Data Processing Agreement

This is an agreement (“Data Processing Agreement”) between the following parties:
  • the healthcare and/or social care organisation that uses CareIQ’s Services to process data pertaining to patients (the "Healthcare Organisation"); and
  • CareIQ Limited, whose registered office is at 103 Cranley Drive, Newbury Park, Ilford, Essex, England, IG2 6AA
    • Company Registration Number: 12558417; 
    • ICO Registration Number: ZA781066; 
    • DSP Toolkit Organisation Code: 8KM74

Recitals

  • CareIQ has developed a range of software services and software applications to support healthcare organisations. CareIQ is used to enable healthcare intelligence for patients, healthcare and/or social care professionals involved in the patient’s care.
  • The Healthcare Organisation is the Controller of, and appoints CareIQ as its Processor to process Personal Data in order to provide the Services.
  • This Data Processing Agreement regulates the provision and use of Personal Data and ensures both CareIQ and the Healthcare Organisation meet their obligations under the Data Protection Legislation.

1.

Definitions and interpretations

1.1
The following words and phrases used in this Agreement, the Appendix or any Schedules shall have the following meanings except where the context otherwise requires:

CareIQ’s Sub-Processor Webpage
CareIQ’s Security Measures Webpage
Data Subject
means an individual to whom Personal Data relates;
Data Protection Legislation
means the EU's General Data Protection Regulation (2016/679), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, the UK GDPR and any mandatory guidance or codes of practice issued by the UK's Information Commissioner's Office from time to time;
Processor
in relation to Personal Data, means any person (other than an employee of the Controller) who processes Personal Data on behalf of the Controller;
Controller
means a natural or legal person or organisation who determines the purposes for which, and the manner in which, any Personal Data are, or are to be, processed;
GP Medical Record
means the patient’s medical record held by their registered GP. GP medical records include, but are not limited to, information about a patient’s medicine, allergies, vaccinations, previous illnesses and test results, hospital discharge summaries, appointment letters and referral letters;
Personal Data
means any information relating to an identifiable natural person which can identify that individual, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Special Categories of Personal Data
means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;
Software
means the software service provided by CareIQ Limited; this software consists of a range of products to support healthcare intelligence for healthcare organisations and their patients;
UK GDPR
has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the UK's Data Protection Act 2018; and
Services
means the provision of certain Software by CareIQ to the Healthcare Organisation from time to time, including products currently offered and those offered in the future.

2.

Scope of this Data Processing Agreement

2.1
This Data Processing Agreement applies to all data processing activities undertaken by CareIQ on behalf of the Healthcare Organisation, except those specific data processing activities within the scope of another agreement that both CareIQ and the Healthcare Organisation are party to (such as the processing for services procured under the "NHS Digital Care Services Catalogue" suite of agreements).
2.2
This Data Processing Agreement constitutes the written instructions of the Healthcare Organisation to CareIQ to process Personal Data in the manner described in the Schedule. Such instructions may be supplemented by the Healthcare Organisation from time to time if, for example, the Healthcare Organisation elects to use a new Service offering provided by CareIQ or decides to no longer use a particular element of the Services.

3.

Duration and termination

3.1
This Data Processing Agreement shall remain in full force and effect for as long as the Healthcare Organisation continues to use the Services.
3.2
This Data Processing Agreement shall terminate automatically once the Healthcare Organisation no longer uses the Services.

4.

Governing law

4.1
This Data Processing Agreement is governed by and construed in accordance with the laws of England and Wales.
4.2
Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this Data Processing Agreement, or its subject matter or formation.

5.

Obligations of the Data Controller

5.1
The Healthcare Organisation and CareIQ acknowledge that, for the purpose of the Data Protection Legislation:
5.1.1
5.1.2
the Healthcare Organisation retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the processing instructions it gives to CareIQ.
5.2
The Healthcare Organisation warrants and represents that CareIQ’s processing of Personal Data as contemplated under this Data Processing Agreement will comply with the Data Protection Legislation.
5.3
The Healthcare Organisation acknowledges that:
5.3.1
it is responsible for ensuring its use of CareIQ to communicate with Data Subjects is appropriate and complies with Data Protection Legislation; and
5.3.2
it must not use the Services in a manner which is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive.
5.4
The Schedule has been reviewed and approved by the Healthcare Organisation and sets out:
5.4.1
the types of Personal Data and categories of Data Subject whose Personal Data are Processed;
5.4.2
the categories of Processing carried out under this Data Processing Agreement; and
5.4.3
a description of the technical and organisational measures adopted by CareIQ to protect the Personal Data.
5.5
CareIQ shall create and maintain a register which includes the details set out in the Schedule, as well as each transfer of Personal Data to a territory outside of the UK and the European Economic Area and, where relevant, the documentation of suitable safeguards.

6.

Obligations of CareIQ

Processing Instructions
6.1
CareIQ must only process the Personal Data to the extent, and in such a manner, as is necessary for the purpose of providing the Services and in accordance with the Healthcare Organisation's instructions. CareIQ will not process the Personal Data in any other way or in a way that does not comply with this Data Processing Agreement or the Data Protection Legislation. CareIQ will notify the Healthcare Organisation immediately if, in CareIQ’s opinion, the Healthcare Organisation's instructions infringe Data Protection Legislation.
6.2
CareIQ must comply with any Healthcare Organisation instruction to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
6.3
CareIQ must delete or return all Personal Data to the Healthcare Organisation, at the choice of the Healthcare Organisation, as requested at the point of termination of this Data Processing Agreement and shall provide confirmation that all copies of the Personal Data have been deleted within 90 days after termination of this Data Processing Agreement.
6.4
CareIQ must maintain the confidentiality of the Personal Data and not disclose the Personal Data to third parties, unless the Healthcare Organisation or this Data Processing Agreement specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Information Commissioner's Office). If a domestic law, court or regulator requires CareIQ to process or disclose the Personal Data to a third party, CareIQ must first inform the Healthcare Organisation of such legal or regulatory requirement and give the Healthcare Organisation an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.
Rights of the Data Subject
6.5
CareIQ must, at no additional cost to the Healthcare Organisation, take such technical and organisational measures as may be appropriate, and promptly provide such information to the Healthcare Organisation as the Healthcare Organisation may reasonably require, to enable the Healthcare Organisation to comply with:
6.5.1
the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify, port and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data; and
6.5.2
information or assessment notices served on the Healthcare Organisation by the Information Commissioner's Office under the Data Protection Legislation.
6.6
CareIQ must notify the Healthcare Organisation promptly in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.
6.7
CareIQ will give the Healthcare Organisation its full cooperation and assistance in responding to any complaint, notice, communication or Data Subject request.
6.8
CareIQ must not disclose the Personal Data to any Data Subject or to a third party other than in accordance with the Healthcare Organisation's written instructions, this Data Processing Agreement, or as required by domestic law.
6.9
CareIQ must notify the Healthcare Organisation within 5 working days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation. Subject to clause 6.20, if CareIQ receives a request or other correspondence from a Data Subject, and such communication relates to the Personal Data CareIQ is processing on behalf of the Healthcare Organisation, CareIQ shall be entitled to respond to the Data Subject directly, but only to the extent necessary to assist the Data Subject in raising their request directly with the Healthcare Organisation. The provisions of this clause requiring CareIQ to notify the Healthcare Organisation do not apply in circumstances where CareIQ is unable to identify which Healthcare Organisation the relevant Data Subject is linked to (such as where the only information CareIQ has about that Data Subject following a communication from them is an email address or mobile phone number).
Security Measures
6.10
CareIQ must at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display, or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure, or damage of Personal Data including, but not limited to, the security measures set out in the Schedule.
6.11
CareIQ must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
6.11.1
the pseudonymisation and encryption of Personal Data;
6.11.2
the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
6.11.3
the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
6.11.4
a process for regularly testing, assessing and evaluating the effectiveness of the security measures.
Compliance
6.12
CareIQ will reasonably assist the Healthcare Organisation with meeting the Healthcare Organisation's compliance obligations under the Data Protection Legislation, taking into account the nature of CareIQ's processing and the information available to CareIQ, including in relation to Data Subjects' rights, data protection impact assessments and reporting to and consulting with the Information Commissioner's Office under the Data Protection Legislation. CareIQ shall appoint an individual within CareIQ to act as a point of contact for any enquiries from the Healthcare Organisation relating to the Personal Data CareIQ is processing on behalf of the Healthcare Organisation. They can be contacted at dpo@careiq.health
6.13
Such assistance provided by CareIQ under clause 6.12 may include:
6.13.1
the provision of all data reasonably requested by the Healthcare Organisation within the timescale reasonably specified by the Healthcare Organisation in each case, including full details and copies of any complaint, communication or request and any Personal Data it holds in relation to a Data Subject;
6.13.2
where applicable, providing such assistance as is reasonably requested by the Healthcare Organisation to enable it to comply with the relevant request within the statutory timescales under the Data Protection Legislation;
6.13.3
providing the Healthcare Organisation, at its request, with any Personal Data it holds in relation to a Data Subject, such as may be required to assist the Healthcare Organisation to respond to a query from a Data Subject; and
6.13.4
assistance as requested by the Healthcare Organisation with respect to any request from a Supervisory Authority, or any consultation by the Healthcare Organisation with a Supervisory Authority (as such term is defined in the UK GDPR).
6.14
For assistance provided by CareIQ in the preparation of any data protection impact assessment under clause 6.12, such assistance may include:
6.14.1
providing a systematic description of the envisaged processing operations and the purpose of the processing;
6.14.2
an assessment of the necessity and proportionality of the processing operations in relation to this Data Processing Agreement;
6.14.3
an assessment of the risks to the rights and freedoms of Data Subjects; and
6.14.4
a description of the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
Audit
6.15
CareIQ must permit the Healthcare Organisation and its third-party representatives to audit CareIQ’s compliance with its Data Processing Agreement obligations, on at least 30 days' notice. CareIQ will give the Healthcare Organisation and its third-party representatives all necessary assistance to conduct such audits. The assistance may include, but is not limited to:
6.15.1
physical access (to the extent possible) to, remote electronic access to, and copies of the records and any other information held at CareIQ’s premises or on systems storing the Personal Data;
6.15.2
access to and meetings with any of CareIQ’s personnel reasonably necessary to provide all explanations and perform the audit effectively; and
6.15.3
inspection of all records and the infrastructure, electronic data or systems, facilities, equipment or application software used to process the Personal Data.
6.16
The notice requirements in clause 6.15 will not apply if the Healthcare Organisation reasonably believes that a Personal Data breach occurred or is occurring, or CareIQ is in breach of any of its obligations under this Data Processing Agreement or any Data Protection Legislation.
Security breaches
6.17
CareIQ must notify the Healthcare Organisation within 48 hours, and in any event without undue delay, if it becomes aware of:
6.17.1
the loss, unintended destruction or damage, corruption, or un-usability of part or all of the Personal Data. CareIQ will use its reasonable endeavours to restore such Personal Data at its own expense as soon as possible;
6.17.2
any accidental, unauthorised, or unlawful processing of the Personal Data; or
6.17.3
any Personal Data breach.
6.18
Where CareIQ becomes aware of any event within clauses 6.17.1 – 6.17.3 above it shall, without undue delay, also use its reasonable endeavours to provide the Healthcare Organisation with the following information:
6.18.1
description of the nature of the event, including the categories of in-scope Personal Data and approximate number of Data Subjects and the Personal Data records concerned;
6.18.2
the likely consequences; and
6.18.3
a description of the measures taken or proposed to be taken to address the incident, including measures to mitigate its possible adverse effects.
6.19
Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data breach, the parties will coordinate with each other to investigate the matter. Further, CareIQ will reasonably cooperate with the Healthcare Organisation in the Healthcare Organisation's handling of the matter, including but not limited to:
6.19.1
assisting with any investigation;
6.19.2
providing the Healthcare Organisation with physical access (to the extent possible) to any facilities and operations affected;
6.19.3
facilitating interviews with CareIQ’s employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
6.19.4
making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Healthcare Organisation; and
6.19.5
taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data breach or accidental, unauthorised or unlawful Personal Data processing.
6.20
CareIQ will not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data breach without first obtaining the Healthcare Organisation's written consent, except when required to do so by domestic law.
6.21
CareIQ agrees that the Healthcare Organisation has the sole right to determine:
6.21.1
whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data breach to any Data Subjects, the Information Commissioner's Office, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Healthcare Organisation's discretion, including the contents and delivery method of the notice. Save that nothing in this clause shall prevent CareIQ from making any notifications required to maintain any insurance cover, regulatory authorisations, or avoid being in contractual breach of any other agreement it has entered into; and
6.21.2
whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
CareIQ personnel
6.22
CareIQ must ensure that CareIQ personnel processing the Personal Data on CareIQ’s behalf are subject to a duty of confidentiality, that access is strictly limited to those employees who need to access the relevant Personal Data as strictly necessary to perform the Services in the context of that employee's duties to CareIQ, and that all such employees:
6.22.1
are aware of and comply with CareIQ’s duties under this Data Processing Agreement;
6.22.2
are informed of the confidential nature of the Personal Data and do not publish, disclose, or divulge any of the Personal Data to any third party unless directed in writing to do so by the Healthcare Organisation or as otherwise permitted by this Data Processing Agreement;
6.22.3
are subject to user authentication and log on processes when accessing the Personal Data; and
6.22.4
have undertaken appropriate training in relation to Data Protection Legislation and in the use, care, protection and handling of the Personal Data.
6.23
CareIQ shall maintain up-to-date compliance with the NHS Data Security and Protection Toolkit (DSPT). CareIQ’s published report can be found under organisation code 8KM74.

7.

Sub-Processors

7.1
The Healthcare Organisation gives CareIQ a general written authorisation for the engagement of third-party sub-processors for the processing of Personal Data, subject to the terms of this Data Processing Agreement, Art. 32 of the UK GDPR, and the rules on transfers to third countries. The sub-processors currently used by CareIQ are set out on CareIQ’s Sub-Processor Webpage.
7.2
CareIQ shall carry out due diligence on each sub-processor to ensure that it is capable of providing the level of protection for the Personal Data as is required by this Data Processing Agreement. CareIQ will include terms in the contract between CareIQ and the sub-processor substantially similar to those set out in this Data Processing Agreement, and which are at a minimum compliant with the requirements of the Data Protection Legislation. Upon request, CareIQ shall provide a copy of its agreements with sub-processors to the Healthcare Organisation (which may be redacted to remove confidential information not relevant to the requirements of this Data Processing Agreement).
7.3
The Healthcare Organisation approves the engagement of the entities listed at CareIQ’s Sub-Processor Webpage as sub-processors of CareIQ for the processing of Personal Data. CareIQ shall update the list of sub-processors at CareIQ’s Sub-Processor Webpage at least 10 days in advance of when a new sub-processor for the processing of Personal Data is engaged.
7.4
CareIQ will not change any sub-processor processing Personal Data under this Data Processing Agreement without first informing the Healthcare Organisation of any intended change concerning the addition or replacement of other processors by updating CareIQ’s Sub-Processor Webpage, thereby giving the Healthcare Organisation the opportunity to object to such changes. The Healthcare Organisation acknowledges that it is its responsibility to check regularly for any updates to CareIQ’s Sub-Processors, and that the Healthcare Organisation can use webpage monitoring services to receive email updates by following the instructions on CareIQ’s Sub-Processor Webpage. Where an objection cannot be reconciled with the Service concept or technological requirements of CareIQ, either party may terminate the applicable features of the Service with immediate effect.
7.5
Where the sub-processor fails to fulfil its obligations under the written agreement with CareIQ which contains terms substantially the same as those set out in this Data Processing Agreement, CareIQ remains fully liable to the Healthcare Organisation for the sub-processor's performance of its agreement obligations.
Cross-border Transfers
7.6
The Healthcare Organisation consents to CareIQ processing Personal Data outside the UK and/or the EEA provided that:
7.6.1
CareIQ is processing the Personal Data in a territory which is subject to adequacy regulations under the Data Protection Legislation confirming that the territory provides adequate protection for the privacy rights of individuals. CareIQ must identify on CareIQ’s Sub-Processor Webpage the territory that is subject to such adequacy regulations; or
7.6.2
CareIQ participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that CareIQ (and, where appropriate, the Healthcare Organisation) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR. CareIQ must identify on CareIQ’s Sub-Processor Webpage the transfer mechanism that enables the parties to comply with these cross-border data transfer provisions and CareIQ must promptly inform the Healthcare Organisation of any change to that status; or
7.6.3
the transfer otherwise complies with the Data Protection Legislation.

8.

Liability

8.1
Nothing in this Data Processing Agreement limits any liability which cannot legally be limited, including but not limited to liability for:
8.1.1
death or personal injury caused by negligence; and
8.1.2
fraud or fraudulent misrepresentation.
8.2
Subject to clause 8.1, CareIQ’s total liability to the Healthcare Organisation under this Data Processing Agreement shall not exceed £25,000 (twenty five thousand pounds).

Schedule - Processing, Personal Data and Data Subjects

Subject matter of the processing
To provide the Services (CareIQ’s health intelligence platform), as adopted by the Healthcare Organisation from time to time.

Purposes and nature of the processing
The purposes and nature of the processing include:
  • Communication between patients, healthcare and/or other consenting professionals, via SMS, email, or other electronic communication, which may include images or documents
  • Video and audio communication for the purposes of video consultation
  • Appointment booking and recording
  • Data Subject consent-based access for viewing/sharing GP Medical Records
  • Research study participation
  • Healthcare and/or social care professionals may disclose patient data to CareIQ when receiving technical support, and from time to time CareIQ’s technical team may have access to patient data when fixing a technical issue, for example via remote support, which may include screen sharing.
  • Compilation of anonymised statistics about the patient population processed by CareIQ’s platform, such as the total number of high severity diabetic patients. These statistics may be used for CareIQ’s own analytics and improvement purposes. CareIQ may also share these anonymised statistics publicly or with third parties. These third parties include:
    • national bodies, including NHS Digital and NHS England;
    • local NHS bodies, including ICBs and Primary Care Networks;
    • partners of CareIQ, including commercial organisations, charities and academic institutions.
  • Compilation of anonymised statistics about the use of CareIQ’s platform, such as the use of its functions by its users in communication with patients. These statistics may be used for CareIQ’s own analytics and improvement purposes. CareIQ may also share these anonymised statistics publicly or with third parties. These third parties include:
    • national bodies, including NHS Digital and NHS England;
    • local NHS bodies, including ICBs and Primary Care Networks;
    • partners of CareIQ, including commercial organisations, charities and academic institutions.

Approved Sub-Processors

Security Measures adopted by CareIQ

Type of personal data
Personal Data (relating to patients of the Data Controller):
  • Patient demographic details (name; date of birth; gender)
  • NHS number
  • Mobile phone number
  • Email address
Personal Data (relating to healthcare and/or social care professionals):
  • Name
  • Email address
  • Mobile phone number
  • Affiliated organisations
  • Job role
Sensitive Personal Data:
  • Content of the communications with, or regarding, patients sent via the Services (which may include patient images or documents and contain data concerning health).
  • Other types of data, including third-party data (which may include location data, contents of the patient’s GP Medical Record and data concerning health), that may from time to time be required to provide the Services.

Duration of the processing
The duration of this Data Processing Agreement.