Data Processing Agreement

Data Processing Agreement (“Agreement”)  

This Agreement forms part of and is considered agreed upon signing of the Contract for Services between (the “Contracting Authority”) acting as the “Data Controller” and

SCHAPPIT LIMITED
Trading as Silicon Practice
A Company registered in England, number 09084187
Whose registered office is:
Unit 2, 79-93 Ratcliffe Road
Sileby, Loughborough
Leicestershire
England
LE12 7PU
(the “Supplier”) acting as the “Data Processor” on behalf of the Data Controller. 

(together as the “Parties”) 

The Contracting Authority as a Data Controller wishes to subcontract certain Services, which require the processing of personal data, to the Supplier as a Data Processor. 

The Definitions in Clause 1 apply to the use of all capitalised terms in this Agreement. 

1. Definitions and Interpretation

“Agreement” means this Data Processing Agreement 

“Personal Data” means any Personal Data processed by the Supplier or a Subcontracted Processor on behalf of the Contracting Authority 

“Subcontracted Processor” means any person or company appointed by or on behalf of the Supplier to process Personal Data on behalf of the Contracting Authority in connection with the Agreement 

“Data Protection Laws” means the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 

“EEA” means the European Economic Area 

“Data Transfer” means a transfer of Personal Data from the Contracting Authority to the Supplier; or an onward transfer of Personal Data from the Supplier to a Subcontracted Processor 

“Services” means all services and features as described in the Order Form  

“Contract” means the Contract for Services  

“Term” a period of one year beginning on the Commencement Date or Renewal Date of the Contract 

“Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, and “Processing” shall have the same meaning as in the UK GDPR 

“Confidential Information” means all information, in whatever form, however disclosed, from one party to another that was not already in the public domain on completion of this Agreement 

2. Processing of Personal Data

2.1. Both the Contracting Authority and the Supplier shall comply with all applicable Data Protection Laws in the Processing of the Contracting Authority’s Personal Data. The Personal Data that may be processed includes: 

i. Patient Name; Address; Postcode; Date of Birth; Sex; Gender; Racial/Ethnic Origin; NHS No.; Phone No.; Email Address and Health Data 

ii. Contracting Authority staff Name; Work Address; Phone No and Email Address 

2.2. The Contracting Authority instructs the Supplier to process Personal Data where this is necessary to deliver the Services provided by the Supplier. The processing required and the purposes are set out in Appendix A. 

2.3 The Supplier shall not process Personal Data for other purposes other than on the relevant Contracting Authority’s documented instructions. 

2.4 The Supplier shall process Personal Data for the duration of the Contract between the Contracting Authority and the Supplier and any subsequent Terms. 

3. Sub-processing

3.1. The Supplier shall not appoint (or disclose any Personal Data to) any Subcontracted Processor unless authorised by the Contracting Authority. 

3.2. The Supplier shall ensure that any Subcontracted Processor is required to meet equivalent terms to those set out in this Agreement and in particular shall ensure that any Subcontracted Processors provide adequate assurance that they have also implemented appropriate technical and organisational measures to ensure a level of security appropriate to the assessed risk, in particular the risk of a Personal Data Breach, as required by the UK GDPR. 

3.3. The Supplier currently has in place the following Subcontracted Processors, which the Contracting Authority is deemed to have authorised when signing this Agreement, for the purpose of assisting the Processor with Processing of Personal Data. 

Sub-Processor Purpose Location of Processing 
Amazon  Web Hosting and Storage  UK 
4D Web Hosting and Storage  UK 
Atlassian Service Desk, Ticketing and Task Management EU (Ireland) 
Google Suite Email, Documents and File Storage  UK 
Wirehive  Web Hosting and Storage  UK 
Redcentric HSCN Connection UK 
Docman Data Handler UK 
Brinkworth Virtual Business Centre Disaster Recovery/Out of Hours Telephony UK 
OpenTok Video Consultation  EU (Ireland) – Using end to end encryption 
BT Soprano SMS Messaging UK 
CareIS Clinical System Integration UK 
Amazon SES Email Messaging UK 
Zoho Corporation CRM System, Finance, Email UK with occasional processing in the EU 

4. Processor Personnel

The Supplier shall take reasonable steps to ensure the reliability of any employee, agent or subcontractor who may have access to Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Personal Data ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality. 

5. Security

5.1. The Supplier shall ensure a level of security appropriate to the risk.  

5.2. All Personal Data is encrypted to NHS encryption standards. All Personal Data is kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are Processed. If the Processing activity requires it the Supplier can anonymise Personal Data. 

5.3. The Supplier has a number of internal policies that address the confidentiality, integrity, availability and resilience of Processing systems and Services including our network security policy. These policies are reviewed and updated regularly. The Supplier will ensure that it is compliant with the NHS Data Security & Protection Toolkit to at least the “Standards Met” level; the Personal Data is stored in a data centre which is ISO 27001 compliant and the Supplier has achieved Cyber Essentials as specified by the NHS. 

5.4. The Supplier stores encrypted backups in a London Data Centre, the encrypted Personal Data automatically deletes after 90 days and is only accessible to authorised staff. In the event that the Contracting Authority requires restoration of Personal Data this can be done in a timely manner upon written request within these 90 days. 

5.5. The Supplier’s internal policies are regularly reviewed and updated as necessary. A programme of maintenance is ongoing including regular penetration testing, risk assessment, system updates, access control audits, change control management, self-assessment and external assessment including Cyber Essentials. 

6. Data Subject Rights

6.1. The Supplier shall assist the Contracting Authority by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Contracting Authority’s obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws.  

6.2. The Supplier shall endeavour to notify Data Controller within 3 working days if it receives a request from a Data Subject under any Data Protection Law in respect of Personal Data; and ensure that it does not respond to that request except on the documented instructions of the Data Controller or as required by Data Protection Laws to which the Supplier is subject, in which case the Supplier shall to the extent permitted by Data Protection Laws inform the Data Controller of that legal requirement before responding to the request. 

7. Personal Data Breach

7.1. The Supplier shall notify the Contracting Authority without undue delay upon becoming aware of a Personal Data Breach affecting the Personal Data, providing the Contracting Authority with sufficient information to allow the Contracting Authority to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. 

7.2. The Supplier shall co-operate with the Contracting Authority and take reasonable commercial steps as are directed by the Contracting Authority to assist in the investigation, mitigation and remediation of each such Personal Data Breach. 

8. Data Protection Impact Assessment and Prior Consultation

The Supplier shall provide reasonable assistance to the Contracting Authority with any data protection impact assessments, and prior consultations with supervising authorities or other competent data privacy authorities, which the Contracting Authority reasonably considers to be required. 

9. Deletion or Return of the Contracting Authority’s Personal Data

The Supplier shall at the choice of the Contracting Authority, delete or return all the Personal Data to the Data Controller after the end of the provision of Services relating to Processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data. 

10. Audit Rights

The Supplier shall make available to the Contracting Authority on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Contracting Authority or an auditor mandated by the Contracting Authority in relation to the Processing of the Contracting Authority’s Personal Data. The Supplier shall immediately inform the Contracting Authority if, in its opinion, an instruction infringes this Regulation (Article 28 UK GDPR) or other Union Member State data protection provisions. 

11. Data Transfer Outside of the EEA

The Supplier may not transfer or authorize the transfer of Personal Data to countries outside the European Economic Area (EEA) without the prior written consent of the Contracting Authority and any such agreed transfer shall meet the requirements specified in the UK GDPR. 

12. Confidentiality

12.1. Each Party must keep this Agreement and keep any information it receives about the other Party and its business in connection with this Agreement confidential. Neither party shall use or disclose to a third party (and shall use their best endeavours to prevent the publication or disclosure of), any Confidential Information without the prior written consent of the other Party except to the extent that: 

a) Disclosure is required by law; 

b) The relevant information is already in the public domain

13. Data Retention

13.1. In alignment with the Records Management Code of Practice for Health and Social Care 2021 recommendations for transactional records that are not themselves part of a care record, the Supplier has adopted the following retention periods for Personal Data: 

a) 90 days for data backups 

b) 2 years for data held on the servers

14. Notices

All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement or at such other address as notified from time to time by the Parties in writing. 

Appendix A

Sub-processor  Type of data Data Subject Purpose of processing 
Amazon AWS Name, date of birth, email, phone number, sex, address, ethnicity, photographs, letters, documents, medical data NHS Patients, their carers and NHS staff Web Hosting, Storage and Transmission 
4D Name, date of birth, email, phone number, sex, address, ethnicity, photographs, letters, documents, medical data. All this data is encrypted in transmission and in storage Patients, their carers and GP practice staff Web Hosting, Storage and Transmission 
Atlassian Names, addresses, emails, phone numbers NHS Staff and Silicon Practice Staff Service Desk, Ticketing and Task Management 
Google Suite Names, email addresses, phone numbers Silicon Practice Customers, Suppliers, Staff Email, Documents and File Storage 
Wirehive Name, date of birth, email, phone number, sex, address, ethnicity, photographs, letters, documents, medical data Patients, their carers and GP practice staff Web Hosting, Data Storage and Transmission 
Redcentric Names, addresses, emails, phone numbers, medical data NHS patients, NHS Staff, Silicon Practice Staff HSCN Connection 
Docman Name, email, phone number, sex, address, medical data NHS Patients Data Handler 
Brinkworth Virtual Business Centre Name, email, phone number Silicon Practice Customers, Suppliers Telephony 
OpenTok Name, date of birth, email address, medical details, image of patients, image of clinicians NHS Patients, NHS Staff Video Consultation 
BT Soprano Phone number, health data NHS Patients Sending text messages to patients 
CareIS Health data NHS Patients To transfer patient data from FootFall to the patient record in SystmOne 
Amazon SES Name, email NHS Patients, NHS Staff Emailing messages to patients and NHS Staff 
Zoho Corporation Names, addresses, emails, phone numbers NHS Staff and Silicon Practice Staff CRM system, Finance, Email