Data Protection & Processing
Data Protection
1.1
The terms ‘personal data’, ‘data subject’, ‘processor’, ‘controller’, ‘processing’, ‘personal data breach’, ‘pseudonymisation’, ‘special categories of data’ and ‘supervisory authority’ have the meanings set out in Data Protection Law as defined in Schedule 3.
1.2
In the event that Ardens processes personal data (as defined in UK data protection law) on behalf of the Organisation, then it shall do so as a data processor in accordance with the data processing annex set out at Annex I (“Data Processing Annex”).
1.3
The Organisation shall only require Ardens to process personal data of which the Organisation is a controller where such data is essential for the provision of the Services. In respect of personal data of the Organisation’s patients, the parties agree that Ardens will not process that personal data, or collect or retain any such personal data outside of the Principal GP IT System or any other Organisation IT System (the “Systems” for this Clause), save that:
1.3.1.
In respect of Ardens Clinical, personal data, which relates to the Organisation’s patients, may be disclosed or made visible to Ardens where the Organisation screen shares with Ardens, in order for Ardens to perform the Ardens Clinical Services. Any processing of personal data in connection with the Organisation’s patients shall at all times be to the minimum extent necessary;
1.3.2.
In respect of the Ardens Manager Services, such personal data will be collected, processed and retained outside of the Systems to the extent that, and only for as long as, it is necessary for the delivery of the Ardens Manager Services; and
1.3.3.
Personal data may also be processed (but not retained for any longer than strictly necessary) outside of the Systems, where that is essential for the purposes of the delivery of the Services.
Annex 1: Data Processing
The purpose of this Annex is to ensure that any personal data processed by Ardens on behalf of the Organisation is adequately protected and to enable the Organisation to meet its processing obligations under UK data protection and privacy laws.
Interpretation
Capitalised terms used in this Annex shall have the same meanings as they have in the Terms of Supply and Use. In addition, the following words shall have the following meanings in this Annex:
"Automated Extraction"
has the meaning given to it in Paragraph B.2 of Annex II (Processing and Categories of Data Subject and Personal Data).
"AWS Environment"
means the Amazon Web Services environment used by Ardens in the supply of Ardens Manager.
"Data Protection Law"
applicable UK laws and regulations protecting the privacy of individuals and their fundamental rights and freedoms in relation to their personal data as amended and updated from time to time (including the Data Protection Act 2018 and the UK GDPR).
"Data Subject Request"
an actual or purported Data Subject Request or notice or complaint from (or on behalf of) a data subject exercising his rights under the Data Protection Law.
"EPR"
means Electronic Patient Record.
"Manual Extraction"
has the meaning given to it in Paragraph B.1 of Annex II (Processing and Categories of Data Subject and Personal Data).
"NHS England IM1 Pairing Integration"
means the process that allows Ardens to integrate the Products with the Principal GP IT System.
"Organisation Instructions"
documented instructions (including this Schedule) from the Organisation regarding the processing of personal data by Ardens pursuant to a Supply Contract.
"UK GDPR"
The version of the EU’s General Data Protection Regulation (EU 2016/679) adopted into UK law following the UK’s withdrawal from the EU on 1 January 2021 as defined by s.4(10) of the Data Protection Act 2018.
Data Processing Particulars
2.1.
The parties agree that the processor may process personal data from time to time in order to supply the Products or provide the Services. This personal data will be restricted to the categories of data subject and personal data as described in Annex 2.
2.2.
Any processing of personal data of which the Organisation is the controller by Ardens shall (subject only to the provisions of paragraph 2.3 below) only be for the purpose of supplying the Products or the Services. Such processing may occur in situations where Ardens is required to access, configure, repair, restore or maintain the Principal GP IT System, or provide any Services in connection with the records stored on that System. The parties consider that the processing of personal data by Ardens in these circumstances and for that purpose is proportionate, necessary and appropriate (provided such processing is carried out subject to and in accordance with this Annex).
2.3.
Ardens shall notify the Organisation as soon as reasonably practicable, and in any event within thirty (30) days of:
2.3.1.
any changes by Ardens in its methods of processing of personal data under this Data Processing Annex.
2.3.2.
any changes to the Data Protection Law that may reasonably be interpreted as adversely affecting Ardens performance of the Supply Contract or this Data Processing Annex
2.4.
Ardens may not process personal data of which the Organisation is a controller otherwise than on the instructions of the Organisation unless, and only then to the extent that, Ardens is required by law to undertake such processing and only provided that (except where prohibited by the said law) Ardens first informs the Organisation of the applicable obligation and the nature of the processing which it will, pursuant to that obligation, be required to undertake. Subsequent instructions may be given by the Organisation, and which shall always be documented.
2.5.
Ardens shall inform the Organisation immediately in the event that any instruction of the Organisation pursuant to this Annex or the Supply Contract would result in Ardens processing the said personal data in a manner which infringes Data Protection Law.
Data Processing Arrangements
3.1.
The factual arrangement between the parties dictates the classification of each party in respect of the Data Protection Law. However, the parties anticipate that the Organisation shall act as a controller and Ardens shall act as a processor and in any such case Ardens shall only process personal data on and to the extent specified by the instructions of the Organisation.
3.2.
The Organisation warrants that:
3.2.1.
it is satisfied that there exists a lawful basis for the purposes of Article 6 of the UK GDPR for all of the processing of personal data which it instructs Ardens to undertake from time to time; and
3.2.2.
if, and to the extent that, Ardens is instructed to process personal data in one or more special category to which Article 9 of the UK GDPR applies, that one or more of the conditions set out in the said Article 9 also applies to that processing of those special categories of personal data.
3.3.
Ardens shall be permitted (and this paragraph comprises the Organisation’s general authority for Ardens) to appoint or replace sub-processors, and to disclose personal data to them for processing in accordance with the Supply Contract, provided always that:
3.3.1.
it provides the Organisation with no less than thirty (30) days’ written notice of any proposed changes to its appointment or replacement of sub-processors by virtue of it updating its approved list of sub-processors as detailed on the Ardens website and provides the Organisation no less than fourteen (14) days’ written notice of any change (effective from the date of such change) to allow the Organisation to raise any reasonable objections which Ardens will consider appropriately; and
3.3.2.
any sub-processor only processes the personal data on Ardens’ documented instructions and such processing is under a written contract which provides a level of protection for the rights and freedoms of individuals whose personal data is being processed which is at least, in substance, equivalent to the protection provided in this Annex;
3.3.3.
the sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures so that the processing will meet the requirements of Data Protection Law (including the requirements relating to security, integrity and confidentiality) and, where that sub-processor fails to fulfil its obligations, Ardens shall remain fully liable to Organisation for the performance of those obligations; and
3.3.4.
at the Organisation’s reasonable written request, Ardens shall provide a copy of such sub-processor agreement (including any subsequent amendments). To the extent necessary to protect business secret or other confidential information, including Personal Data, Ardens may redact the text of the sub-processor agreement prior to sharing the copy with the Organisation.
Security
4.1.
To the extent that Ardens is acting as a processor for and on behalf of the Organisation, it shall:
4.1.1.
process such personal data (including that set out in paragraph 2) for the purposes of performing its obligations under the Supply Contract and only in accordance with the terms of the Supply Contract and any Organisation Instructions (except where it is required to do so otherwise by law, in which case Ardens shall notify Organisation of such beforehand, unless such notice is prohibited by law);
4.1.2.
taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks to the rights and freedoms of natural persons, Ardens shall implement and maintain appropriate technical and organisational measures (as detailed in the Service Specification) to ensure a level of security appropriate to the risk of processing in accordance with Data Protection Law;
4.1.3
insofar as the same is not already required by the other provisions of this paragraph 4.1, ensure that it abides by all of the obligations to which it is subject by virtue of Article 32 of the UK GDPR;
4.1.4.
take all reasonable steps to ensure the reliability and integrity of any Ardens’ personnel who shall have access to the personal data;
4.1.5.
ensure that access to the personal data is restricted to only those members of Ardens’ personnel who require it in order to discharge Ardens’ obligations under the Supply Contract; and
4.1.6.
where the personal data are confidential, and without limiting the general provisions as to confidentiality contained in the Supply Contract, keep them secret and not disclose them to any third party without Organisation’s prior written authorisation (except to the extent disclosure is required by law).
4.1.7.
ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Data Subject Rights
5.1.
If a data subject makes a request to Ardens or Organisation relating to the exercise of his or her legal rights in relation to personal data, Ardens shall (taking into account Organisation’s duty to respond to the data subject within a specified period) provide Organisation (at Organisation’s own cost based on Ardens’ then hourly rates) any assistance it reasonably requires in order to facilitate that data subject’s rights. Ardens’ obligation to cooperate under this paragraph shall also apply to any requests to Ardens or Organisation by a supervisory authority.
5.2.
To the extent that any Organisation instructions:
5.2.1.
require additional effort and/or expenditure on the part of Ardens, this shall be reimbursed by the Organisation in accordance with Ardens’ then current standard rates; and/or
5.2.2.
serve to hinder or prevent Ardens’ performance of its obligations under the Supply Contract, the Supply Contract shall continue despite such reduced performance, and:
5.2.3.
Ardens shall not be in breach of the relevant Product’s Licence or any other agreement with the Organisation as a result of it following Organisation instructions; and
5.2.4.
the Charges which have been paid or which will become payable shall not be reduced (even in the event Ardens is unable to perform its obligations in part or in full).
Breach Notification
6.1.
If Ardens becomes aware of a Personal Data Breach, it shall:
6.1.1.
notify the Organisation without undue delay of the Personal Data Breach, such notification including:
6.1.1.1.
and approximate number of Data Subjects and data records concerned;
6.1.1.2.
the details of a contact point where more information concerning the Personal Data Breach can be obtained; and
6.1.1.3.
its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects;
6.1.2.
provide Organisation with such information and assistance as it reasonably requires in relation to the Personal Data Breach (including in relation to action to remedy or mitigate the breach); and
6.2.
except to the extent required by Applicable Law, upon the termination of the Supply Contract for any reason, or earlier if instructed in writing by the Organisation to do so, Ardens shall cease processing all personal data and return and/or permanently and securely destroy so that it is no longer retrievable (as directed in writing by the Organisation) all personal data and all copies in its possession or control (and it shall provide the Organisation with a certificate signed by a duly authorised representative confirming it has done so).
6.3.
Where the Organisation makes any such request prior to the termination of the Supply Contract, and it serves to hinder or prevent Ardens’ obligations thereunder, the Supply Contract shall continue despite such reduced performance, and:
6.3.1.
Ardens shall not be in breach of the Supply Contract with the Organisation as a result of it following such Organisation instructions; and
6.3.2.
the Charges which have been paid or which will become payable shall not be reduced (even in the event Ardens is unable to perform its obligations in part or in full).
Audits and Privacy/Data Protection Impact Assessments
7.1.
Ardens shall (at Organisation’s cost and subject to Organisation providing appropriate confidentiality undertakings) provide reasonable cooperation with any request by Organisation to carry out audits, inspections or impact assessments in connection with privacy and/or data protection. Ardens may satisfy its obligations under this Clause by it making available copies of third-party audits, inspection reports or prior impact assessments. Nothing in this Clause shall require Ardens to disclose or permit access to any of its (or any third party’s) confidential or commercially sensitive information.
International Transfers
8.1.
Ardens will not export personal data to a country outside the United Kingdom unless:
8.1.1.
the transfer is on the basis of a valid adequacy decision made by the UK Government in accordance with Data Protection Law
8.1.2.
appropriate safeguards are applied (as set out in Data Protection Law (which, in the event of any uncertainty as to the appropriate safeguards to be adopted, shall mean the use of the International Data Transfer Agreement or any other model contract clauses in a form approved by the UK Government); or
8.1.3.
such transfer is otherwise permitted under Data Protection Law.
Annex 2: Processing and Categories of Data Subject and Personal Data
Overview of Processing Personal Data
A. Ardens Clinical
Personal Data is not processed via Ardens Clinical.
B. Ardens Manager
Use of Ardens Manager involves two methods of Processing Personal Data:
Manual Extraction: Users will create an aggregated data set based upon a pre-defined Ardens report using the search functionality on the Principal GP IT System. This is uploaded onto the Ardens Manager platform. Organisational controls such as guidance and acceptable use dictate that personal data should not be accessed in this process.
Automated Extraction: Personal Data is extracted from the Electronic Patient Record (“EPR”) through bulk extract mechanisms provided by the NHS England IM1 Pairing Integration and transmitted securely into the AWS Environment.
Ardens process this personal data on behalf of the data controller (e.g. GP Practice) in order to provide the purchased commissioned service. As described above, this is a population management analytics tool that enables GP Practices and other Healthcare organisations to upload their data from the relevant clinical system to support service management by automated or manual extracts from EMIS Web and SystmOne. It also enables customers such as PCNs and GP practices to identify individual patients based upon pre-specified reports for the purposes of National and Local Contract management and locally commissioned services where they have a legitimate relationship to do so.
*For Ardens DEMO System Sites ONLY– Ardens is authorised by the Data Controller to anonymise data to be included in a demonstration system in order to allow other prospective users to see realistic interpretations of the Ardens System
Ardens Clinical
Ardens Manager
Description
Details
Categories of data subjects
N/A
Users
Location of the User
Patients of the Organisation
Categories of personal data processed
N/A
Patient name
Patient address
Postcode
Telephone number
E-mail address
Gender
Date of Birth
Date of Death
Physical description
SRE or EMIS GUID Identifier
Practice identifier
NHS number
GP details
Categories of sensitive data processed
N/A
Health data
Race or ethnic origin
Sexual life or sexual orientation
Religious or philosophical beliefs
Criminal or suspected criminal offences
Nature of processing
Ardens may inadvertently view personal data where a Organisation (or User) shares their screen as part of the provision of the Ardens Clinical Services.
Ardens have been commissioned to process the above personal data for the purposes including providing aggregated, anonymised population health management analytics to GP Practices, Federations, Primary Care Networks (“PCNs”), Integrated Care Boards (“ICBs”), places and other Healthcare Bodies.
Purpose of the processing for the Organisation
As above at: Overview of Processing Personal Data
As above at: Overview of Processing Personal Data
Plan for return and destruction of the data once the Processing is complete (unless there is a requirement under union or member state law to preserve that type of data)
Ardens will notify the Organisation where it inadvertently accesses personal data, and where relevant, will have the personal data deleted.
Ardens will process data for the duration of the Supply Contract. Prior to the end of the agreement the Controller will have the option to have all data returned or to have it deleted.