Common use of Information Governance Clause in Contracts

Information Governance.

2.1 The Parties must comply with Data Protection Legislation, Data Guidance, the FOIA and the EIR, and must assist each other as necessary to enable each other to comply with these obligations.

2.2 The Provider must:
2.2.1 nominate an Information Governance Lead;
2.2.2 nominate a Caldicott Guardian and Senior Information Risk Owner, each of whom must be a member of the Provider’s Governing Body;
2.2.3 where required by Data Protection Legislation, nominate a Data Protection Officer;
2.2.4 ensure that the Authority is kept informed at all times of the identities and contact details of the Information Governance Lead, Data Protection Officer, Caldicott Guardian and the Senior Information Risk Owner; and
2.2.5 ensure that the Authority and NHS Digital are kept informed at all times of the identities and contact details of the Information Governance Lead, Data Protection Officer, Caldicott Guardian and the Senior Information Risk Owner.

2.3 The Provider must adopt and implement the National Data Guardian's Data Security Standards and must comply with further Guidance issued by the Department of Health and Social Care, the Authority, any National Data Guardian for Health and Care and/or NHS Digital pursuant to or in connection with those standards. The Provider must be able to demonstrate its compliance with those standards in accordance with the requirements and timescales set out in such guidance, including its adherence to data security standards and requirements for enabling patient choice.

2.4 The Provider must, at least once annually, audit its practices against quality statements regarding data sharing set out in NICE Clinical Guideline 138.

2.5 The Provider must report and publish any Data Breach and any Information Governance Breach in accordance with IG Guidance for Serious Incidents. If the Provider is required under Data Protection Legislation to notify the Information Commissioner or a Data Subject of a Personal Data Breach then as soon as reasonably practical and in any event on or before the first such notification is made the Provider must inform the Authority of the Personal Data Breach. This paragraph does not require the Provider to provide the Authority with information which identifies any individual affected by the Personal Data Breach where doing so would breach Data Protection Legislation.

2.6 The Provider must have in place a communications strategy and implementation plan to ensure that Service Users are provided with, or have made readily available to them, Privacy Notices, and to disseminate nationally-produced patient information materials. Any failure by the Provider to inform Service Users as required by Data Protection Legislation or Data Guidance about the uses of Personal Data that may take place under this Framework Agreement cannot be relied on by the Provider as evidence that such use is unlawful and therefore not contractually required.

2.7 Whether or not a Party or Sub-Contractor is a Data Controller or Data Processor will be determined in accordance with Data Protection Legislation and the Information Commissioner's guidance on Data Controllers and Data Processors and any further Data Guidance. The Parties acknowledge that a Party or Sub-Contractor may act as both a Data Controller and a Data Processor. The Parties consider that:
2.7.1 in relation to Personal Data processed by the Provider for the purpose of delivering the Services the Provider will be sole Data Controller; and
2.7.2 in relation to Personal Data the processing of which is required by the Authority for the purposes of quality assurance, performance management and contract management, the Authority and the Provider will be joint Data Controllers.

2.8 The Provider must ensure that all Personal Data processed by or on behalf of the Provider in the course of delivering the Services is processed in accordance with the relevant Parties’ obligations under Data Protection Legislation and Data Guidance and in accordance with the provisions of any relevant Contract.

2.9 In relation to Personal Data processed by the Provider in the course of delivering the Services, the Provider must publish, maintain and operate:
2.9.1 policies relating to confidentiality, data protection and information disclosures that comply with the Law, the Caldicott Principles and Good Practice;
2.9.2 policies that describe the personal responsibilities of Staff for handling Personal Data;
2.9.3 a policy that supports the Provider’s obligations under the NHS Care Records Guarantee;
2.9.4 agreed protocols to govern the sharing of Personal Data with partner organisations; and
2.9.5 where appropriate, a system and a policy in relation to the recording of any telephone calls or other telehealth consultations in relation to the Services, including the retention and disposal of those recordings,
and apply those policies and protocols conscientiously.

2.10 Where the Authority requires information for the purposes of quality management of care processes, the Provider must consider whether the Authority's request can be met by providing anonymised or aggregated data which does not contain Personal Data. Where Personal Data must be shared in order to meet the requirements of the Authority, the Provider must:
2.10.1 provide such information in pseudonymised form where possible; and in any event
2.10.2 ensure that there is a legal basis for the sharing of Personal Data.

2.11 Notwithstanding paragraph 2.10 of this Schedule 2, the Provider must (unless it can lawfully justify non-disclosure) disclose defined or specified confidential patient information to or at the request of the Authority where support has been provided under the Section 251 Regulations, respecting any individual Service User’s objections and complying with other conditions of the relevant approval.

2.12 Where the Provider, in the course of delivering the Services, acts as a Data Processor on behalf of a Participating Authority, the provisions of Schedule 6F (Provider Data Processing Agreement) of the Call-off Terms and Conditions will apply.

2.13 Subject always to Clause 32, if the Provider is to engage any Sub-Contractor to deliver any part of the Services (other than as a Data Processor) and the Sub-Contractor is to access personal or confidential information or interact with Service Users, the Provider must impose on its Sub-Contractor obligations that are no less onerous than the obligations imposed on the Provider by this Schedule 2.

2.14 Subject always to Clause 32, if the Provider is to require any Sub-Contractor to act as a Data Processor on its behalf, the Provider must:
2.14.1 require that Sub-Contractor to provide sufficient guarantees in respect of its technical and organisational security measures governing the data processing to be carried out, and take reasonable steps to ensure compliance with those measures;
2.14.2 carry out and record appropriate due diligence before the Sub-Contractor processes any Personal Data in order to demonstrate compliance with Data Protection Legislation; and
2.14.3 as far as practicable include in the terms of the sub-contract terms equivalent to those set out in Schedule 6F (Provider Data Processor Agreement) of the Call-off Terms and Conditions and in any event ensure that the Sub-Contractor is engaged under the terms of a binding written agreement requiring the Sub-Contractor to:
2.14.3.1 process Personal Data only in accordance with the Provider's instructions as set out in the written agreement, including instructions regarding transfers of Personal Data outside the EU or to an international organisation unless such transfer is required by Law, in which case the Data Processor shall inform the Provider of that requirement before processing takes place, unless this is prohibited by law on the grounds of public interest;
2.14.3.2 ensure that persons authorised to process the Personal Data on behalf of the Sub-Contractor have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality;

Appears in 1 contract

Samples: Framework Agreement

Information Governance.

The Parties acknowledge their respective obligations arising under FOIA, DPA 2018, UKGDPR and HRA, and under the common law duty of confidentiality, and must assist each other as necessary to enable each other to comply with these obligations.

The Provider must complete and publish an annual information governance assessment using the NHS Data Security & Protection Toolkit.

The Provider must:
nominate an Information Governance Lead, to be responsible for information governance and for providing the Provider’s Governing Body with regular reports on information governance matters, including details of all incidents of data loss and breach of confidence;
nominate a Caldicott Guardian and Senior Information Risk Owner, each of whom must be a member of the Provider’s Governing Body;
ensure that the Commissioner is kept informed at all times of the identities and contact details of the Information Governance Lead, Data Protection Officer, Caldicott Guardian and the Senior Information Risk Owner.

The Provider must adopt and implement the recommendations of the National Data Guardian for Health Review of Data Security, Consent and Opt-outs (Caldicott 3).

The Provider must, in each Contract Year, audit its practices against quality statements regarding data sharing set out in NICE Clinical Guideline 138.

The Provider must achieve compliance with the mandatory requirements in the NHS Data Security & Protection Toolkit.

The Provider must report and publish any Data Breach and any Information Governance Breach in accordance with IG Guidance for Serious Incidents.

The Provider acknowledges that the Commissioners are subject to the requirements of the FOIA. The Provider must assist and co-operate with each Commissioner to enable it to comply with its disclosure obligations under the FOIA. The Provider agrees:
that this Contract and any other recorded information held by the Provider on a Commissioner’s behalf for the purposes of this Contract are subject to the obligations and commitments of the Commissioner under FOIA;
that the decision on whether any exemption to the general obligations of public access to information applies to any request for information received under FOIA is a decision solely for the Commissioner to whom the request is addressed;
that where the Provider receives a request for information under FOIA and the Provider itself is subject to FOIA, it will liaise with the relevant Commissioner as to the contents of any response before a response to a request is issued and will promptly (and in any event within 2 Operational Days) provide a copy of the request and any response to the relevant Commissioner;
that where the Provider receives a request for information under FOIA and the Provider is not itself subject to FOIA, it will not respond to that request (unless directed to do so by the relevant Commissioner to whom the request relates) and will promptly (and in any event within 2 Operational Days) transfer the request to the relevant Commissioner;
that any Commissioner, acting in accordance with the codes of practice issued and revised from time to time under both section 45 of FOIA, and regulation 16 of the Environmental Information Regulations 2004, may disclose information concerning the Provider and this Contract either without consulting with the Provider, or following consultation with the Provider and having taken its views into account; and
to assist the Commissioners in responding to a request for information, by processing information or environmental information (as the same are defined in FOIA) in accordance with a records management system that complies with all applicable records management recommendations and codes of conduct issued under section 46 of FOIA, and providing copies of all information requested by that Commissioner within 5 Operational Days of that request and without charge.

Notwithstanding any other term of this Contract, the Provider consents to the publication of this Contract in its entirety (including variations), subject only to the redaction of information that is exempt from disclosure in accordance with the provisions of FOIA.

The Provider shall not discriminate between or against Service Users or Carers on the grounds of gender, age, ethnicity or race, disability, religion or belief, sexual orientation or any other protected characteristics under the Equality Act 2010. The Provider shall provide appropriate assistance and make reasonable adjustments for Service Users and Carers who do not speak, read or write English or who have communication difficulties (including without limitation hearing, oral or learning impairments). The Provider shall have due regard in its performance of this Agreement to the need contemplated by the Equality Act 2010 to: eliminate unlawful discrimination and harassment; promote equality of opportunity; make reasonable adjustments for disabled persons to assist them overcome any substantial difficulties which they face even where that involves treating disabled persons more favourably than other persons; promote positive attitudes towards persons who have a protected characteristic under the Equality Act 2010.

Appears in 1 contract

Samples: Service Level Agreement

Information Governance.

The Parties acknowledge their respective obligations arising under FOIA, DPA and HRA, and under the common law duty of confidentiality, and must assist each other as necessary to enable each other to comply with these obligations.

The Provider must complete and publish an annual information governance assessment using the NHS Information Governance Toolkit.

The Provider must:
nominate an Information Governance Lead, to be responsible for information governance and for providing the Provider’s Governing Body with regular reports on information governance matters, including details of all incidents of data loss and breach of confidence;
nominate a Caldicott Guardian and Senior Information Risk Owner, each of whom must be a member of the Provider’s Governing Body;
ensure that the Commissioner is kept informed at all times of the identities and contact details of the Information Governance Lead, Data Protection Officer, Caldicott Guardian and the Senior Information Risk Owner.

The Provider must adopt and implement the recommendations of the Caldicott Information Governance Review and the Department of Health Response to Caldicott.

The Provider must, in each Contract Year, audit its practices against quality statements regarding data sharing set out in NICE Clinical Guideline 138.

The Provider must achieve a minimum level 2 performance against all requirements in the relevant NHS Information Governance Toolkit.

The Provider must report and publish any Data Breach and any Information Governance Breach in accordance with IG Guidance for Serious Incidents.

The Provider acknowledges that the Commissioners are subject to the requirements of the FOIA. The Provider must assist and co-operate with each Commissioner to enable it to comply with its disclosure obligations under the FOIA. The Provider agrees:
that this Contract and any other recorded information held by the Provider on a Commissioner’s behalf for the purposes of this Contract are subject to the obligations and commitments of the Commissioner under FOIA;
that the decision on whether any exemption to the general obligations of public access to information applies to any request for information received under FOIA is a decision solely for the Commissioner to whom the request is addressed;
that where the Provider receives a request for information under FOIA and the Provider itself is subject to FOIA, it will liaise with the relevant Commissioner as to the contents of any response before a response to a request is issued and will promptly (and in any event within 2 Operational Days) provide a copy of the request and any response to the relevant Commissioner;
that where the Provider receives a request for information under FOIA and the Provider is not itself subject to FOIA, it will not respond to that request (unless directed to do so by the relevant Commissioner to whom the request relates) and will promptly (and in any event within 2 Operational Days) transfer the request to the relevant Commissioner;
that any Commissioner, acting in accordance with the codes of practice issued and revised from time to time under both section 45 of FOIA, and regulation 16 of the Environmental Information Regulations 2004, may disclose information concerning the Provider and this Contract either without consulting with the Provider, or following consultation with the Provider and having taken its views into account; and
to assist the Commissioners in responding to a request for information, by processing information or environmental information (as the same are defined in FOIA) in accordance with a records management system that complies with all applicable records management recommendations and codes of conduct issued under section 46 of FOIA, and providing copies of all information requested by that Commissioner within 5 Operational Days of that request and without charge.

Except for any information which is exempt from disclosure in accordance with the provisions of FOIA, the content of this Contract is not Confidential Information. Notwithstanding any other term of this Contract, the Provider consents to the publication of this Contract in its entirety (including variations), subject only to the redaction of information that is exempt from disclosure in accordance with the provisions of FOIA.

Appears in 1 contract

Samples: Service Level Agreement

Information Governance. 2.1 The Parties must comply with Data Protection Legislation, Data Guidance, the FOIA and the EIR, and must assist each other as necessary to enable each other to comply with these obligations. 2.2 The Provider must: 2.2.1 nominate an Information Governance Lead; 2.2.2 nominate a Caldicott Guardian and Senior Information Risk Owner, each of whom must be a member of the Provider’s Governing Body; 2.2.3 where required by Data Protection Legislation, nominate a Data Protection Officer; 2.2.4 ensure that the Authority is kept informed at all times of the identities and contact details of the Information Governance Lead, Data Protection Officer, Caldicott Guardian and the Senior Information Risk Owner; and 2.2.5 ensure that the Authority and NHS Digital are kept informed at all times of the identities and contact details of the Information Governance Lead, Data Protection Officer, Caldicott Guardian and the Senior Information Risk Owner. 2.3 The Provider must adopt and implement the National Data Guardian's Data Security Standards and must comply with further Guidance issued by the Department of Health and Social Care, the Authority, any National Data Guardian for Health and Care and/or NHS Digital pursuant to or in connection with those standards. The Provider must be able to demonstrate its compliance with those standards in accordance with the requirements and timescales set out in such guidance, including its adherence to data security standards and requirements for enabling patient choice. 2.4 The Provider must, at least once annually, audit its practices against quality statements regarding data sharing set out in NICE Clinical Guideline 138. 2.5 The Provider must report and publish any Data Breach and any Information Governance Breach in accordance with IG Guidance for Serious Incidents. 
If the Provider is required under Data Protection Legislation to notify the Information Commissioner or a Data Subject of a Personal Data Breach then as soon as reasonably practical and in any event on or before the first such notification is made the Provider must inform the Authority of the Personal Data Breach. This paragraph does not require the Provider to provide the Authority with information which identifies any individual affected by the Personal Data Breach where doing so would breach Data Protection Legislation. 2.6 The Provider must have in place a communications strategy and implementation plan to ensure that Service Users are provided with, or have made readily available to them, Privacy Notices, and to disseminate nationally-produced patient information materials. Any failure by the Provider to inform Service Users as required by Data Protection Legislation or Data Guidance about the uses of Personal Data that may take place under this Framework Agreement cannot be relied on by the Provider as evidence that such use is unlawful and therefore not contractually required. 2.7 Whether or not a Party or Sub-Contractor is a Data Controller or Data Processor will be determined in accordance with Data Protection Legislation and the Information Commissioner's guidance on Data Controllers and Data Processors and any further Data Guidance. The Parties acknowledge that a Party or Sub-Contractor may act as both a Data Controller and a Data Processor. The Parties consider that: 2.7.1 in relation to Personal Data processed by the Provider for the purpose of delivering the Services the Provider will be sole Data Controller; and 2.7.2 in relation to Personal Data the processing of which is required by the Authority for the purposes of quality assurance, performance management and contract management, the Authority and the Provider will be joint Data Controllers. 
2.8 The Provider must ensure that all Personal Data processed by or on behalf of the Provider in the course of delivering the Services is processed in accordance with the relevant Parties’ obligations under Data Protection Legislation and Data Guidance and in accordance with the provisions of any relevant Contract. 2.9 In relation to Personal Data processed by the Provider in the course of delivering the Services, the Provider must publish, maintain and operate: 2.9.1 policies relating to confidentiality, data protection and information disclosures that comply with the Law, the Caldicott Principles and Good Practice; 2.9.2 policies that describe the personal responsibilities of Staff for handling Personal Data; 2.9.3 a policy that supports the Provider’s obligations under the NHS Care Records Guarantee; 2.9.4 agreed protocols to govern the sharing of Personal Data with partner organisations; and 2.9.5 where appropriate, a system and a policy in relation to the recording of any telephone calls or other telehealth consultations in relation to the Services, including the retention and disposal of those recordings, and apply those policies and protocols conscientiously. 2.10 Where the Authority requires information for the purposes of quality management of care processes, the Provider must consider whether the Authority's request can be met by providing anonymised or aggregated data which does not contain Personal Data. Where Personal Data must be shared in order to meet the requirements of the Authority, the Provider must: 2.10.1 provide such information in pseudonymised form where possible; and 2.10.2 in any event ensure that there is a legal basis for the sharing of Personal Data. 
2.11 Notwithstanding paragraph 2.10 of this Schedule 2, the Provider must (unless it can lawfully justify non-disclosure) disclose defined or specified confidential patient information to or at the request of the Authority where support has been provided under the Section 251 Regulations, respecting any individual Service User’s objections and complying with other conditions of the relevant approval. 2.12 Where the Provider, in the course of delivering the Services, acts as a Data Processor on behalf of a Participating Authority, the provisions of Schedule 6F (Provider Data Processing Agreement) of the Call-off Terms and Conditions will apply. 2.13 Subject always to Clause 32, if the Provider is to engage any Sub-Contractor to deliver any part of the Services (other than as a Data Processor) and the Sub-Contractor is to access personal or confidential information or interact with Service Users, the Provider must impose on its Sub-Contractor obligations that are no less onerous than the obligations imposed on the Provider by this Schedule 2. 
2.14 Subject always to Clause 32, if the Provider is to require any Sub-Contractor to act as a Data Processor on its behalf, the Provider must: 2.14.1 require that Sub-Contractor to provide sufficient guarantees in respect of its technical and organisational security measures governing the data processing to be carried out, and take reasonable steps to ensure compliance with those measures; 2.14.2 carry out and record appropriate due diligence before the Sub-Contractor processes any Personal Data in order to demonstrate compliance with Data Protection Legislation; and 2.14.3 as far as practicable include in the terms of the sub-contract terms equivalent to those set out in Schedule 6F (Provider Data Processor Agreement) of the Call-off Terms and Conditions and in any event ensure that the Sub-Contractor is engaged under the terms of a binding written agreement requiring the Sub-Contractor to: 2.14.3.1 process Personal Data only in accordance with the Provider's instructions as set out in the written agreement, including instructions regarding transfers of Personal Data outside the EU or to an international organisation unless such transfer is required by Law, in which case the Data Processor shall inform the Provider of that requirement before processing takes place, unless this is prohibited by law on the grounds of public interest; 2.14.3.2 ensure that persons authorised to process the Personal Data on behalf of the Sub-Contractor have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality; 2.14.3.3 comply at all times with obligations equivalent to those imposed on the Provider by Article 32 of the UK GDPR and equivalent provisions in the DPA 2018; 2.14.3.4 impose obligations as set out in this paragraph 2.14.3 on any Sub-processor appointed by the Sub-Contractor; 2.14.3.5 taking into account the nature of the processing, assist the Provider by taking appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Provider’s obligation to respond to requests for exercising rights granted to individuals by Data Protection Legislation; 2.14.3.6 assist the Provider in ensuring compliance with the obligations set out at Articles 32 to 36 of the UK GDPR and equivalent provisions implemented into Law, taking into account the nature of processing and the information available to the Sub-Contractor; 2.14.3.7 at the choice of the Provider, delete or return all Personal Data to the Provider after the end of the provision of services relating to processing, and delete existing copies unless the Law requires storage of the Personal Data; 2.14.3.8 create and maintain a record of all categories of data processing activities carried out under the Sub-Contract, containing: 2.14.3.8.1 the name and contact details of the Data Protection Officer (where required by Data Protection Legislation to have one); 2.14.3.8.2 the categories of processing carried out on behalf of the Provider; 2.14.3.8.3 where applicable, transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation and, where relevant, the documentation of suitable safeguards; and 2.14.3.8.4 a general description of the technical and organisational security measures taken to ensure the security and integrity of the Personal Data processed under this Agreement; 2.14.3.9 guarantee that it has technical and organisational measures in place that are sufficient to ensure that the processing complies with Data Protection Legislation and ensures that the rights of Data Subjects are protected; 2.14.3.10 allow rights of audit and inspection in respect of relevant data handling systems to the Provider or to the Authority or to any person authorised by the Provider or by the Authority to act on its behalf; and 2.14.3.11 impose on its own Sub-Contractors (in the event the Sub-Contractor further sub-contracts any of its obligations under the Sub-Contract) obligations that are substantially equivalent to the obligations imposed on the Sub-Contractor by this paragraph 2.14. 
2.15 The agreement required by paragraph 2.14 must also set out: 2.15.1 the subject matter of the processing; 2.15.2 the duration of the processing; 2.15.3 the nature and purposes of the processing; 2.15.4 the type of personal data processed; 2.15.5 the categories of data subjects; and 2.15.6 the plan for return and destruction of the data once processing is complete unless the Law requires that the data is preserved.

Appears in 1 contract

Samples: Framework Agreement
