Data Processing Agreement
Data Processing Agreement (“Agreement”)
This Agreement forms part of and is considered agreed upon signing of the Contract for Services between (the “Contracting Authority”) acting as the “Data Controller” and
SCHAPPIT LIMITED
Trading as Silicon Practice
A Company registered in England, number 09084187
Whose registered office is:
Unit 2, 79-93 Ratcliffe Road
Sileby, Loughborough
Leicestershire
England
LE12 7PU
(the “Supplier”) acting as the “Data Processor” on behalf of the Data Controller.
(together as the “Parties”)
The Contracting Authority as a Data Controller wishes to subcontract certain Services, which require the processing of personal data, to the Supplier as a Data Processor.
The Definitions in Clause 1 apply to the use of all capitalised terms in this Agreement.
1. Definitions and Interpretation
“Agreement” means this Data Processing Agreement
“Personal Data” means any Personal Data processed by the Supplier or a Subcontracted Processor on behalf of the Contracting Authority
“Subcontracted Processor” means any person or company appointed by or on behalf of the Supplier to process Personal Data on behalf of the Contracting Authority in connection with the Agreement
“Data Protection Laws” means the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018
“EEA” means the European Economic Area
“Data Transfer” means a transfer of Personal Data from the Contracting Authority to the Supplier; or an onward transfer of Personal Data from the Supplier to a Subcontracted Processor
“Services” means all services and features as described in the Order Form
“Contract” means the Contract for Services
“Term” means a period of one year beginning on the Commencement Date or Renewal Date of the Contract
“Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, and “Processing” shall have the same meaning as in the UK GDPR
“Confidential Information” means all information, in whatever form, however disclosed, from one party to another that was not already in the public domain on completion of this Agreement
2. Processing of Personal Data
2.1. Both the Contracting Authority and the Supplier shall comply with all applicable Data Protection Laws in the Processing of the Contracting Authority’s Personal Data. The Personal Data that may be processed includes:
i. Patient Name; Address; Postcode; Date of Birth; Sex; Gender; Racial/Ethnic Origin; NHS No.; Phone No.; Email Address and Health Data
ii. Contracting Authority staff Name; Work Address; Phone No and Email Address
2.2. The Contracting Authority instructs the Supplier to process Personal Data where this is necessary to deliver the Services provided by the Supplier. The processing required and the purposes are set out in Appendix A.
2.3. The Supplier shall not process Personal Data for any purpose other than on the relevant Contracting Authority’s documented instructions.
2.4. The Supplier shall process Personal Data for the duration of the Contract between the Contracting Authority and the Supplier and any subsequent Terms.
3. Sub-processing
3.1. The Supplier shall not appoint (or disclose any Personal Data to) any Subcontracted Processor unless authorised by the Contracting Authority.
3.2. The Supplier shall ensure that any Subcontracted Processor is required to meet equivalent terms to those set out in this Agreement and in particular shall ensure that any Subcontracted Processors provide adequate assurance that they have also implemented appropriate technical and organisational measures to ensure a level of security appropriate to the assessed risk, in particular the risk of a Personal Data Breach, as required by the UK GDPR.
3.3. The Supplier currently has in place the following Subcontracted Processors, which the Contracting Authority is deemed to have authorised when signing this Agreement, for the purpose of assisting the Supplier with Processing of Personal Data.
Sub-Processor | Purpose | Location of Processing |
Amazon | Web Hosting and Storage | UK |
4D | Web Hosting and Storage | UK |
Atlassian | Service Desk, Ticketing and Task Management | EU (Ireland) |
Google Suite | Email, Documents and File Storage | UK |
Redcentric | HSCN Connection | UK |
Docman | Data Handler | UK |
Brinkworth Virtual Business Centre | Disaster Recovery/Out of Hours Telephony | UK |
OpenTok | Video Consultation | EU (Ireland) – Using end to end encryption |
BT Soprano | SMS Messaging | UK |
CareIS | Clinical System Integration | UK |
Amazon SES | Email Messaging | UK |
Zoho Corporation | CRM System, Finance, Email | UK with occasional processing in the EU |
4. Processor Personnel
The Supplier shall take reasonable steps to ensure the reliability of any employee, agent or subcontractor who may have access to Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Personal Data, and that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
5. Security
5.1. The Supplier shall ensure a level of security appropriate to the risk.
5.2. All Personal Data is encrypted to NHS encryption standards. All Personal Data is kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are Processed. If the Processing activity requires it, the Supplier can anonymise Personal Data.
5.3. The Supplier has a number of internal policies that address the confidentiality, integrity, availability and resilience of Processing systems and Services, including its network security policy. These policies are reviewed and updated regularly. The Supplier will ensure that it is compliant with the NHS Data Security & Protection Toolkit to at least the “Standards Met” level; the Personal Data is stored in a data centre which is ISO 27001 compliant, and the Supplier has achieved Cyber Essentials as specified by the NHS.
5.4. The Supplier stores encrypted backups in a London Data Centre; the encrypted backups are automatically deleted after 90 days and are accessible only to authorised staff. In the event that the Contracting Authority requires restoration of Personal Data, this can be done in a timely manner upon written request within these 90 days.
5.5. The Supplier’s internal policies are regularly reviewed and updated as necessary. A programme of maintenance is ongoing, including regular penetration testing, risk assessment, system updates, access control audits, change control management, self-assessment and external assessment including Cyber Essentials.
6. Data Subject Rights
6.1. The Supplier shall assist the Contracting Authority by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Contracting Authority’s obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws.
6.2. The Supplier shall endeavour to notify the Data Controller within 3 working days if it receives a request from a Data Subject under any Data Protection Law in respect of Personal Data, and shall ensure that it does not respond to that request except on the documented instructions of the Data Controller or as required by Data Protection Laws to which the Supplier is subject, in which case the Supplier shall, to the extent permitted by Data Protection Laws, inform the Data Controller of that legal requirement before responding to the request.
7. Personal Data Breach
7.1. The Supplier shall notify the Contracting Authority without undue delay upon becoming aware of a Personal Data Breach affecting the Personal Data, providing the Contracting Authority with sufficient information to allow the Contracting Authority to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2. The Supplier shall co-operate with the Contracting Authority and take reasonable commercial steps as are directed by the Contracting Authority to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8. Data Protection Impact Assessment and Prior Consultation
The Supplier shall provide reasonable assistance to the Contracting Authority with any data protection impact assessments, and prior consultations with supervising authorities or other competent data privacy authorities, which the Contracting Authority reasonably considers to be required.
9. Deletion or Return of the Contracting Authority’s Personal Data
The Supplier shall at the choice of the Contracting Authority, delete or return all the Personal Data to the Data Controller after the end of the provision of Services relating to Processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
10. Audit Rights
The Supplier shall make available to the Contracting Authority on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Contracting Authority or an auditor mandated by the Contracting Authority in relation to the Processing of the Contracting Authority’s Personal Data. The Supplier shall immediately inform the Contracting Authority if, in its opinion, an instruction infringes the UK GDPR (Article 28) or other Union or Member State data protection provisions.
11. Data Transfer Outside of the EEA
The Supplier may not transfer or authorise the transfer of Personal Data to countries outside the European Economic Area (EEA) without the prior written consent of the Contracting Authority, and any such agreed transfer shall meet the requirements specified in the UK GDPR.
12. Confidentiality
12.1. Each Party must keep this Agreement, and any information it receives about the other Party and its business in connection with this Agreement, confidential. Neither Party shall use or disclose to a third party (and shall use its best endeavours to prevent the publication or disclosure of) any Confidential Information without the prior written consent of the other Party, except to the extent that:
a) Disclosure is required by law;
b) The relevant information is already in the public domain.
13. Data Retention
13.1. In alignment with the Records Management Code of Practice for Health and Social Care 2021 recommendations for transactional records that are not themselves part of a care record, the Supplier has adopted the following retention periods for Personal Data:
a) 90 days for data backups
b) 2 years for data held on the servers
14. Notices
All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement or at such other address as notified from time to time by the Parties in writing.
Appendix A
Sub-processor | Type of data | Data Subject | Purpose of processing |
Amazon AWS | Name, date of birth, email, phone number, sex, address, ethnicity, photographs, letters, documents, medical data | NHS Patients, their carers and NHS staff | Web Hosting, Storage and Transmission |
4D | Name, date of birth, email, phone number, sex, address, ethnicity, photographs, letters, documents, medical data. All this data is encrypted in transmission and in storage | Patients, their carers and GP practice staff | Web Hosting, Storage and Transmission |
Atlassian | Names, addresses, emails, phone numbers | NHS Staff and Silicon Practice Staff | Service Desk, Ticketing and Task Management |
Google Suite | Names, email addresses, phone numbers | Silicon Practice Customers, Suppliers, Staff | Email, Documents and File Storage |
Redcentric | Names, addresses, emails, phone numbers, medical data | NHS patients, NHS Staff, Silicon Practice Staff | HSCN Connection |
Docman | Name, email, phone number, sex, address, medical data | NHS Patients | Data Handler |
Brinkworth Virtual Business Centre | Name, email, phone number | Silicon Practice Customers, Suppliers | Telephony |
OpenTok | Name, date of birth, email address, medical details, image of patients, image of clinicians | NHS Patients, NHS Staff | Video Consultation |
BT Soprano | Phone number, health data | NHS Patients | Sending text messages to patients |
CareIS | Health data | NHS Patients | To transfer patient data from FootFall to the patient record in SystmOne |
Amazon SES | Name, email | NHS Patients, NHS Staff | Emailing messages to patients and NHS Staff |
Zoho Corporation | Names, addresses, emails, phone numbers | NHS Staff and Silicon Practice Staff | CRM system, Finance, Email |