Security & Privacy

Data Processing Agreement

Download as PDF
Our current Data Processing Agreement will be replaced with the following version effective as of 13 September 2021. This update is to reflect upcoming products and deliver even more trust for users.


This is an agreement (“Data Processing Agreement”) between the following parties:

the healthcare and/or social care organisation that uses accuRx's Services to process datapertaining to patients (the "Healthcare Organisation"); and

accuRx Ltd, whose registered office is at 27 Downham Road, London, N1 5AA (CompanyRegistration Number: 10184077; ICO Registration Number: ZA202115; DSP ToolkitOrganisation Code: 8JT17) ("accuRx").


accuRx is a software application that consists of a range of products to support healthcare organisations. accuRx is used to communicate with and between Patients, healthcare and/or social care professionals involved in the Patient’s care.

The Healthcare Organisation is the Data Controller in respect of certain Personal Data & Special Categories of Personal Data and appoints accuRx Ltd as a Data Processor in relation to the provision of its Services agreed upon to process the data pertaining to Patients, healthcare or social care professionals involved in the Patient’s care.

In order to provide the Services, accuRx requires certain Personal Data & Special Categories of Personal Data to be made available by the Data Controller.

This Agreement regulates the provision and use of Personal Data, including Special categories of Personal Data, and ensures both accuRx and the Healthcare Organisation meet their obligations under the Data Protection Act 2018 and General Data Protection Regulation (GDPR).

1 Definitions and interpretations

The following words and phrases used in this Agreement, the Appendix or any Schedules shall have the following meanings except where the context otherwise requires:


the software service provided by AccuRx Ltd; this software consists of a range of products to support communication with and between healthcare organisations and their patients;

Anonymised data

means information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous (e.g. through aggregation) insuch a manner that the data subject is not or no longer identifiable;

Data Controller

means a Person or Organisation who determines the purposes for which, and the manner in which, any Personal Data are, or are to be processed, in the case of this Agreement, the Healthcare Organisation;

Data Processor

in relation to Personal Data, means any Person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller which in the case of this Agreement is accuRx;

Data Protection Legislation

means the General Data Protection Regulation, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any guidance or codes of practice issued by any Supervisory Authority (as defined in the GDPR) from time to time;

Data Subject

means an individual to whom Personal Data, including Special Categories of Personal Data, pertains;

Data Recipient

means any person to whom the data are disclosed during the course of the data processing;

Electronic Patient Record System (EPR)

means the clinical system that holds the patient's electronic patient record, such as EMIS Web or TPP SystmOne;

GP Medical Record

means the patient’s medical record held by their registered GP. GP medical records include information about a patient’s medicine, allergies, vaccinations, previous illnesses and test results, hospital discharge summaries, appointment letters and referral letters;

Healthcare Organisation

is the healthcare and/or social care organisation providing direct care that uses accuRx Services to process data pertaining to Patients in their care;


means the Personal Demographics Service, the national electronic database of NHS patient details such as name, address, date of birth and NHS number;


recognised in law, that is to say individuals; organisations; and other corporated and unincorporated bodies of persons;

Personal Data

means any information relating to an identified or identifiable natural Person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Special Categories of Personal Data

means revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;


means the Services to be carried out by the Data Processor in order toprovide AccuRx, and any other services that may from time to time be provided bythe Data Processor, to the Data Controller.

2. The Agreement


This Agreement and its parts constitute written instructions of the Data Controller to the Data Processor to process personal data in the manner described in Schedule 1.


The Healthcare Organisation, the Data Controller, wishes to use AccuRx’s services and AccuRx has agreed to provide these services according to instructions in this Agreement.


AccuRx, the Data Processor, is a software application that consists of a range of products to support healthcare or social care organisations. AccuRx is used to communicate with and between Patients, healthcare and/or social care professionals involved in the Patient’s care.

3. Duration and termination


This Agreement shall remain in full force and effect while the Healthcare Organisationcontinues to use the Services.

4. Governing law


This Agreement is governed by and construed in accordance with the laws of England and Wales.

5. Obligations of the Data Controller


The Data Controller is responsible for the lawful basis for the processing of personal data, in particular with Schedule 1 of the Data Protection Act 2018.


The Data Controller must use AccuRx or another safe communications channel to communicate Personal Data and/or Special Categories of Personal Data to the Data Processor. The security of the channel used must correspond to the privacy risk involved.


The Data Controller must accept responsibility for use of content that it produces.


The Data Controller is responsible for the validity of any mobile numbers or emails entered by the Data Controller's staff.


The Data Controller must not rely on AccuRx for the communication of vital information. SMS messages
should only be used to support and enhance communication. AccuRx provide no guarantees or assurances that SMS messages have been delivered or read by the recipient.


The instructions given by the Data Controller to the Data Processor in respect of the Personal Data/Special Categories of Personal Data disclosed to it by patients of the Data Controller or generated in respect of such patients shall at all times be in accordance with the laws of England and Wales.


The Data Controller must ensure that all data fields in AccuRx are correctly filled in and do not contain patient identifiable information where they are not supposed to.


The Data Controller, by entering into this Agreement, instructs the Data Processor to process the Personal Data/Special Categories of Personal Data on its behalf for the purpose of providing the Services, including the purpose of usage data reports in anonymised form.


The Data Controller, by entering into this Agreement, instructs the Data Processor to engage in reasonable monitoring of messages to prevent abuse, fraud or harm to patients through technical or user errors. This monitoring shall be proportionate and carried out through a person acting as a clinical lead.

6. Obligations of the Data Processor


Data Processing

Only process the Personal Data & Special Categories of Personal Data for the purpose of providing the Services and in accordance with the Data Controller’s instructions, unless the Data Processor is required to do otherwise by law.


Only process the Personal Data & Special Categories of Personal Data only to the extent and in such a manner as is necessary for the provision of the services.


Only process the Personal Data & Special Categories of Personal Data in compliance with the Data Protection Act 2018 and the GDPR.

Rights of the data subject


Assist the Data Controller in providing subject access and allowing data subjects to exercise all their other rights under the GDPR. The response to all subject information and other GDPR requests that may be received from the data subjects shall be provided within 14 days. All such requests must be received by the Data Controller and all communication with the Data Subjects must be via the Data Controller. If any requests are received by the Data Processor, the Data Subject would normally be instructed to contact the Data Controller.

Security Measures


Implement appropriate technical and organisational measures to protect the Personal Data,
and any other Confidential Information, against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and/or other Confidential Information. As a minimum all data shall be encrypted in transit (with HTTPS via TLS 1.2 or higher) and at rest via Transparent Data Encryption (TDE);



Assist the Data Controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches, and data protection impact assessments.


Make available to the Data Controller all information necessary to demonstrate compliance with the obligations according to Article 28 of the GDPR and to allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.


Delete or return all personal data to the Data Controller, at the choice of the Data Controller, as requested at the point of termination of the Agreement.


Notify all Customers of any information security breach or incident that may compromise the Personal Data & Special Categories of Personal Data covered by this agreement without undue delay after becoming aware of any such incident, taking into consideration the statutory breach reporting requirements and deadlines. The Data Processor shall work with the Data Controller to carry out a risk assessment and allow them to oversee and assess any corrective action.


To maintain up-to-date compliance with the NHS Data Security and Protection Toolkit (DSPT). AccuRx’s
published report can be found under organisation code 8JT17.



To ensure that people processing the data are subject to a duty of confidentiality.



To only use the sub-processors listed in Schedule 2 of this Agreement. Schedule 2 may be modified unilaterally by the Data Processor as long as this complies with the requirements of Article 32 of the GDPR and the rules on transfers to third countries. Such changes to sub-processors shall be made available to the Data Controller. Where the change includes the change or an addition of a sub-processor, the Data Controller shall be given the opportunity to object. Where this objection cannot be reconciled with the Service concept or technological requirements of the Data Processor, the Data Processor may terminate the Agreement with immediate effect.


Not to store or directly transfer the Personal Data/Special Categories of Personal Data outside of the EEA without appropriate safeguards. However, we draw your attention to the fact that that:
If either party to a communication (AccuRx users that send them, and their Patients) uses a device outside the EEA, then it may result in data being processed outside of the EEA.

                         Schedule 1 - Processing, Personal Data and Data Subjects



Identity of the Data Controller and Data Processor

The Healthcare Organisation shall be the Data Controller and AccuRx Ltd shall be the Data Processor

Subject matter of the processing

To provide the Services.
The AccuRx software requires certain Personal Data & Special Categories of Personal Data to be made available by the Data Controller.

Duration of the processing

The duration of the processing will be the duration of this agreement.

Purposes and nature of the processing

The purposes of processing are health and social care purposes only.

For the purpose of processing above, the nature of the processing may include, but is not limited to:

  • Communication between patients, healthcare and/or social care professionals, via SMS, email, or other electronic communication, which may include images or documents
  • Sending links to surveys for patients to complete regarding their care.
  • Video and audio communication for the purposes of video consultation, as outlined in Appendix 1.
  • Healthcare and/or social care professionals using AccuRx may disclose patient data to the Data Processor when receiving technical support and from time to time the Data Processor’s Technical Team may have access to patient data when they are fixing a technical issue for example via remote support, which may include screen sharing.
  • Compilation of anonymised statistics about the use of Data Processor’s platform, such as the use of its functions by its users in communication with patients. These statistics may be used for the Data Processor’s own analytics and improvement purposes. The Data Processor may also share these anonymised statistics publicly or with third parties. These third parties include:
  • partners of the Data Processor, including commercial organisations, charities and academic institutions.
  • local NHS bodies, including CCGs and Primary Care Networks;
  • national bodies, including NHS Digital, NHS England, and relevant government departments;
  • In exceptional circumstances, the Data Processor may send a message to patients directly. For example in the event that the Data Controller has cancelled its agreement for accuRx but patients remain using live Services, the Data Processor may text the patients to ask them to contact the Healthcare and/or Social Care Organisation for advice regarding next steps, prior to deleting or returning all the data according to Data Controller’s instructions.
  • Where applicable (in the case of a commercial agreement), the Data Processor may process personal data about the use of the platform and its features by the Data Controller’s employees to determine billing amounts in line with such agreements.
  • Where applicable (in the case of an agreement to provide services), and upon use of the relevant software service, the Data Processor will process the Data Controller’s patient and user data to provide an appointment management, invitation and booking service to Healthcare Providers part of delivering the Covid-19 vaccination, as described in Appendix 2.

Legal basis for processing

The Data Processor will process Personal Data for the purposes of the performance of the Agreement between the Data Controller and Data Processor.

The Data Controller will ensure that they have the lawful basis to instruct the Data Processor to Process any Personal Data under this Agreement.

Type of personal data

Personal Data (relating to patients of the Data Controller):

  • Patient demographic details (name; date of birth; gender)
  • NHS number
  • Mobile phone number
  • Email address

Personal Data (relating to healthcare and/or social care professionals):

  • Name
  • Email address
  • Mobile phone number
  • Affiliated organisations
  • Job role

Sensitive Personal Data

  • Content of the communications with – or regarding - patients sent via AccuRx (which may include patient images or documents and contain data concerning health).
  • Other types of data (which may include contents of the patient’s GP medical record and data concerning health that may from time to time be required to provide the Services).

                         Schedule 2 - Sub-Processors



Entity country (processing locations if different)

Contact info available in PDF download above

The Data Processor uses the following sub-processors as integral parts of the software platform:
Firetext Communications Ltd.

A third-party SMS gateway for the delivery of SMS messages

BT Ltd.

A third-party SMS gateway for the delivery of SMS messages

Microsoft Azure

Secure cloud hosting in accordance with NHS Digital guidance


Process communications between healthcare and/or social care organisations

Process communications between healthcare and/or social care organisations

Whereby Ltd.

Host video consultations betweenhealthcare and/or social care staff andtheir patients. See Appendix I for details.


We use SendGrid for sending emails that don't contain patient identifiable information [UK GDPR Compliant]

To provide support and communicate with its users, the Data Processor uses:
TeamViewer UK Ltd.

To gain remote access and support over the internet [UK GDPR compliant]


As a CRM solution [UK GDPR Compliant]

Intercom UK Ltd.

A messaging application for providing online user support [UK GDPR Compliant]



The video consultation service provided through the accuRx platform is hosted by Whereby who are compliant with GDPR and based in the European Economic Area (EEA). A unique URL to the video consultation is generated and all participants are visible in the consultation, no third party can 'listen in'. The video and audio communication of the video consultation is only visible to participants on the call, and is not recorded or stored on any server (not accuRx’s, not Whereby’s and not on any third party's servers).

All communication between participants’ devices and Whereby’s service is transmitted over an encrypted connection (secure web traffic using HTTPS and TLS or secure websocket traffic or secure WebRTC). The video consultation connection either:

  • connects participants to one another, relaying the encrypted data content through Whereby’s TURN server, where it is not retained beyond this relay operation; or
  • connects devices using ‘peer-to-peer’ connections between devices.

In both cases, as long as the participants are using their devices in the European Economic Area, it is guaranteed that any data is hosted and processed within the EEA, in line with NHS best practice guidelines on health and social care cloud security.

The data collected about patients is limited to that necessary to provide the meeting room service, and includes:

  • Display name (if enabled and the user chooses to set one)
  • Video meeting URL accessed
  • Technical logs - information will be recorded in technical logs when the service is used. These logs will contain information such as, but not restricted to
  • IP address
  • Time of registered actions
  • Browser type and version

Technical logs are purged after 90 days, sufficient to allow AccuRx as the Data Processor to assist the Data Controller to complete investigations into data protection or clinical safety incidents.

Whereby’s Data Processing Agreement (available on their Data Storage and Security page) details the commitments it makes to us when we contract with them as a sub-processor.


The Vaccine Solutions provided through the accuRx platform enable Healthcare Organisations to work together to deliver Covid-19 vaccination services. The use of accuRx and agreement to its Terms and Conditions and this Data Processing Agreement is a prerequisite for enabling the Vaccine Solution.

Covid-19 vaccination services can include fulfilling the Covid-19 vaccination Enhanced Service for NHS England. This requires them to work together with other Healthcare Organisations in groups known as Primary Care Network Groupings (‘PCN Groupings’). As a condition of the Enhanced Service Specification: COVID-19 vaccination programme 2020/21 published by NHS England, Healthcare Organisations must sign a Collaboration Agreement containing provision for data sharing necessary to carry out the Enhanced Service. The Healthcare Organisations who use the vaccine solution(s) are Data Controllers for any personal information that they upload or access through the solution. It is the Healthcare Organisation’s responsibility to ensure that they have a valid Collaboration Agreement or alternative arrangements (where they are not delivering the Enhanced Service) for data sharing in place. 

By enabling the Vaccine Solution, Data Controllers are confirming to accuRx that they comply with: the above requirements; have a valid Collaboration Agreement or Data Sharing Agreement in place; the Data Protection Act 2018; and, all other relevant Data Protection legislation and standards. 

For the avoidance of any doubt that the data processing necessary for an Organisation to use accuBook is covered by a valid agreement, this Data Processing Agreement is in place with every Healthcare Organisation using the vaccine solution(s) as an instruction for accuRx’s processing of data in the solution.

The Healthcare Organisation as a Data Controller will only upload patients who are eligible for the Covid-19 vaccination and whom they intend to vaccinate either alone, or working in a network of linked Healthcare Organisations (such as a PCN Grouping). Uploaded patient information is accessible to users at other Healthcare Organisations linked to the same network, for the purposes of collaborative appointment management and recording of vaccinations. The ODS code of the Healthcare Organisation who invited a patient may be visible to others who attempt to invite them, to allow practices to communicate about duplicate invitations or bookings.

accuBook is built with a limit of a single live invitation from a Healthcare Organisation per NHS number. When another organisation uploads identical patient details to their accuBook system, with a matched NHS number and no future booking, the organisation will be provided with the option to send that patient a new invite from their own network. In the original Healthcare Organisation’s accuBook network, the patient’s status will be updated to reflect that a more recent invite has been sent by another network. The patient will only be able to use the most recent invitation.

The individual-level patient data processed in the booking solution is limited to:

  • Demographic and contact data (typically name, identifiers, contact details [mobile], demographic data [DoB; gender])
  • Message content and vaccination appointment booking information (time/date, invite and booking status, booking notes, and arrival status)
  • Vaccination status (dates of flu and covid-19 vaccinations obtained from the National Immunisation Management Service)
  • Records of vaccinations and adverse events (including vaccination type and dose, clinical codes for adverse reactions, ethnic category and health/care worker status) - defined in the NHS Digital ‘Vaccination and Adverse Recording’ capability requirement.

The following patient-level data is shared for the following purposes:

  • NHS number to request patient vaccination status from the National Immunisation Management Service (NIMS)
  • records of vaccination, adverse events, and extended attributes to update the NIMS
  • appointment bookings to be used to de-duplicate vaccine invitations to be sent out via the National Booking Service, processed by NIMS
  • vaccination messages sent to the GP’s clinical system, by the NHS Digital Data Processing Services
  • records of vaccination for payment calculation to the NHS Business Services Authority
  • any other data sharing requirements of the Covid-19 vaccination programme added as ‘MUST’ to the ‘Vaccination and Adverse Recording’ capability requirements.