EU Joint Data Controller Agreement
This Agreement is dated .
PARTIES
A. Patients Know Best (“PKB”); and
B. The Providers (listed in Schedule 4), (“Providers”), each a “Party” and together the “Parties”.
BACKGROUND
The Lead Controller has contracted with PKB under the Commissioning Contract to provide patients with access to and some control of their health data. The PKB platform facilitates patient access to their health data contributed by the Providers and facilitates the patient to add information which may be viewed by their health and care providers and other people of their choosing. The Providers are all organisations with a legal duty to provide care to individuals / OR are all organisations who have a contractual relationship to provide care to individuals, to which PKB supports the facilitation of this duty.
Data received by PKB from the Providers, and prior to the patient accessing their health data, is here referred to as the Patient Record. PKB and the Providers are Joint Controllers for all personal data within the Patient Record.
Where a Patient has activated access to their health data, any personal data entered by them but not viewed by a clinician is referred to as the Patient Account.
Data entered by a Patient and viewed by a clinician becomes a part of the Patient Record.
For the avoidance of doubt, PKB is solely the Controller for data within the Patient Account.
The Parties consider it is necessary to use certain Personal Data between them to give effect to the objectives of the Processing and the Data Processing Contract (“Agreement”) sets out the framework for such use, including the principles and procedures that the Parties shall adhere to and the responsibilities the Parties owe to each other.
DEFINITIONS AND INTERPRETATION
Unless specifically provided for in this Agreement, the following terms shall have the following meanings:
“Agreed Purposes” | has the meaning given in clause 7; |
“Commencement Date” | has the meaning given in clause 5.1; |
“Controller”, , “Personal Data”, “Personal Data Breach”, “Processing” (including “Process” and “Processed”), and “Special Categories of Personal Data” | have the meaning given in the GDPR; |
“Commissioning Contract” | means the commercial arrangement between the Parties; |
“Data Opt-Out” | means the opt-out mechanism operated by the Provider that allows patients to opt-out of the use of their data for research or planning purposes; |
“Data Protection Law” or “Data Protection Legislation” | means the GDPR, the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and all applicable laws and regulations relating to Processing of Personal Data and privacy; |
“Data Subject” or “Patient” | means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person in any PKB Data; |
“Data Subject Request” | means a request from a Data Subject under Data Protection Law in respect of PKB Data; |
“GDPR” | means the General Data Protection Regulation (Regulation (EU) 2016/679); |
“Governance Committee” | The Governance Committee (GC) comprises nominated representatives of all provider signatories in Schedule 4, typically the Data Protection Officer of each, and representatives of PKB, together the controllers. The GC will be responsible for ensuring that the contractual terms are met in respect of data protection laws, for monitoring and reporting on compliance, collaboration where desirable, and identifying and recommending changes to processing activities to the Lead Controller; |
“Lead Controller” | means the party contracting with PKB either solely or on behalf of the Providers and named in the Commissioning Contract; |
“PKB Data” | means all personal data held on the PKB platform, both Patient Record and Patient Account; |
“Responsible Controller” | has the meaning given in clause 11.7. |
“Services”, “Platform”, “Solution” | means the PKB software and architecture, infrastructure and operations. |
“Third Party Communication” | has the meaning given in clause 11.5. |
The following rules of interpretation apply to this Agreement:
clause, schedule, and paragraph headings shall not affect the interpretation of this Agreement.
a person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality).
the Schedules form part of this Agreement and shall have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Schedules;
unless the context otherwise requires, words in the singular shall include the plural and, in the plural, shall include the singular;
a reference to a statute, statutory provision or other legal instrument is a reference to it as amended, extended, or re-enacted from time to time; and
any words following the terms including, include, in particular, for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.
In the event and to the extent of a conflict between:
the main body of this Agreement and the Schedules, except as expressly stated otherwise, the main body of this Agreement shall prevail to the extent of such conflict.
SCOPE AND APPLICATION
This Agreement applies to the processing of Personal Data on the PKB Platform. Any reference in this Agreement to PKB Data shall be interpreted as a reference to any Personal Data held on the PKB Platform.
For the purpose of Data Protection Laws, this Arrangement shall prevail in the event of a conflict with the Commissioning Contract and any other agreement between the Parties and PKB.
For the avoidance of doubt, PKB will comply with all necessary data protection obligations where acting as sole controller.
Where PKB Data under this Agreement is accessed by another Organisation, that organisation shall be considered a Third Party under Article 4 (10) of GDPR.
COMMENCEMENT AND DURATION
This Agreement shall commence on the date set out at the top of it (the “Commencement Date”) and shall continue in accordance with its terms.
PATIENT AND REGULATORY ENGAGEMENT
Prior to the commencement of Processing, in respect of the activities contemplated by this Agreement, the Parties shall cooperate with each other to:
conduct patient engagement activities to assist the Parties in considering the views of patients; and
develop supporting materials for the provision of information to patients regarding the Processing of PKB Data;
For a period of not less than eight weeks, promote by all reasonably available and effective communication channels with patients and the public the proposed processing activity, purpose, risks and expected benefits using a layered approach and notifying and explaining the right and process for opting out.
Following the commencement of processing activity, the Providers will continue to promote the proposed processing activity in accordance with their duty of transparency.
AGREED PURPOSES
The Parties agree to only Process PKB Data under this Agreement for:
The provision of health and social treatment and care;
Providing a platform for patients to access and add to their PKB health record;
Allowing patients to determine which organisations can view their profile;
Maintaining a patient level record for statutory period;
The maintenance by PKB of the PKB platform and data held on it;
each of the above, an “Agreed Purpose”.
LAWFUL BASES FOR PROCESSING AND CLASSIFICATION OF PARTIES
The lawful bases for each Party’s Processing of Personal Data and the classification of the Parties for the purposes of Data Protection Law under this Agreement is set out in Schedule 2.
PROVIDER’S RESPONSIBILITY FOR PATIENT-FACING COMMUNICATIONS
Generally,
9.1.1 Except where expressly stated in this Agreement or agreed by the Parties in writing, Providers shall be responsible for all communications with Data Subjects relating to PKB Data, prior to the creation of the Patient Account:
the provision of information to Data Subjects in accordance with Article 13 and 14 of the GDPR;
responding to Data Subject Requests as set out in clause 9.2;
notifying Data Subjects of a Personal Data Breach where such notification is required by Data Protection Law.
9.1.2 Notwithstanding the above, each of the Parties acknowledges that a Data Subject may exercise its rights under Data Protection Law against any of the Parties in respect of PKB Data processed under this Agreement and nothing in this Agreement shall prevent either Party from complying with its obligations under Data Protection Law.
9.2 Data Subject Requests.
If either Party receives a Data Subject Request related to PKB Data:
it shall notify the other within five (5) Business Days of receiving the Data Subject Request;
each Provider shall be responsible for responding to the Data Subject Request received by them;
PKB shall provide Providers with reasonable assistance in responding to the Data Subject Request including, taking into account the nature of the Processing, assisting Providers by appropriate technical and organisational measures, insofar as this is possible to respond to requests from Data Subjects exercising their rights under Data Protection Law; and
Providers shall keep PKB reasonably informed as to the status and resolution of the Data Subject Request.
DATA MINIMISATION (INCLUDING OPT-OUT) AND PSEUDONYMISATION
Taking into account the cost of implementation and the nature, scope, context and purposes of Processing as well as the risks of varying likelihood and severity for rights and freedoms of Data Subjects, each Party shall implement appropriate technical and organisational measures, including pseudonymisation, to ensure that the use of Personal Data in relation to the processing is minimised.
Before any Personal Data is shared by the Providers with PKB, the Providers shall:
identify and remove the Personal Data of any Data Subjects who have opted out of data being loaded to the PKB platform through a locally operated and promoted Opt-Out scheme;
implement data minimisation measures as required by this clause 10 and as may be agreed by the Parties from time to time to ensure only approved data is loaded to the PKB platform; and
Each Party shall periodically review data minimisation measures implemented in accordance with this clause 10, and may agree with the other Party further steps to be taken to ensure the minimisation of Personal Data within PKB Data as may be required by Data Protection Law and in any case no less than every three years.
GENERAL OBLIGATIONS OF THE PARTIES
Each Party shall implement appropriate technical and organisational measures to protect Personal Data against unauthorised or accidental access, loss, alteration, disclosure, destruction or other unauthorised or unlawful forms of Processing (such measures may include, where appropriate, the pseudonymisation and encryption of PKB Data and other measures referred to in Article 32(1) of the GDPR).
Each Party shall ensure that its personnel who have access to PKB Data for the performance of this Agreement are under an obligation of confidentiality and ensure that such access is limited to those individuals who need to know and access PKB Data.
Upon becoming aware of a Personal Data Breach relating to PKB Data, each Party shall:
notify the other Party in writing without undue delay, and in any event within forty-eight (48) hours, (such notification to include the provision of information as is required under Data Protection Law in respect of the Personal Data Breach);
promptly take reasonable steps to investigate, mitigate and remediate the Personal Data Breach; and
provide reasonable assistance to the other Party, in relation to the other Party’s efforts to investigate, mitigate and remediate the Personal Data Breach.
PKB shall not transfer PKB Data from the European Economic Area to another jurisdiction without the prior written approval of the Providers and without putting in place appropriate safeguards where required for compliance with Data Protection Law.
Each Party shall notify the other Parties in writing within five (5) Business Days if it receives a “Third Party Communication” including but not limited to:
any communication from a Supervisory Authority or any other regulatory authority in connection with PKB Data or;
a request from any third party for disclosure of PKB Data where compliance with such request is required or purported to be required by Applicable Law,
Each Party shall provide the other Party with reasonable assistance in responding to any Third Party Communication and shall work with the other Party to determine the most appropriate Controller to respond to any Third Party Communication (the “Responsible Controller”) provided that nothing in this Agreement shall prevent a Party from responding to a Third Party Communication to the extent required by Applicable Law.
The Responsible Controller shall keep the other Party informed as to the status of the resolution of any Third-Party Communication, and the Parties shall provide all such assistance to one another as may be reasonably requested in respect of the same.
Each Party shall provide reasonable assistance to the other Party in ensuring compliance with its obligations under Data Protection Law taking into account the nature of the Processing for the purposes of this Agreement and the information available to it, including in respect of each Party’s obligations as set out in this Agreement relating to:
security of Processing;
notification of a Personal Data Breach to a Supervisory Authority;
communication of a Personal Data Breach to the affected Data Subjects; and
Data Protection Impact Assessments and any subsequent consultations with a Supervisory Authority.
Each Party shall provide the other Party with such information as the other Party may reasonably request to demonstrate compliance with this Agreement, and if the requesting Party (acting reasonably) considers that such information does not demonstrate the other Party’s compliance with this Agreement, to allow for audits, including inspections, by the requesting Party or an auditor mandated by the requesting Party to verify the other Party’s compliance with this Agreement subject to:
such audit or inspection being conducted during the other Party’s usual business hours and on reasonable advance notice; and
the Party conducting the audit and any third-party auditor:
using reasonable endeavours to minimise any disruption on the other Party’s business; and
complying with any reasonable requirements imposed by the other Party to protect the safety, integrity and security of its premises and systems, and the confidentiality of the other Party’s or third-party confidential information.
Each Party shall bear its own costs of any audit or inspection under clause 11.9, unless the audit or inspection was conducted by an independent third party and such third party determines the audited Party has materially breached its obligations under this Agreement in which case the audited Party shall reimburse the auditing Party in respect of its reasonable and properly incurred costs of engaging such third party to conduct such audit or inspection.
The Parties shall keep this Agreement under review and either Party may request a change to this Agreement as may be reasonably required to comply with Data Protection Law. Upon receipt of such a request from a Party, the Parties shall discuss and consider such request in good faith and do all things reasonably necessary to comply with Data Protection Law, including varying this Agreement or entering into any subsequent agreements.
JOINT CONTROLLERS
Each Party acknowledges and agrees that there is a common objective in respect of the Processing and that the Parties are Joint Controllers for the purpose of Data Protection Law in respect of such Processing.
Each of the Parties shall perform the obligations allocated to it in the table below, following allocation of responsibilities in accordance with Article 26 of the GDPR:
Compliance obligation | Responsible Party |
Publicise a contact point for Data Subjects to facilitate the exercise of their rights in relation to the Processing under this Agreement. | Providers |
Upon request, make available to Data Subjects a summary of the arrangement between the Parties under this Agreement, such summary to be in a form agreed by the Parties. | Providers and PKB |
Maintaining the PKB platform | PKB |
Supplying initial dataset on Data Subject | Providers |
Maintaining transparency material online to meet A13 and A14 requirements | Providers and PKB |
USE OF PROCESSORS
Where PKB uses a Processor to Process PKB Data, PKB shall:
provide Providers with such information regarding such Processor as Providers may reasonably request. For clarity, PKB shall not be required to provide Providers with details of any commercial terms between PKB and any Processor;
ensure that such Processing is subject to an agreement as required by Article 28(3) of the GDPR; and
where Providers have provided their prior written approval to the international transfer of PKB Data, conduct such international transfer in accordance with Data Protection Law.
COMBINATION WITH OTHER DATA
Providers acknowledge and agree that PKB may combine Providers Data with external sources of health data (including other Hospitals, patient inputted data and third-party application data) with the objective of increasing the quality and breadth of the PKB Data.
DATA RETENTION AND DELETION
The Parties shall not retain or Process PKB Data under this Agreement for longer than is necessary to carry out the Agreed Purposes. PKB will retain data for 8 years after the last access to the Patient Record by Providers.
RECORDS
Each Party shall maintain such records as required by Data Protection Law in respect of its Processing of PKB Data and as may be reasonably necessary to demonstrate its compliance with this Agreement.
REVIEW OF THIS AGREEMENT
The effectiveness of this Agreement shall be reviewed from time to time at such intervals as may be agreed by the Governance Committee, having consideration to the Permitted Purposes and whether any amendments may be necessary to this Agreement. This review will involve assessing whether:
this Agreement needs to be updated to comply with any amendments to Data Protection Law; and
Personal Data Breaches have been handled in accordance with this Agreement where PKB Data are involved.
WARRANTIES
Each Party represents and warrants to the other Party that:
it has full capacity to enter into and perform this Agreement which has been duly executed by the required corporate action;
entry into and performance of this Agreement does and will not violate or be subject to any restriction in or by any other agreement or obligation.
The use of PKB Data as permitted by this Agreement does not infringe the rights of any third party.
LIMITATION AND EXCLUSION OF LIABILITY
Each Party’s liability arising out of or in connection with this Agreement, whether in contract, tort (including negligence) or otherwise, shall be limited to costs incurred by the other parties as a direct result of negligence of the Party, including failure to comply with this Agreement.
Each Party is responsible for the cost of remedying any non-compliance with Data Protection Laws determined to be the responsibility of that Party by this Arrangement. Liability under this Arrangement for each Party is limited to that which arises from a breach of Data Protection Laws.
Any liability arising from processing activity undertaken under this Arrangement shall be determined by the roles and responsibilities of each Party in line with Article 82 of GDPR.
TERMINATION
Without affecting any other right or remedy available to it, either Party may terminate this Agreement with immediate effect by giving written notice to the other Party:
if the other Party commits a material breach of this Agreement which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of ninety (90) days after being notified in writing to do so;
if the other Party repeatedly breaches any of the terms of this Agreement in such a manner as to reasonably justify the opinion that its conduct is inconsistent with it having the intention or ability to give effect to the terms of this Agreement;
if the other Party is subject to an Insolvency Event;
if there is a change of control of the other Party excluding any intra-group reorganisation (or similar) of such other Party; or
in accordance with clause 21.
If the Commissioning Contract terminates for any reason this Agreement shall terminate automatically at the same time as the effective date of termination of the Commissioning Contract without any further action required by either Party.
Each Party’s rights to terminate this Agreement set out in this clause 20 shall not affect any other right or remedy available to it including those arising under this Agreement prior to termination.
CONSEQUENCES OF TERMINATION
Upon termination or expiry of this Agreement:
PKB will permanently delete Patient Record data which has not been accessed by the Providers.
PKB will return to the Providers a copy of Patient Record data which has been accessed by the Providers, after which it will be permanently deleted.
For the avoidance of doubt, Patient Accounts will be retained by PKB in accordance with their role and responsibilities as a Controller.
Termination or expiry of this Agreement shall not affect any rights, remedies, obligations or liabilities of the Parties that have accrued up to the date of termination or expiry, including the right to claim damages in respect of any breach of this Agreement which existed at or before the date of termination or expiry.
FORCE MAJEURE
Non-performance or delay of either Party will be excused to the extent that performance is caused by any circumstance beyond that Party’s reasonable control, including strike, fire, natural disaster, governmental acts, orders or restrictions, failure of suppliers or subcontractors. In such circumstances the affected Party shall be entitled to a reasonable extension of time for performance. If the period of non-performance or delay continues for ninety (90) days, the Party not affected may terminate this Agreement immediately on written notice to the affected Party.
ASSIGNMENT AND OTHER DEALINGS
Neither Party may assign or otherwise transfer any of its rights or obligations under this Agreement without the prior written approval of the other Party, except as expressly permitted by clause 23.2.
A Party may, upon written notice to the other Party and subject to the prior written approval of the other Party (such approval not to be unreasonably withheld or delayed), assign or otherwise transfer this Agreement to any of its affiliates or in connection with a change of control transaction (whether by merger, consolidation, sale of equity interests, sale of all or substantially all assets, or otherwise). For clarity, where such assignment or transfer would give rise to a breach of obligations in relation to Data Protection Law or other Applicable Law or may already affect any research ethics approvals or would not be expected in accordance with the common law duty of confidentiality, such grounds shall amongst other matters be considered reasonable for refusing approval to such assignment or transfer. Any assignment or other transfer in violation of this clause will be void.
This Agreement will be binding upon the Parties hereto and their permitted successors and assigns.
VARIATION
No variation of this Agreement shall be effective unless it is in writing and signed by the Parties.
NOTICES
All notices required or permitted under this Agreement and all requests for approvals, consents and waivers must be delivered by a method providing for proof of delivery. Any notice or request will be deemed to have been given on the date of delivery. Notices and requests must be delivered to the Parties at the addresses on the first page of this Agreement until a different address has been designated by notice to the other Party.
SEVERANCE
If any provision of this Agreement is found to be unenforceable, such provision will be deemed to be deleted or narrowly construed to such extent as is necessary to make it enforceable and this Agreement will otherwise remain in full force and effect.
RELATIONSHIP OF THE PARTIES
The Parties are and will be independent contractors and neither Party has any right, power, or authority to act or create any obligation on behalf of the other Party.
RIGHTS AND REMEDIES
The rights and remedies provided under this Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.
WAIVER
No term or provision of this Agreement will be deemed waived and no breach will be deemed excused, unless such waiver is in writing and signed by the Party claimed to have waived.
COUNTERPARTS
This Agreement may be executed in counterparts (which may be exchanged by facsimile or .pdf copies), each of which will be deemed an original, but all of which together will constitute the same Agreement.
THIRD PARTY RIGHTS
This Agreement does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement.
FURTHER ASSURANCE
Each Party shall use reasonable endeavours to procure that any necessary third party shall promptly execute and deliver such documents and perform such acts as may reasonably be required for the purpose of giving full effect to this Agreement.
COSTS
Each Party shall pay its own costs incurred in connection with the negotiation, preparation, and execution of this Agreement.
ENTIRE AGREEMENT
This Agreement constitutes the entire agreement between the Parties and supersedes and extinguishes all previous drafts, agreements, arrangements, and understandings between them, whether written or oral, relating to its subject matter.
Each Party acknowledges that in entering into this Agreement it does not rely upon, and shall have no remedies in respect of, any representation or warranty (whether made innocently or negligently) that is not set out in this Agreement. No Party shall have any claim for innocent or negligent misrepresentation based on any statement in this Agreement.
GOVERNING LAW AND DISPUTE RESOLUTION
Governing law
This Agreement and all matters arising out of or in connection with it, including any Dispute and any dispute resolution procedure provided for in this Agreement, shall be governed by, and construed in accordance with, the law of *state country*.
Dispute resolution:
The Parties shall resolve any Disputes in accordance with the Commissioning Contract terms.
36. SCHEDULE 1: DATA PROCESSING PARTICULARS
36.1 PERSONAL DATA TO BE PROCESSED
36.1.1 This Schedule describes the types of PKB Data that may be Processed under this Agreement. The Parties may agree to amend the descriptions in this clause at any time with the approval of the Parties.
36.1.2 For clarity, PKB Data Processed under this Agreement shall be subject to the data minimisation measures described in clause 10, including:
(a) The Organisation applying data minimisation measures prior to sharing any data with PKB; and
(b) The Parties continue to review the data minimisation measures to ensure the minimisation of Personal Data within PKB Data as may be required by Data Protection Law.
36.2 PKB Data to be Processed under this Agreement may include data from the following sources:
Providers Electronic Patient Record (structured coded data only) |
Patient Inputted Data |
Third Party Partners and Integrations (for purposes of care provision) |
36.3 The inclusion of personal data of any natural person under the age of *insert age* should be considered on a case by case basis.
37. SCHEDULE 2: PROCESSING OPERATIONS
2A PROCESSING OPERATION A
Processing Operation: Maintaining Patient Account
Performed by: PKB
Classification of Parties: PKB – Sole Controller
Lawful Bases for Processing: Article 6(1)(f) and Article 9(2)(h) GDPR
Compliance with Principles
Principle 1 – Processing is lawful, fair and Transparent:
Individuals are invited to create an account by their healthcare provider (who has commissioned PKB) where they are able to provide their own personal data. Where this is the case, PKB acts as Sole Controller and as such provides the individual with transparency information when registering.
Principle 2 – Collected for specific, explicit and legitimate purposes:
Personal data processed by PKB within the patient account is only used for the purposes of providing that service to the individual to help the individual manage their health and care. It is not used for further purposes.
Principle 3 – Adequate relevant and not excessive:
This processing will only involve personal data provided by the patient themselves, and as such will be limited to the personal data provided by the patient.
Principle 4 – Accurate and up to date:
Given the personal data is provided by the patient, PKB will have no determination as to the accuracy of that data. However, this will be marked within the PKB system as patient inputted data, so it will be clear to those accessing within the Patient Record (in the case it is transferred to the Patient Record).
Principle 5 – Kept for no longer than is necessary:
The Patient Account will be kept for up to 8 years after the last access date by Providers.
Principle 6 – Processed securely
PKB implements strong technical and organisational controls to maintain the integrity and confidentiality of this processing, including annual penetration testing, adherence to the NHS Data Security and Protection Toolkit (DSPT) and a role-based training programme for all employees.
2B PROCESSING OPERATION B
Processing Operation: Maintaining Patient Record
Performed by: PKB and Providers
Classification of Parties: PKB and the Providers act as Joint Controllers
Lawful Bases for Processing:
Providers – Article 6(1)(e) and Article 9(2)(h) GDPR
PKB – Article 6(1)(e) and Article 9(2)(h)/(g) GDPR
Specific Responsibilities for Parties:
PKB provide the platform.
PKB are responsible for providing the security around the platform.
The Providers are responsible for the data quality of the personal data uploaded to PKB including ensuring the correct privacy labels are with the associated data.
The Providers are responsible for only providing access to those in their own organisation who require it.
Principle 1 – Processing is lawful, fair and Transparent:
Processing for the Patient Record is considered necessary in order to support the care of the individual and allows the individual to have more choice and engagement with regard to their health and care information. Providers will be responsible for informing individuals that PKB is the provider of their system, and that this allows patients to have access.
Principle 2 – Collected for specific, explicit and legitimate purposes:
Personal data processed within the Patient Record will only be used for the purposes of providing care to the individual in line with the original purpose of collection.
Principle 3 – Adequate relevant and not excessive:
The Providers are responsible for providing only relevant information to PKB which will consist of structured data only. Confirmation of the dataset will be provided to PKB before any transfer of personal data.
Principle 4 – Accurate and up to date:
The personal data will be extracted directly from Providers electronic patient record to ensure only the most up to date available data is processed by PKB. This will be periodically updated to ensure the latest version of the record is available in PKB.
Principle 5 – Kept for no longer than is necessary:
The Patient Record will be kept for up to 8 years after the contract with Providers ends to maintain the integrity of the health record.
Principle 6 – Processed securely
PKB implements strong technical and organisational controls to maintain the integrity and confidentiality of this processing, including annual penetration testing and a role-based training programme for all employees.
2C PROCESSING OPERATION C
Processing Operation: Service Evaluation and Improvement
Performed by: PKB
Classification of Parties: PKB as Independent Controller
Lawful Bases for Processing:
PKB - Article 6(1)(f) GDPR
Specific Responsibilities for Parties:
PKB will undertake service evaluation and improvement to improve the user experience for both clinicians and patients.
© Patients Know Best, Ltd. Registered in England and Wales Number: 6517382. VAT Number: GB 944 9739 67.