Log in to Skyline

Data Processing Deeds

Owned by Andrew Syme
Last updated: Feb 22, 2023
10 min read

Overview

Where Informatica do not have a direct contract, containing appropriate provisions, with the Data Controller, the Data Processing Deed provides the legal basis for processing the data.

A data processing agreement lays out technical requirements for the controller and processor to follow when processing data. This includes setting terms for how data is stored, protected, processed, accessed, and used. The agreement also defines what a processor can and cannot do with data.

Sample Deed

Context

THIS DEED OF UNDERTAKING FOR DATA PROCESSING ("DEED")

is made on                                                                                          2021           

BY:

(1)        Informatica Systems Limited a company registered in England and Wales under number 02866377 whose registered office is at Aurora House, Deltic Avenue, Rooksley, Milton Keyes, Buckinghamshire, United Kingdom, MK13 8LW  ("Supplier");

FOR THE BENEFIT OF:

(2)        GP Practices and other service recipients who, from time to time, receive, or have previously received, Solutions under the Skyline Product and/or services from the Supplier and/or provide, or have previously provided, data for the purposes of data extraction services through the Contract ("Beneficiaries").

BACKGROUND

A          The Supplier provides systems and Services to the GPs and other service recipients through contract vehicle (“Contract”) established by  ### ##  ("Customer");

B          The Supplier is pursuant to this Deed giving direct assurances to the Beneficiaries with regard to how personal data is processed and safeguarded.

C         This Deed is effective from ### ("Effective Date"). From the Effective Date, the terms of this Deed shall apply to any data processing activities between the Supplier and the Beneficiaries. From the Effective Date, all earlier versions of direct data processing undertakings from the Supplier to the Beneficiaries are superseded. 

D         This Deed is an undertaking which operates as a deed poll to account for the fluctuation in the total number of Beneficiaries receiving systems and Services under the and/or providing data or receiving Services under the Contract.

E          This Deed is a unilateral undertaking which does not need to be executed by the Beneficiaries but its terms shall be enforceable by any Beneficiary. 

F          Nothing in this Deed shall affect the validity of the Contract. 

G         This Deed shall survive the expiry or termination of the Contract.

OPERATIVE PROVISIONS

1         Definitions

1.1        Capitalised terms in this Deed shall have the following meaning:

1.2        The term Parties shall mean the Supplier and Beneficiaries.

1.3        the terms personal data, processor, controller, process, processing, data subject, special category data, personal data breach, and Data Protection Officer shall have the meanings given to them in the Data Protection Legislation

1.3.1       Data Protection Legislation means:

1.3.1.1      the GDPR, the LED and any applicable national implementing Laws as amended from time to time

1.3.1.2      the DPA 2018 to the extent that it relates to processing of personal data and privacy;

1.3.1.3      all applicable Law about the processing of personal data and privacy;

1.3.2       Data Protection Impact Assessment means an assessment by the Controller of the impact of the envisaged processing on the protection of Personal Data;

1.3.3       Data Loss Event means any event that results, or may result, in unauthorised access to Personal Data held by Informatica Systems Ltd under this Deed, and/or actual or potential loss and/or destruction of Personal Data in breach of this Deed, including any Personal Data Breach;

1.3.4       Data Subject Access Request means a request made by, or on behalf of, a Data Subject in accordance with rights granted pursuant to the Data Protection Legislation to access their Personal Data;

1.3.5       DPA 2018 or DPA means the Data Protection Act 2018;

1.3.6       GDPR means The DPPEC (Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit)) Regulations 2019 codified the General Data Protection Regulation (Regulation (EU) 2016/679);

1.3.7       Law means any law, subordinate legislation within the meaning of Section 21 (1) of the Interpretation Act 1978, bye-law, enforceable right within the meaning of Section 2 of the European Communities Act 1972, regulation, order, regulatory policy, mandatory guidance or code of practice, judgement of a relevant court of law, or directives or requirements with which the Parties are bound to comply;

1.3.8       LED means Law Enforcement Directive (Directive (EU) 2016/680) or any subsequent adequacy decisions;

1.3.9       Protective Measures means appropriate technical and organisational measures which may include: pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the such measures adopted by it.

1.3.10   Sub-Processor means any third party appointed to process Personal Data on behalf of Informatica Systems related to this Deed;

1.3.11   Solution Agreement means an agreement provided by Informatica Systems Ltd through the Skyline Product, specifically relating to a solution within the Skyline Product, and accepted by a named user;

1.3.12   General Agreement means an agreement accepted by a user through logging into the Skyline Product;

1.3.13   Informatica Systems Ltd Personnel means all directors, officers, employees, agents, consultants, and contractors of Informatica Systems Ltd and/or of any Sub-Contractor engaged in the performance of Informatica Systems Ltd’s obligations under this Deed.

2         Context

2.1        In this Deed, unless the context otherwise requires:

2.1.1       the singular includes the plural and vice versa;

2.1.2       a reference to a gender includes the other gender and the neutral;

2.1.3       references to a person include an individual, company, body corporate, corporation, unincorporated association, firm, partnership or other legal entity;

2.1.4       any references to a named body or organisation shall include references to successors of that body or organisation and/or any equivalent bodies or organisations that perform the same or substantially similar functions;

2.1.5       a reference to a law includes a reference to that law as modified, amended, extended, consolidated or re-enacted from time to time before or after the date of this Deed and any prior or subsequent legislation under it;

2.1.6       the words "including", "other", "in particular", "for example" and similar words shall not limit the generality of the preceding words and shall be construed as if they were immediately followed by the words "without limitation";

2.1.7       the headings are for ease of reference only and shall not affect the interpretation or construction of this Deed.

2.2        A reference in a clause to Beneficiaries shall mean the Beneficiaries who are relevant to the applicable rights and/or obligations set out in the clause.

3         Obligations

3.1        Each Party shall comply with its respective obligations under the provisions of the DPA.

3.2        Both Parties shall comply with their respective obligations under the Data Protection Legislation and the DPA 2018.

3.3        The Parties acknowledge that for the purposes of the Data Protection Legislation, the GP Practice is the Controller and Informatica Systems Ltd is the Processor. The only processing that Informatica Systems Ltd is authorised to do is listed in Annex A of this Deed and agreed on behalf of each Beneficiary in a Solution Agreement.

3.4        Informatica Systems Ltd shall notify the Customer without undue delay if it considers that any of the Customer’s instructions infringe the Data Protection Legislation.

3.5        Informatica shall provide a single DPIA guidance document applicable to this Data Processing Deed and associated Service and/or product provided.  The Data Controller is responsible for completing and approving the final DPIA. Where a Controller is unable to accept or comply with a DPIA they are to notify the Customer and Supplier and cease using the products and/or services covered under this Deed.

3.6        Informatica Systems Ltd shall, in relation to any Personal Data processed in connection with its obligations under this Deed:

3.6.1       process that Personal Data only in accordance with Annex A of this Deed, unless Informatica Systems Ltd is required to do otherwise by Law. If it is so required Informatica Systems Ltd shall promptly notify the Customer and Controller before processing the Personal Data unless prohibited by Law;

3.6.2       ensure that it has in place Protective Measures, as appropriate to protect against a Data Loss Event having taken account of the:

3.6.2.1      nature of the data to be protected;

3.6.2.2      harm that might result from a Data Loss Event;

3.6.2.3      state of technological development; and

3.6.2.4      cost of implementing any measures;

3.6.3       ensure that :

3.6.3.1      Informatica Systems Ltd Personnel do not process Personal Data except in accordance with this Deed (and in particular Annex A);

3.6.3.2      it takes all reasonable steps to ensure the reliability and integrity of any Informatica Systems Ltd Personnel who have access to the Personal Data and ensure that they:

3.6.3.2.1     are aware of and comply with Informatica Systems Ltd’s duties under this clause;

3.6.3.2.2     are subject to appropriate confidentiality undertakings with Informatica Systems Ltd or any Sub-processor;

3.6.3.2.3     are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the appropriate or as otherwise permitted by this Deed; and

3.6.3.2.4     have undergone adequate training in the use, care, protection and handling of Personal Data; and

3.6.3.3      not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:

3.6.3.3.1     Informatica Systems Ltd has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller;

3.6.3.3.2     the Data Subject has enforceable rights and effective legal remedies;

3.6.3.3.3     Informatica Systems Ltd complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Beneficiary in meeting its obligations); and

3.6.3.3.4     Informatica Systems Ltd complies with any reasonable instructions notified to it in advance by the Practice with respect to the processing of the Personal Data;

3.6.3.4      at the written direction of the Beneficiary, delete or enable the return of Personal Data to the Practice on termination of the Deed unless Informatica Systems Ltd is required by Law to retain the Personal Data. The Beneficiary may retrieve its Personal Data at any time.

3.7        Subject to clause 3.8, Informatica Systems Ltd shall notify the Beneficiary immediately if it:

3.7.1       receives a Data Subject Access Request (or purported Data Subject Access Request);

3.7.2       receives a request to rectify, block or erase any Personal Data;

3.7.3       receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;

3.7.4       receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Deed;

3.7.5       receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or

3.7.6       becomes aware of a Data Loss Event.

3.8        Informatica Systems Ltd obligation to notify under clause 3.7 shall include the provision of further information to the Beneficiary in phases, as details become available.

3.9        Taking into account the nature of the processing, and subject to such assistance being reasonable effort, Informatica Systems Ltd shall provide the Beneficiaries with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 3.7 (and insofar as possible within 48 hours of the request) including by promptly providing:

3.9.1       the Beneficiaries with full details and copies of the complaint, communication or request;

3.9.2       such assistance as is reasonably requested by the Customer to enable the Beneficiaries to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;

3.9.3       the Beneficiaries, at its request, with any Personal Data it holds in relation to a Data Subject;

3.9.4       assistance as requested by the Beneficiaries following any Data Loss Event;

3.9.5       assistance as requested in any consultation by the Beneficiaries with the Information Commissioner's Office.

3.10    Informatica Systems Ltd shall maintain complete and accurate records and information regarding processing which includes special categories of data as referred to in Article 9(1) of the GDPR .

3.11    Informatica Systems Ltd shall allow for audits of its Data Processing activity by the Beneficiaries or the beneficiaries’ designated auditor at the Beneficiaries cost. Such audits shall not compromise the availability, security or integrity of Informatica Systems Ltd’s systems or data.

3.12    Informatica Systems Ltd shall designate a data protection officer if required by the Data Protection Legislation.

3.13    Before allowing any Sub-processor to process any Personal Data related to this Deed, Informatica Systems Ltd must:

3.13.1   notify the Beneficiaries through an amendment to the Solution Agreements in the software, providing such information regarding the Sub-processor as the Practice may reasonably require;

3.13.2   provide sufficient notice to allow the beneficiaries to object;

3.13.3   enter into a written agreement with the Sub-processor which give effect to the terms set out in this clause 3.13 such that they apply to the Sub-processor; and

3.14    Informatica Systems shall remain fully liable for all acts or omissions of any Sub-processor.

3.15    Informatica Systems Ltd may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Deed).

3.16    The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Practice may on not less than 30 Working Days’ notice to Informatica Systems Ltd amend this Deed to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

3.17    Acceptance of this Deed indicates the Beneficiaries’ written consent to authorise Informatica Systems Ltd to process the Personal Data as the Customer has determined in Annex A and by the Sub-processors listed in Annex B.

4         Status

4.1        This Deed shall survive the expiry or termination of the Contract.

Executed as a deed by

Signature

 

 

Full Name

 

 

a director or Authorised Signatory, on behalf of Informatica Systems Ltd

in the presence of:

Signature of Witness

 

 

Name of Witness

 

 

Address of Witness

 

 

Occupation of Witness

 

 

ANNEX A - PROCESSING, PERSONAL DATA AND DATA SUBJECTS

 

Subject matter of the processing

Processing of patient data to aid the Beneficiary in delivering of direct patient care following both national and local standards.

Duration of the processing

Processing continues through the period agreed in the Contract with the Customer.

 

Nature and purposes of the processing

  1. Nature of processing:

a.     Import and synchronisation of patient data with the principal clinical system (e.g. EMIS Web);

b.     Analysis of patient data against national and local standards;

c.      Display of patient registers according to national and local standards;

d.     Prompts to clinicians of national and local standards indicators relating to individual patients;

e.     Collection of clinical data related to national and local standards for export to the principal clinical system;

f.       Reports related to analysed data to aid the Beneficiary in its management of the national and local standards;

g.     Communications (e.g. SMS message) to patients related to the national and local standards and initiated by the Practice.

h.     Processing of patient data for aggregated reporting to the Customer.

  1. The purpose of the processing is to:

a.     provide facilities to the Beneficiary to manage its treatment of patients to meet national and local standards

b.     provide associated reporting to the Customer.

Type of personal data

  1. Clinician record:

a.     Name

b.     Gender

c.      Role

  1. Patient record:

a.     Name

b.     Gender

c.      Email

d.     Phone

e.     Address

f.       NHS number

g.     Date of birth

h.     Preferred GP

i.       Patient medical record

Categories of Data Subject

Patients and Clinicians

Plan for return and destruction of the data once the processing is complete1

The Beneficiaries’ data will be held for 1 year beyond the date of contract termination. At this point their data will be deleted from the database it’s held in.

 

  1. UNLESS requirement under Law to preserve that type of data.

ANNEX B - SUB-PROCESSORS

Sub-Processor

Activity

AWS

Provides hosting and processing functionality for Skyline product

Skyline is designed and developed by Informatica