulator requires Accurx to process or disclose the Personal Data to a third party, Accurx must first inform the Healthcare Organisation of such legal or regulatory requirement and give the Healthcare Organisation an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.
Accurx must delete or return all Personal Data to the Healthcare Organisation, at the choice of the Healthcare Organisation, as requested at the point of termination of this Data Processing Agreement and shall provide confirmation that all copies of the Personal Data have been deleted within 90 days after termination of this Data Processing Agreement.
Accurx must, at no additional cost to the Healthcare Organisation, take such technical and organisational measures as may be appropriate, and promptly provide such information to the Healthcare Organisation as the Healthcare Organisation may reasonably require, to enable the Healthcare Organisation to comply with:
the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify, port and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data; and
information or assessment notices served on the Healthcare Organisation by the Information Commissioner's Office under the Data Protection Legislation.
Accurx must notify the Healthcare Organisation promptly in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.
Accurx must notify the Healthcare Organisation within 5 working days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation. Subject to clause 6.20, if Accurx receives a request or other correspondence from a Data Subject, and such communication relates to the Personal Data Accurx is processing on behalf of the Healthcare Organisation, Accurx shall be entitled to respond to the Data Subject directly, but only to the extent necessary to assist the Data Subject in raising their response directly with the Healthcare Organisation. The provisions of this clause requiring Accurx to notify the Healthcare Organisation do not apply in circumstances where Accurx is unable to identify which Healthcare Organisation the relevant Data Subject is linked to (such as where the only information Accurx has about that Data Subject following a communication from them is an email address or mobile phone number).
Accurx will give the Healthcare Organisation its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
Accurx must not disclose the Personal Data to any Data Subject or to a third party other than in accordance with the Healthcare Organisation's written instructions, this Data Processing Agreement, or as required by domestic law.
Accurx must at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display, or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure, or damage of Personal Data including, but not limited to, the security measures set out in the Schedule.
Accurx must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
the pseudonymisation and encryption of Personal Data;
the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
a process for regularly testing, assessing and evaluating the effectiveness of the security measures.
Accurx will reasonably assist the Healthcare Organisation with meeting the Healthcare Organisation's compliance obligations under the Data Protection Legislation, taking into account the nature of Accurx's processing and the information available to Accurx, including in relation to Data Subjects' rights, data protection impact assessments and reporting to and consulting with the Information Commissioner's Office under the Data Protection Legislation. Accurx shall appoint an individual within Accurx to act as a point of contact for any enquiries from the Healthcare Organisation relating to the Personal Data Accurx is processing on behalf of the Healthcare Organisation. They can be contacted at firstname.lastname@example.org.
Such assistance provided by Accurx under clause 6.12 may include:
the provision of all data reasonably requested by the Healthcare Organisation within the timescale reasonably specified by the Healthcare Organisation in each case, including full details and copies of any complaint, communication or request and any Personal Data it holds in relation to a Data Subject;
where applicable, providing such assistance as is reasonably requested by the Healthcare Organisation to enable them to comply with the relevant request within the Data Protection Legislation statutory timescales;
providing the Healthcare Organisation, at their request with any Personal Data it holds in relation to a Data Subject, such as may be required to assist the Healthcare Organisation to respond to a query from a Data Subject; and
assistance as requested by the Healthcare Organisation with respect to any request from a Supervisory Authority, or any consultation by the Healthcare Organisation with a Supervisory Authority (as such term is defined in the UK GDPR).
For assistance provided by Accurx in the preparation of any data protection impact assessment under clause 6.12, such assistance may include:
providing a systematic description of the envisaged processing operations and the purpose of the processing;
an assessment of the necessity and proportionality of the processing operations in relation to this Data Processing Agreement;
an assessment of the risks to the rights and freedoms of Data Subjects; and
describing the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
Accurx must permit the Healthcare Organisation and its third-party representatives to audit Accurx's compliance with its Data Processing Agreement obligations, on at least 30 days' notice. Accurx will give the Healthcare Organisation and its third-party representatives all necessary assistance to conduct such audits. The assistance may include, but is not limited to:
physical access (to the extent possible) to, remote electronic access to, and copies of the records and any other information held at Accurx's premises or on systems storing the Personal Data;
access to and meetings with any of Accurx's personnel reasonably necessary to provide all explanations and perform the audit effectively; and
inspection of all records and the infrastructure, electronic data or systems, facilities, equipment or application software used to process the Personal Data.
The notice requirements in clause 6.15 will not apply if the Healthcare Organisation reasonably believes that a Personal Data breach occurred or is occurring, or Accurx is in breach of any of its obligations under this Data Processing Agreement or any Data Protection Legislation.
Accurx must within 48 hours and in any event without undue delay notify the Healthcare Organisation if it becomes aware of:
the loss, unintended destruction or damage, corruption, or un-usability of part or all of the Personal Data. Accurx will use its reasonable endeavours to restore such Personal Data at its own expense as soon as possible;
any accidental, unauthorised, or unlawful processing of the Personal Data; or
any Personal Data breach.
Where the Provider becomes aware of any event within clauses 6.19.1 – 6.19.3 above it shall, without undue delay, also use its reasonable endeavours to provide the Healthcare Organisation with the following information:
description of the nature of the event, including the categories of in-scope Personal Data and approximate number of Data Subjects and the Personal Data records concerned;
the likely consequences; and
a description of the measures taken or proposed to be taken to address the incident, including measures to mitigate its possible adverse effects.
Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data breach, the parties will co-ordinate with each other to investigate the matter. Further, Accurx will reasonably co-operate with the Healthcare Organisation in the Healthcare Organisation's handling of the matter, including but not limited to:
assisting with any investigation;
providing the Healthcare Organisation with physical access (to the extent possible) to any facilities and operations affected;
facilitating interviews with Accurx's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Healthcare Organisation; and
taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data breach or accidental, unauthorised or unlawful Personal Data processing.
Accurx will not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data breach without first obtaining the Healthcare Organisation's written consent, except when required to do so by domestic law.
Accurx agrees that the Healthcare Organisation has the sole right to determine:
whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data breach to any Data Subjects, the Information Commissioner's Office, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Healthcare Organisation's discretion, including the contents and delivery method of the notice. Save that nothing in this clause shall prevent Accurx from making any notifications required to maintain any insurance cover, regulatory authorisations, or avoid being in contractual breach of any other agreement it has entered into; and
whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
Accurx must ensure that Accurx personnel processing the data on Accurx's behalf are subject to a duty of confidentiality ensuring in each case that access is strictly limited to those employees who need to access the relevant Personal Data, as strictly necessary to perform the Services in the context of that employee's duties to Accurx, ensuring that all such employees:
are aware of and comply with Accurx's duties under this Data Processing Agreement;
are informed of the confidential nature of the Personal Data and do not publish, disclose, or divulge any of the Personal Data to any third party unless directed in writing to do so by the Healthcare Organisation or as otherwise permitted by this Data Processing Agreement;
are subject to user authentication and log on processes when accessing the Personal Data; and
have undertaken appropriate training in relation to Data Protection Legislation and in the use, care, protection and handling of the Personal Data.
Accurx shall maintain up-to-date compliance with the NHS Data Security and Protection Toolkit (DSPT). Accurx's published report can be found under organisation code 8JT17.
The Healthcare Organisation gives Accurx a general written authorisation for the engagement of third-party sub-processors for the processing of Personal Data, subject to the terms of this Data Processing Agreement, Art. 32 of the UK GDPR, and the rules on transfers to third countries. The sub-processors currently used by Accurx are set out on Accurx's Sub-Processor Webpage.
Accurx shall carry out due diligence on each sub-processor to ensure that it is capable of providing the level of protection for the Personal Data as is required by this Data Processing Agreement. Accurx will include terms in the contract between Accurx and the sub-processor substantially similar to those set out in this Data Processing Agreement, and which are at a minimum compliant with the requirements of the Data Protection Legislation. Upon request, Accurx shall provide a copy of its agreements with sub-processors to the Healthcare Organisation (which may be redacted to remove confidential information not relevant to the requirements of this Data Processing Agreement).
Accurx will not change any sub-processor processing Personal Data under this Data Processing Agreement without first informing the Healthcare Organisation of any intended change concerning the addition or replacement of other processors by updating Accurx's Sub-Processor Webpage, thereby giving the Healthcare Organisation the opportunity to object to such changes. The Healthcare Organisation acknowledges that it is their responsibility to check regularly for any updates to Accurx's Sub-Processors, and that the Healthcare Organisation can subscribe to receive email updates by following the instructions on Accurx's Sub-Processor Webpage. Where an objection cannot be reconciled with the Service concept or technological requirements of Accurx, either party may terminate the applicable features of the Service with immediate effect.
The Healthcare Organisation approves the engagement of the entities listed at Accurx's Sub-Processor Webpage as sub-processors of Accurx for the processing of Personal Data. Accurx shall update the list of sub-processors at Accurx's Sub-Processor Webpage at least 10 days in advance of when a new sub-processor for the processing of Personal Data is engaged.
Where the sub-processor fails to fulfil its obligations under the written agreement with Accurx which contains terms substantially the same as those set out in this Data Processing Agreement, Accurx remains fully liable to the Healthcare Organisation for the sub-processor's performance of its agreement obligations.
The Healthcare Organisation consents to the Provider processing Personal Data outside the UK and/or the EEA provided that:
Accurx is processing the Personal Data in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals. Accurx must identify on Accurx's Sub-Processor Webpage the territory that is subject to such adequacy regulations; or
Accurx participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that Accurx (and, where appropriate, the Healthcare Organisation) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR. Accurx must identify on Accurx's Sub-Processor Webpage the transfer mechanism that enables the parties to comply with these cross-border data transfer provisions and Accurx must promptly inform the Healthcare Organisation of any change to that status; or
the transfer otherwise complies with the Data Protection Legislation.
Nothing in this Data Processing Agreement limits any liability which cannot legally be limited, including but not limited to liability for:
death or personal injury caused by negligence; and
fraud or fraudulent misrepresentation.
Subject to clause 8.1, Accurx's total liability to the Healthcare Organisation under this Data Processing Agreement shall not exceed £1,000,000 (one million pounds).
If the party entering into this Data Processing Agreement with Accurx is an integrated care board or similar body acting on behalf of one or more Healthcare Organisations ("Contracting Authority"), the Contracting Authority represents that it is duly authorised to enter into this Data Processing Agreement on behalf of the Healthcare Organisations it represents and that such Healthcare Organisations will be bound by this Data Processing Agreement as if they were direct signatories to it.
Subject matter of the processing
To provide the Services (Accurx's patient communication and engagement platform), as adopted by the Healthcare Organisation from time to time.
Duration of the processing
The duration of this Data Processing Agreement.
Purposes and nature of the processing
The purposes and nature of the processing includes:
Type of personal data
Personal Data (relating to patients of the Data Controller):
Personal Data (relating to healthcare and/or social care professionals):
Sensitive Personal Data
Security Measures adopted by Accurx
As set out Accurx's Data Security Webpage
As set out on Accurx's Sub-Processor Webpage