This is an agreement (“Data Processing Agreement”) between the following parties:
the healthcare and/or social care organisation that uses accuRx's Services to process datapertaining to patients (the "Healthcare Organisation"); and
accuRx Ltd, whose registered office is at 27 Downham Road, London, N1 5AA (CompanyRegistration Number: 10184077; ICO Registration Number: ZA202115; DSP ToolkitOrganisation Code: 8JT17) ("accuRx").
accuRx is a software application that consists of a range of products to support healthcare organisations. accuRx is used to communicate with and between Patients, healthcare and/or social care professionals involved in the Patient’s care.
The Healthcare Organisation is the Data Controller in respect of certain Personal Data & Special Categories of Personal Data and appoints accuRx Ltd as a Data Processor in relation to the provision of its Services agreed upon to process the data pertaining to Patients, healthcare or social care professionals involved in the Patient’s care.
In order to provide the Services, accuRx requires certain Personal Data & Special Categories of Personal Data to be made available by the Data Controller.
This Agreement regulates the provision and use of Personal Data, including Special categories of Personal Data, and ensures both accuRx and the Healthcare Organisation meet their obligations under the Data Protection Act 2018 and General Data Protection Regulation (GDPR).
1 Definitions and interpretations
The following words and phrases used in this Agreement, the Appendix or any Schedules shall have the following meanings except where the context otherwise requires:
the software service provided by AccuRx Ltd; this software consists of a range of products to support communication with and between healthcare organisations and their patients;
means information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous (e.g. through aggregation) insuch a manner that the data subject is not or no longer identifiable;
means a Person or Organisation who determines the purposes for which, and the manner in which, any Personal Data are, or are to be processed, in the case of this Agreement, the Healthcare Organisation;
in relation to Personal Data, means any Person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller which in the case of this Agreement is accuRx;
means the General Data Protection Regulation, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any guidance or codes of practice issued by any Supervisory Authority (as defined in the GDPR) from time to time;
means an individual to whom Personal Data, including Special Categories of Personal Data, pertains;
means any person to whom the data are disclosed during the course of the data processing;
means the clinical system that holds the patient's electronic patient record, such as EMIS Web or TPP SystmOne;
means the patient’s medical record held by their registered GP. GP medical records include information about a patient’s medicine, allergies, vaccinations, previous illnesses and test results, hospital discharge summaries, appointment letters and referral letters;
is the healthcare and/or social care organisation providing direct care that uses accuRx Services to process data pertaining to Patients in their care;
means the Personal Demographics Service, the national electronic database of NHS patient details such as name, address, date of birth and NHS number;
recognised in law, that is to say individuals; organisations; and other corporated and unincorporated bodies of persons;
means any information relating to an identified or identifiable natural Person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
means revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;
means the Services to be carried out by the Data Processor in order toprovide AccuRx, and any other services that may from time to time be provided bythe Data Processor, to the Data Controller.
This Agreement and its parts constitute written instructions of the Data Controller to the Data Processor to process personal data in the manner described in Schedule 1.
The Healthcare Organisation, the Data Controller, wishes to use AccuRx’s services and AccuRx has agreed to provide these services according to instructions in this Agreement.
AccuRx, the Data Processor, is a software application that consists of a range of products to support healthcare or social care organisations. AccuRx is used to communicate with and between Patients, healthcare and/or social care professionals involved in the Patient’s care.
3. Duration and termination
This Agreement shall remain in full force and effect while the Healthcare Organisationcontinues to use the Services.
This Agreement is governed by and construed in accordance with the laws of England and Wales.
The Data Controller is responsible for the lawful basis for the processing of personal data, in particular with Schedule 1 of the Data Protection Act 2018.
The Data Controller must use AccuRx or another safe communications channel to communicate Personal Data and/or Special Categories of Personal Data to the Data Processor. The security of the channel used must correspond to the privacy risk involved.
The Data Controller must accept responsibility for use of content that it produces.
The Data Controller is responsible for the validity of any mobile numbers or emails entered by the Data Controller's staff.
The Data Controller must not rely on AccuRx for the communication of vital information. SMS messages
should only be used to support and enhance communication. AccuRx provide no guarantees or assurances that SMS messages have been delivered or read by the recipient.
The instructions given by the Data Controller to the Data Processor in respect of the Personal Data/Special Categories of Personal Data disclosed to it by patients of the Data Controller or generated in respect of such patients shall at all times be in accordance with the laws of England and Wales.
The Data Controller must ensure that all data fields in AccuRx are correctly filled in and do not contain patient identifiable information where they are not supposed to.
The Data Controller, by entering into this Agreement, instructs the Data Processor to process the Personal Data/Special Categories of Personal Data on its behalf for the purpose of providing the Services, including the purpose of usage data reports in anonymised form.
The Data Controller, by entering into this Agreement, instructs the Data Processor to engage in reasonable monitoring of messages to prevent abuse, fraud or harm to patients through technical or user errors. This monitoring shall be proportionate and carried out through a person acting as a clinical lead.
Only process the Personal Data & Special Categories of Personal Data for the purpose of providing the Services and in accordance with the Data Controller’s instructions, unless the Data Processor is required to do otherwise by law.
Only process the Personal Data & Special Categories of Personal Data only to the extent and in such a manner as is necessary for the provision of the services.
Only process the Personal Data & Special Categories of Personal Data in compliance with the Data Protection Act 2018 and the GDPR.
Rights of the data subject
Assist the Data Controller in providing subject access and allowing data subjects to exercise all their other rights under the GDPR. The response to all subject information and other GDPR requests that may be received from the data subjects shall be provided within 14 days. All such requests must be received by the Data Controller and all communication with the Data Subjects must be via the Data Controller. If any requests are received by the Data Processor, the Data Subject would normally be instructed to contact the Data Controller.
Implement appropriate technical and organisational measures to protect the Personal Data,
and any other Confidential Information, against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and/or other Confidential Information. As a minimum all data shall be encrypted in transit (with HTTPS via TLS 1.2 or higher) and at rest via Transparent Data Encryption (TDE);
Assist the Data Controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches, and data protection impact assessments.
Make available to the Data Controller all information necessary to demonstrate compliance with the obligations according to Article 28 of the GDPR and to allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
Delete or return all personal data to the Data Controller, at the choice of the Data Controller, as requested at the point of termination of the Agreement.
Notify all Customers of any information security breach or incident that may compromise the Personal Data & Special Categories of Personal Data covered by this agreement without undue delay after becoming aware of any such incident, taking into consideration the statutory breach reporting requirements and deadlines. The Data Processor shall work with the Data Controller to carry out a risk assessment and allow them to oversee and assess any corrective action.
To maintain up-to-date compliance with the NHS Data Security and Protection Toolkit (DSPT). AccuRx’s
published report can be found under organisation code 8JT17.
To ensure that people processing the data are subject to a duty of confidentiality.
To only use the sub-processors listed in Schedule 2 of this Agreement. Schedule 2 may be modified unilaterally by the Data Processor as long as this complies with the requirements of Article 32 of the GDPR and the rules on transfers to third countries. Such changes to sub-processors shall be made available to the Data Controller. Where the change includes the change or an addition of a sub-processor, the Data Controller shall be given the opportunity to object. Where this objection cannot be reconciled with the Service concept or technological requirements of the Data Processor, the Data Processor may terminate the Agreement with immediate effect.
Not to store or directly transfer the Personal Data/Special Categories of Personal Data outside of the EEA without appropriate safeguards. However, we draw your attention to the fact that that:
If either party to a communication (AccuRx users that send them, and their Patients) uses a device outside the EEA, then it may result in data being processed outside of the EEA.
Identity of the Data Controller and Data Processor
The Healthcare Organisation shall be the Data Controller and AccuRx Ltd shall be the Data Processor
Subject matter of the processing
To provide the Services.
The AccuRx software requires certain Personal Data & Special Categories of Personal Data to be made available by the Data Controller.
Duration of the processing
The duration of the processing will be the duration of this agreement.
Purposes and nature of the processing
The purposes of processing are health and social care purposes only.
For the purpose of processing above, the nature of the processing may include, but is not limited to:
Legal basis for processing
The Data Processor will process Personal Data for the purposes of the performance of the Agreement between the Data Controller and Data Processor.
The Data Controller will ensure that they have the lawful basis to instruct the Data Processor to Process any Personal Data under this Agreement.
Type of personal data
A third-party SMS gateway for the delivery of SMS messages
A third-party SMS gateway for the delivery of SMS messages
Secure cloud hosting in accordance with NHS Digital guidance
Process communications between healthcare and/or social care organisations
Process communications between healthcare and/or social care organisations
Host video consultations betweenhealthcare and/or social care staff andtheir patients. See Appendix I for details.
We use SendGrid for sending emails that don't contain patient identifiable information [UK GDPR Compliant]
To gain remote access and support over the internet [UK GDPR compliant]
As a CRM solution [UK GDPR Compliant]
The video consultation service provided through the accuRx platform is hosted by Whereby who are compliant with GDPR and based in the European Economic Area (EEA). A unique URL to the video consultation is generated and all participants are visible in the consultation, no third party can 'listen in'. The video and audio communication of the video consultation is only visible to participants on the call, and is not recorded or stored on any server (not accuRx’s, not Whereby’s and not on any third party's servers).
All communication between participants’ devices and Whereby’s service is transmitted over an encrypted connection (secure web traffic using HTTPS and TLS or secure websocket traffic or secure WebRTC). The video consultation connection either:
In both cases, as long as the participants are using their devices in the European Economic Area, it is guaranteed that any data is hosted and processed within the EEA, in line with NHS best practice guidelines on health and social care cloud security.
The data collected about patients is limited to that necessary to provide the meeting room service, and includes:
Technical logs are purged after 90 days, sufficient to allow AccuRx as the Data Processor to assist the Data Controller to complete investigations into data protection or clinical safety incidents.
Whereby’s Data Processing Agreement (available on their Data Storage and Security page) details the commitments it makes to us when we contract with them as a sub-processor.
The Vaccine Solutions provided through the accuRx platform enable Healthcare Organisations to work together to deliver Covid-19 vaccination services. The use of accuRx and agreement to its Terms and Conditions and this Data Processing Agreement is a prerequisite for enabling the Vaccine Solution.
Covid-19 vaccination services can include fulfilling the Covid-19 vaccination Enhanced Service for NHS England. This requires them to work together with other Healthcare Organisations in groups known as Primary Care Network Groupings (‘PCN Groupings’). As a condition of the Enhanced Service Specification: COVID-19 vaccination programme 2020/21 published by NHS England, Healthcare Organisations must sign a Collaboration Agreement containing provision for data sharing necessary to carry out the Enhanced Service. The Healthcare Organisations who use the vaccine solution(s) are Data Controllers for any personal information that they upload or access through the solution. It is the Healthcare Organisation’s responsibility to ensure that they have a valid Collaboration Agreement or alternative arrangements (where they are not delivering the Enhanced Service) for data sharing in place.
By enabling the Vaccine Solution, Data Controllers are confirming to accuRx that they comply with: the above requirements; have a valid Collaboration Agreement or Data Sharing Agreement in place; the Data Protection Act 2018; and, all other relevant Data Protection legislation and standards.
For the avoidance of any doubt that the data processing necessary for an Organisation to use accuBook is covered by a valid agreement, this Data Processing Agreement is in place with every Healthcare Organisation using the vaccine solution(s) as an instruction for accuRx’s processing of data in the solution.
The Healthcare Organisation as a Data Controller will only upload patients who are eligible for the Covid-19 vaccination and whom they intend to vaccinate either alone, or working in a network of linked Healthcare Organisations (such as a PCN Grouping). Uploaded patient information is accessible to users at other Healthcare Organisations linked to the same network, for the purposes of collaborative appointment management and recording of vaccinations. The ODS code of the Healthcare Organisation who invited a patient may be visible to others who attempt to invite them, to allow practices to communicate about duplicate invitations or bookings.
accuBook is built with a limit of a single live invitation from a Healthcare Organisation per NHS number. When another organisation uploads identical patient details to their accuBook system, with a matched NHS number and no future booking, the organisation will be provided with the option to send that patient a new invite from their own network. In the original Healthcare Organisation’s accuBook network, the patient’s status will be updated to reflect that a more recent invite has been sent by another network. The patient will only be able to use the most recent invitation.
The individual-level patient data processed in the booking solution is limited to:
The following patient-level data is shared for the following purposes: