Restrictions on use of the Shared Information. 6.1. Each Party shall only process the Relevant Information as is necessary to achieve the Specified Purpose, and, in particular, shall not use or process Relevant Information for any other purpose unless agreed in writing by the Data Controller that released the information to the other. There shall be no other use or onward transmission of the Relevant Information to any third party without a lawful basis first being determined, and the originating Data Controller being notified.
6.2. Access to, and processing of, the Relevant Information provided by a Party must be the minimum necessary to achieve the Specified Purpose. Information and Sensitive Personal Data will be handled at all times on a restricted basis, in compliance with Information Law requirements, and Personnel should only have access to Personal Data on a justifiable Need to Know basis for the purpose of performing their duties in connection with the services they are there to deliver. The Need to Know requirement means that the Data Controllers’ Personnel will only have access to Personal Data or Sensitive Personal Data if it is lawful for such Personnel to have access to such data for the Specified Purpose and the function they are required to fulfil at that particular time, in relation to the Specified Purpose, cannot be achieved without access to the Personal Data or Sensitive Personal Data specified.
6.3. Having this Agreement in place does not give licence for unrestricted access to data that the other Data Controller may hold. It lays the parameters for the safe and secure sharing and processing of information for a justifiable Need to Know purpose.
6.4. Neither Party shall subcontract any processing of the Relevant Information without the prior written consent of the other Party. Where a Party subcontracts its obligations, it shall do so only by way of a written agreement with the sub-contractor which imposes the same obligations as are imposed on the Data Controllers under this Agreement.
6.5. Neither Party shall cause or allow Data to be transferred to any territory outside the European Economic Area without the prior written permission of the responsible Data Controller.
6.6. Any particular restrictions on use of certain Relevant Information are included in the attached Personal Data Agreement.
Appears in 11 contracts
Samples: Delegation Agreement, NHS England Primary Medical Services Delegation Agreement, Delegation Agreement
Restrictions on use of the Shared Information. 6.1. Each Party shall only process the Relevant Information as is necessary to achieve the Specified Purpose, and, in particular, shall not use or process Relevant Information for any other purpose unless agreed in writing by the Data Controller that released the information to the other. There shall be no other use or onward transmission of the Relevant Information to any third party without a lawful basis first being determined, and the originating Data Controller being notified.
6.2. Access to, and processing of, the Relevant Information provided by a Party must be the minimum necessary to achieve the Specified Purpose. Information and Special Category Personal Data will be handled at all times on a restricted basis, in compliance with Information Law requirements, and Personnel should only have access to Personal Data on a justifiable Need to Know basis for the purpose of performing their duties in connection with the services they are there to deliver. The Need to Know requirement means that the Data Controllers’ Personnel will only have access to Personal Data or Sensitive Personal Data if it is lawful for such Personnel to have access to such data for the Specified Purpose and the function they are required to fulfil at that particular time, in relation to the Specified Purpose, cannot be achieved without access to the Personal Data or Special Category Personal Data specified.
6.3. Having this Agreement in place does not give licence for unrestricted access to data that the other Data Controller may hold. It lays the parameters for the safe and secure sharing and processing of information for a justifiable Need to Know purpose.
6.4. Neither Party shall subcontract any processing of the Relevant Information without the prior written consent of the other Party. Where a Party subcontracts its obligations, it shall do so only by way of a written agreement with the sub-contractor which imposes the same obligations as are imposed on the Data Controllers under this Agreement.
6.5. Neither Party shall cause or allow Data to be transferred to any territory outside the European Economic Area without the prior written permission of the responsible Data Controller.
6.6. Any particular restrictions on use of certain Relevant Information are included in the attached Personal Data Agreement.
Appears in 5 contracts
Samples: Delegation Agreement, Delegation Agreement, Delegation Agreement
Restrictions on use of the Shared Information. 6.1. Each Party shall only process the Relevant Information as is necessary to achieve the Specified Purpose, and, in particular, shall not use or process Relevant Information for any other purpose unless agreed in writing by the Data Controller that released the information to the other. There shall be no other use or onward transmission of the Relevant Information to any third party without a lawful basis first being determined, and the originating Data Controller being notified.
6.2. Access to, and processing of, the Relevant Information provided by a Party must be the minimum necessary to achieve the Specified Purpose. Information and Sensitive Personal Data will be handled at all times on a restricted basis, in compliance with Information Law requirements, and Personnel should only have access to Personal Data on a justifiable Need to Know basis for the purpose of performing their duties in connection with the services they are there to deliver. The Need to Know requirement means that the Data Controllers’ Personnel will only have access to Personal Data or Sensitive Personal Data if it is lawful for such Personnel to have access to such data for the Specified Purpose and the function they are required to fulfil at that particular time, in relation to the Specified Purpose, cannot be achieved without access to the Personal Data or Sensitive Personal Data specified.
6.3. Having this Agreement in place does not give licence for unrestricted access to data that the other Data Controller may hold. It lays the parameters for the safe and secure sharing and processing of information for a justifiable Need to Know purpose.
6.4. Neither Party shall subcontract any processing of the Relevant Information without the prior written consent of the other Party. Where a Party subcontracts its obligations, it shall do so only by way of a written agreement with the sub-contractor which imposes the same obligations as are imposed on the Data Controllers under this Agreement.
6.5. Neither Party shall cause or allow Data to be transferred to any territory outside the European Economic Area without the prior written permission of the responsible Data Controller.
6.6. Any particular restrictions on use of certain Relevant Information are included in the attached Personal Data Agreement.
Appears in 2 contracts
Samples: Delegation Agreement, Delegation Agreement
Restrictions on use of the Shared Information. 6.1. Each Party shall only process the Relevant Information as is necessary to achieve the Specified Purpose, and, in particular, shall not use or process Relevant Information for any other purpose unless agreed in writing by the Data Controller that released the information to the other. There shall be no other use or onward transmission of the Relevant Information to any third party without a lawful basis first being determined, and the originating Data Controller being notified.
6.2. Access to, and processing of, the Relevant Information provided by a Party must be the minimum necessary to achieve the Specified Purpose. Information and Sensitive Personal Data will be handled at all times on a restricted basis, in compliance with Information Law requirements, and Personnel should only have access to Personal Data on a justifiable Need to Know basis for the purpose of performing their duties in connection with the services they are there to deliver. The Need to Know requirement means that the Data Controllers’ Personnel will only have access to Personal Data or Sensitive Personal Data if it is lawful for such Personnel to have access to such data for the Specified Purpose and the function they are required to fulfil at that particular time, in relation to the Specified Purpose, cannot be achieved without access to the Personal Data or Special Category Personal Data specified.
6.3. Having this Agreement in place does not give licence for unrestricted access to data that the other Data Controller may hold. It lays the parameters for the safe and secure sharing and processing of information for a justifiable Need to Know purpose.
6.4. Neither Party shall subcontract any processing of the Relevant Information without the prior written consent of the other Party. Where a Party subcontracts its obligations, it shall do so only by way of a written agreement with the sub-contractor which imposes the same obligations as are imposed on the Data Controllers under this Agreement.
6.5. Neither Party shall cause or allow Data to be transferred to any territory outside the European Economic Area without the prior written permission of the responsible Data Controller.
6.6. Any particular restrictions on use of certain Relevant Information are included in the attached Personal Data Agreement.
Appears in 1 contract
Samples: Delegation Agreement
Restrictions on use of the Shared Information. 6.1. Each Party shall only process the Relevant Information as is necessary to achieve the Specified Purpose and, in particular, shall not use or process Relevant Information for any other purpose unless agreed in writing by the Data Controller that released the information to the other. There shall be no other use or onward transmission of the Relevant Information to any third party without a lawful basis first being determined, and the originating Data Controller being notified.
6.2. Access to, and processing of, the Relevant Information provided by a Party must be the minimum necessary to achieve the Specified Purpose. Information and Special Category Personal Data will be handled at all times on a restricted basis, in compliance with Data Protection Legislation requirements, and the Parties’ Staff should only have access to Personal Data on a justifiable Need to Know basis.
6.3. Neither the provisions of this Schedule nor any associated Data Sharing Agreement and/or Data Processing Agreement should be taken to permit unrestricted access to data held by any of the Parties.
6.4. Neither Party shall subcontract any processing of the Relevant Information without the prior written consent of the other Party. Where a Party subcontracts its obligations, it shall do so only by way of a written agreement with the sub-contractor which imposes the same obligations as are imposed on that Party under this Agreement, and shall remain liable for the performance of the subcontractor’s obligations.
6.5. The Parties shall not cause or allow Relevant Information to be transferred to any territory outside the United Kingdom without the prior written permission of the responsible Data Controller.
6.6. Any particular restrictions on use of certain Relevant Information should be included in a Data Sharing Agreement and/or Data Processing Agreement. In addition to having a lawful basis for sharing information, the UK GDPR generally requires that the sharing must be fair and transparent. In order to achieve fairness and transparency to the Data Subjects, the Parties will take the following measures as reasonably required: amendment of internal guidance to improve awareness and understanding among Staff; amendment of respective privacy notices and policies to reflect the processing of data carried out further to this Agreement, including covering the requirements of articles 13 and 14 UK GDPR and providing these (or making them available to) Data Subjects; ensuring that information and communications relating to the processing of data is clear and easily accessible; and giving consideration to carrying out activities to promote public understanding of how data is processed where appropriate. Each Party shall procure that its notification to the Information Commissioner’s Office, and record of processing maintained for the purposes of Article 30 UK GDPR, reflects the flows of information under this Agreement. The Parties shall reasonably co-operate in undertaking any DPIA associated with the processing of data further to this Agreement, and in doing so engage with their respective Data Protection Officers in the performance by them of their duties pursuant to Article 39 UK GDPR. Further provision in relation to specific data flows may be included in a Data Sharing Agreement and/or Data Processing Agreement between the Parties. The Parties must take reasonable steps to ensure the suitability, reliability, training and competence, of any Staff who have access to Personal Data, and Special Category Personal Data, including ensuring reasonable background checks and evidence of completeness are available on request.
The Parties agree to treat all Relevant Information as confidential and imparted in confidence and must safeguard it accordingly. Where any of the Parties’ Staff are not healthcare professionals (for the purposes of the Data Protection Act 2018), the employing Parties must procure that Staff operate under a duty of confidentiality which is equivalent to that which would arise if that person were a healthcare professional. The Parties shall ensure that all Staff required to access Personal Data (including Special Category Personal Data) are informed of the confidential nature of the Personal Data. The Parties shall include appropriate confidentiality clauses in employment/service contracts of all Staff that have any access whatsoever to the Relevant Information, including details of sanctions for acting in a deliberate or reckless manner that may breach the confidentiality or the non-disclosure provisions of Data Protection Legislation requirements, or cause damage to or loss of the Relevant Information. Each Party shall provide evidence (further to any reasonable request) that all Staff that have any access to the Relevant Information whatsoever are adequately and appropriately trained to comply with their responsibilities under Data Protection Legislation and this Agreement. The Parties shall ensure that: only those Staff involved in delivery of the Agreement use or have access to the Relevant Information; that such access is granted on a strict Need to Know basis and shall implement appropriate access controls to ensure this requirement is satisfied and audited. Evidence of audit should be made freely available on request by the originating Data Controller; and specific limitations on the Staff who may have access to the Relevant Information are set out in any Data Sharing Agreement and/or Data Processing Agreement entered into in accordance with this Schedule. 
At all times, the Parties shall have regard to the requirements of Data Protection Legislation and the rights of Data Subjects. Wherever possible (in descending order of preference), only anonymised information, or, strongly or weakly pseudonymised information will be shared and processed by the Parties. The Parties shall co-operate in exploring alternative strategies to avoid the use of Personal Data in order to achieve the Specified Purpose. However, it is accepted that some Relevant Information shared further to this Agreement may be Personal Data or Special Category Personal Data. Processing of any Personal Data or Special Category Personal Data shall be to the minimum extent necessary to achieve the Specified Purpose, and on a Need to Know basis. If any Party becomes aware of: any unauthorised or unlawful processing of any Relevant Information or that any Relevant Information is lost or destroyed or has become damaged, corrupted or unusable; or any security vulnerability or breach in respect of the Relevant Information, it shall promptly, within 48 hours, notify the other Parties. The Parties shall fully co-operate with one another to remedy the issue as soon as reasonably practicable, and in making information about the incident available to the Information Commissioner and Data Subjects where required by Data Protection Legislation. 
In processing any Relevant Information further to this Agreement, the Parties shall process the Personal Data and Special Category Personal Data only: in accordance with the terms of this Agreement and otherwise (to the extent that it acts as a Data Processor for the purposes of Article 27-28 GDPR) only in accordance with written instructions from the originating Data Controller in respect of its Relevant Information including any instructions set out in a Data Processing Agreement entered into under this Schedule, unless required by law (in which case, the processor shall inform the relevant Data Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest); to the extent as is necessary for the provision of the Specified Purpose or as is required by law or any regulatory body; and in accordance with Data Protection Legislation requirements, in particular the principles set out in Article 5(1) and accountability requirements set out in Article 5(2) UK GDPR; and not in such a way as to cause any other Data Controller to breach any of their applicable obligations under Data Protection Legislation. The Parties shall act generally in accordance with Data Protection Legislation requirements. This includes implementing, maintaining and keeping under review appropriate technical and organisational measures to ensure and demonstrate that the processing of Personal Data is undertaken in accordance with Data Protection Legislation, and in particular to protect Personal Data (and Special Category Personal Data) against unauthorised or unlawful processing, and against accidental loss, destruction, damage, alteration or disclosure. 
These measures shall: take account of the nature, scope, context and purposes of processing as well as the risks, of varying likelihood and severity for the rights and freedoms of Data Subjects; and be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and Special Category Personal Data, and having the nature of the Personal Data and Special Category Personal Data which is to be protected. In particular, each Party shall: ensure that only Staff as provided under this Schedule have access to the Personal Data and Special Category Personal Data; ensure that the Relevant Information is kept secure and in an encrypted form, and shall use all reasonable security practices and systems applicable to the use of the Relevant Information to prevent and to take prompt and proper remedial action against, unauthorised access, copying, modification, storage, reproduction, display or distribution, of the Relevant Information; obtain prior written consent from the originating Party in order to transfer the Relevant Information to any third party; permit any other party or their representatives (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the data processing activities carried out further to this Agreement (and/or those of its agents, successors or assigns) and comply with all reasonable requests or directions to enable each Party to verify and/or procure that the other is in full compliance with its obligations under this Agreement; and if requested, provide a written description of the technical and organisational methods and security measures employed in processing Personal Data. The Parties shall adhere to the specific requirements as to information security set out in any Data Sharing Agreement and/or Data Processing Agreement entered into in accordance with this Schedule. 
The Parties shall use best endeavours to achieve and adhere to the requirements of the NHS Digital Data Security and Protection Toolkit. The Parties’ Single Points of Contact set out in paragraph Error: Reference source not found will be the persons who, in the first instance, will have oversight of third party security measures. This paragraph supplements paragraph 8 of this Schedule. Transfer of Personal Data between the Parties shall be done through secure mechanisms including use of the N3 network, encryption, and approved secure (XXX.xxx or gcsx) e-mail. Wherever possible, Personal Data should be transmitted and held in pseudonymised form, with only reference to the NHS number in 'clear' transmissions. Where there are significant consequences for the care of the patient, then additional data items, such as the postcode, date of birth and/or other identifiers should also be transmitted, in accordance with good information governance and clinical safety practice, so as to ensure that the correct patient record and/or data is identified. Any other special measures relating to security of transfer should be specified in a Data Sharing Agreement and/or Data Processing Agreement entered into in accordance with this Schedule. Each Party shall keep an audit log of Relevant Information transmitted and received in the course of this Agreement. The Parties’ Single Point of Contact notified pursuant to paragraph 13 will be the persons who, in the first instance, will have oversight of the transmission of information between the Parties.
Appears in 1 contract
Samples: Delegation Agreement
Restrictions on use of the Shared Information. 6.1. Each Party shall only process the Relevant Information as is necessary to achieve the Specified Purpose, and, in particular, shall not use or process Relevant Information for any other purpose unless agreed in writing by the Data Controller that released the information to the other. There shall be no other use or onward transmission of the Relevant Information to any third party without a lawful basis first being determined, and the originating Data Controller being notified.
6.2. Access to, and processing of, the Relevant Information provided by a Party must be the minimum necessary to achieve the Specified Purpose. Information and Special Categories of Personal Data will be handled at all times on a restricted basis, in compliance with Information Law requirements, and Personnel should only have access to Personal Data on a justifiable Need to Know basis for the purpose of performing their duties in connection with the services they are there to deliver. The Need to Know requirement means that the Data Controllers’ Personnel will only have access to Personal Data or Special Categories of Personal Data if it is lawful for such Personnel to have access to such data for the Specified Purpose and the function they are required to fulfil at that particular time, in relation to the Specified Purpose, cannot be achieved without access to the Personal Data or Special Categories of Personal Data specified.
6.3. Having this Agreement in place does not give licence for unrestricted access to data that the other Data Controller may hold. It lays the parameters for the safe and secure sharing and processing of information for a justifiable Need to Know purpose.
6.4. Neither Party shall subcontract any processing of the Relevant Information without the prior written consent of the other Party. Where a Party subcontracts its obligations, it shall do so only by way of a written agreement with the sub-contractor which imposes the same obligations as are imposed on the Data Controllers under this Agreement.
6.5. Neither Party shall cause or allow Data to be transferred to any territory outside the European Economic Area without the prior written permission of the responsible Data Controller.
6.6. Any particular restrictions on use of certain Relevant Information are included in the attached Personal Data Agreement.
Appears in 1 contract
Samples: Delegation Agreement