Data Processing Agreement

This Agreement forms part of and is considered agreed upon signing of the Contract for Services between:

(the “Health Organisation”) acting as the “Data Controller” and

SILICON PRACTICE LIMITED is a Company registered in England, number 4174491, whose registered office is Wesbury Court, Church Road, Wesbury-on-Trym, BS9 3EF

(“The Manufacturer” acting as the “Data Processor” on behalf of the Data Controller.)

(together as the “Parties”)

The Health Organisation as a Data Controller wishes to subcontract certain Services, which require the processing of personal data, to the Manufacturer as a Data Processor.

The Definitions in Clause 1 apply to the use of all capitalised terms in this Agreement.

  1. Definitions and Interpretation

“Agreement” means this Data Processing Agreement

“Personal Data” means any Personal Data processed by the Manufacturer or a Subcontracted Processor on behalf of the Health Organisation

“Subcontracted Processor” means any person or company appointed by or on behalf of the Manufacturer to process Personal Data on behalf of the Health Organisation in connection with the Agreement

“Data Protection Laws” means the General Data Protection Regulation 2018 (GDPR) and the Data Protection Act 2018

“EEA” means the European Economic Area

“Data Transfer” means a transfer of Personal Data from the Health Organisation to The Manufacturer; or an onward transfer of Personal Data from the Manufacturer to a Subcontracted Processor

“Services” means all services and features as described in the Order Form 

“Contract” means the Contract for Services 

“Term” a period of one year beginning on the Commencement Date or Renewal Date of the Contract

“Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, and “Processing” shall have the same meaning as in the GDPR

“Confidential Information” means all information, in whatever form, however disclosed, from one party to another that was not already in the public domain on completion of this Agreement

  1. Processing of Personal Data

2.1 Both the Health Organisation and the Manufacturer shall comply with all applicable Data Protection Laws in the Processing of the Health Organisations Personal Data. The Personal Data that may be processed includes:

  1. Patient Name; Address; Postcode; Date of Birth; Sex; Gender; Racial/Ethnic Origin; NHS No.; Phone No.; Email Address and Health Data
  2. Health Organisation staff Name; Work Address; Phone No and Email Address

2.2 The Health Organisation instructs the Manufacturer to process Personal Data where this is necessary to deliver the Services provided by the Manufacturer. 

2.3 The Manufacturer shall not process Personal Data for other purposes other than on the relevant Health Organisations documented instructions.

2.4 The Manufacturer shall process Personal Data for the duration of the Contract between the Health Organisation and the Manufacturer and any subsequent Terms.

  1. Sub-processing

3.1 The Manufacturer shall not appoint (or disclose any Personal Data to) any Subcontracted Processor unless authorised by the Health Organisation.

3.2 The Manufacturer shall ensure that any Subcontracted Processor is required to meet equivalent terms to those set out in this Agreement and in particular shall ensure that any Subcontracted Processors provide adequate assurance that they have also implemented appropriate technical and organisational measures to ensure a level of security appropriate to the assessed risk, in particular the risk of a Personal Data Breach, as required by the GDPR.

3.3 The Manufacturer currently has in place the following Subcontracted Processors, which the Health Organisation is deemed to have authorised when signing this Agreement, for the purpose of assisting the Processor with Processing of Personal Data.

Sub-Processor Purpose
Amazon  Web Hosting and Storage 
4D Web Hosting and Storage 
Atlassian Service Desk, Ticketing and Task Management
Google Suite Email, Documents and File Storage 
Wirehive  Web Hosting and Storage 
A1 Book Keepers Ltd. Finance
Redcentric HSCN Connection
Docman Data Handler
Brinkworth Virtual Business Centre Disaster Recovery/Out of Hours Telephony
OpenTok Video Consultation 
Rombourne  Serviced Offices and Internet Connection 

 

  1. Processor Personnel


The Manufacturer shall take reasonable steps to ensure the reliability of any employee, agent or subcontractor who may have access to Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Personal Data ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

  1. Security

5.1 The Manufacturer shall ensure a level of security appropriate to the risk. 

5.2 All Personal Data is encrypted to NHS encryption standards. All Personal Data is kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are Processed. If the Processing activity requires it the Manufacturer can anonymise Personal Data.

5.3 The Manufacturer has a number of internal policies that address the confidentiality, integrity, availability and resilience of Processing systems and Services including our network security policy. These policies are reviewed and updated regularly. The Manufacturer achieved a satisfactory compliance level with the NHS IG Toolkit and continues to work with the replacement Data Security & Protection Toolkit to ensure NHS standards are met; the Personal Data is stored in a data centre which is ISO 27001 compliant and the Manufacturer has achieved Cyber Essentials as specified by the NHS.

5.4 The Manufacturer stores encrypted backups in a London Data Centre, the encrypted Personal Data automatically deletes after 90 days and is only accessible to authorised staff. In the event that the Health Organisation requires restoration of Personal Data this can be done in a timely manner upon written request within these 90 days.

5.5 The Manufacturers internal policies are regularly reviewed and updated as necessary. A programme of maintenance is ongoing including regular penetration testing, risk assessment, system updates, access control audits, change control management, self-assessment and external assessment including Cyber Essentials. 

  1. Data Subject Rights

6.1 The Manufacturer shall assist the Health Organisation by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Health Organisations obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws. 

6.2 The Manufacturer shall promptly notify the Health Organisation if it receives a request from a Data Subject under any Data Protection Law in respect of Personal Data; and ensure that it does not respond to that request except on the documented instructions of the Health Organisation or as required by Applicable Laws to which the Manufacturer is subject, in which case the Manufacturer shall to the extent permitted by Applicable Laws inform the Health Organisation of that legal requirement before responding to the request.

  1. Personal Data Breach

7.1 The Manufacturer shall notify the Health Organisation without undue delay upon becoming aware of a Personal Data Breach affecting the Personal Data, providing the Health Organisation with sufficient information to allow the Health Organisation to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

7.2 The Manufacturer shall co-operate with the Health Organisation and take reasonable commercial steps as are directed by the Health Organisation to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

  1. Data Protection Impact Assessment and Prior Consultation 

The Manufacturer shall provide reasonable assistance to the Health Organisation with any data protection impact assessments, and prior consultations with supervising authorities or other competent data privacy authorities, which the Health Organisation reasonably considers to be required.

  1. Deletion or return of Health Organisation Personal Data

9.1 The Manufacturer shall at the choice of the Health Organisation, delete or return all the Personal Data to the Health Controller after the end of the provision of Services relating to Processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data. 

  1. Audit rights

The Manufacturer shall make available to the Health Organisation on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Health Organisation or an auditor mandated by the Health Organisation in relation to the Processing of the Health Organisations Personal Data. The Manufacturer shall immediately inform the Health Organisation if, in its opinion, an instruction infringes this Regulation (Article 28 GDPR) or other Union Member State data protection provisions.

  1. Data Transfer outside of the EEA

The Manufacturer may not transfer or authorize the transfer of Personal Data to countries outside the European Economic Area (EEA) without the prior written consent of the Health Organisation and any such agreed transfer shall meet the requirements specified in the GDPR.

  1. Confidentiality 

12.1 Each Party must keep this Agreement and any information it receives about the other Party and its business in connection with this Agreement confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by law;
(b) the relevant information is already in the public domain.

  1. Data Retention 

13.1 In accordance with the Records Management Code of Practice for Health and Social Care 2016 the Manufacturer has adopted the following retention periods for Personal Data:

(a) 90 days for data backups 

(b) 2 years for data held on the servers 

  1. Notices

14.1 All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement or at such other address as notified from time to time by the Parties in writing.