This table is intended to be comprehensive but may be incomplete. There may also be instances where some of the requirements are not applicable but the Review Panel concludes that these requirements will apply in most circumstances. Additionally, there may be elements that overlap with other contracting requirements, so these will need to be drawn together appropriately.
Requirements
1 Define the status and relationship of the parties as data controller or data processors. This includes clarity about sole, joint or in common data controllership and, where an organisation’s relationships with data may fall across these categories in different circumstances, clarification of the circumstances in which each relationship with the data will apply.
2 Define scope and term of the contract.
3 Whether the contract will be supported by service level/data sharing agreements (where applicable, to define the data set and disclosures for specific purposes; these should include any variation to the data controller relationships set out in the contract).
4 Define terminology used.
5 Legal, professional and contractual requirements. Definition of the governing law (i.e. England), requirement to adhere to legal and professional requirements, and the provisions of this contract in particular in relation to Data Protection, Human Rights and common law obligations such as the duties of care and confidentiality. This includes but is not limited to:
• when personal confidential data may lawfully be disclosed;
• for de-identified data for limited disclosure or access, the requirement for this data to be held separately from personal confidential data within a safe haven (to ensure it does not become identifiable, and therefore personal data requiring a legal basis to process);
• having mechanisms to prevent re-identification where de-identified data may be linked together in a safe haven;
• a requirement not to disclose data to other parties other than in anonymised form, or as authorised by the data controller, or where required by law; and
• for data processors, the requirement only to process data as instructed by the data controller.
6 Duty to co-operate with other parties.
7 In relation to personal confidential data, a definition of the purposes and the legal basis for processing for each specified purpose, with a restriction confining processing to these purposes; where there is a need to re-identify individuals, this must be included in the purposes and authorised. It is helpful to include this within the contract so all parties are assured of the legal basis for processing and the boundaries of that legal basis. (Privacy impact assessments are helpful in clarifying whether there is a secure basis in law and the nature of that basis, as part of the pre-contract checks and ongoing management of the contract.) In relation to de-identified data for limited disclosure or access, clarity of the purposes and assurance that the purposes of processing are in the public interest.
8 Confidentiality and protection of commercially sensitive information and
9 Fair processing information responsibilities — service user involvement in its development.
10 Policies and procedures on: consent both for treatment and for the use of data; conflicts of interest management; and agreement more broadly about whose policies are used. This may be specific to the policy in question.
11 Timely communication of transfer or discharge information to other care professionals.
12 Online access to records and communication of care plans to the service user.
13 Conformance with requisite Information and Data Standards.
14 Staff recruitment checks, education and training, and terms and conditions of employment — this also needs to address honorary and seconded staffing arrangements, to ensure that failure to adhere to policies and procedures is addressed through disciplinary action via the substantive contract of employment.
15 Maintenance of Information Asset Registers, data flow mapping and data sets for extraction and reporting requirements.
16 Data extraction processes.
17 Responsibility for FOI, EIR and subject access requests — in particular attention needs to be given to who will undertake the clinical review of records for Subject Access Requests to ensure that seriously harmful information, or information provided by third parties is not disclosed.
18 Housekeeping measures:
• business continuity;
• disaster recovery;
• monitoring and auditing of access controls and reporting; and
• transfer, retention, archiving, and disposal of records at end of data lifecycle in line with DH record retention schedules or termination of contract.
19 Security requirements (ISO 27001 and 27002): an ISMS to include:
• network security;
• device security (including encryption);
• software security, including protection against malware;
• data and system back-up;
• secure transfer of data;
• physical security;
• access control functionality, logging, alerts, auditing and reporting;
• software control of printing and USB devices;
• use of security and privacy enhancing technologies;
• risk assessment, audit and reporting (including penetration testing);
• review and updating; and
• incident reporting.
20 Registration Authority (RA) — Legitimate Relationship (LR) and Role Based Access Control (RBAC) authorisation and implementation.
21 Change control, authorised officers and approvals processes.
22 Sub-contracting notification to data controller of intent to sub-contract, identity of sub-contractor(s), contracting and oversight arrangements of sub-contractor and authorisation by data controller requirements.
23 Location of data storage and arrangements, i.e. within EEA, outside EEA, or cloud. Need for binding corporate rules or other means of satisfying DP principle 8.
24 Serious incidents/data breaches (duty of candour): monitoring, reporting, investigating, publishing with outcomes.
25 DC contract performance management, including right of access to visit site(s) and audit procedures/use of data including any sub-contractors. Additionally, mandatory independent audit of the IG Toolkit submission or equivalent statements of compliance should also be considered, with the scope set annually by the data controller.
26 Process for agreeing variations to the contract, including novation to new bodies.
27 Dispute resolution process.
28 Exit from contract:
• natural end of contract considerations such as record management;
• premature end of contract from failures of any party e.g. bankruptcy, serious data breach; and
• continuing obligations, e.g. not using data subsequently for own purposes and maintaining confidentiality of personal data indefinitely.
29 Charges, liability and indemnity, remedies and penalties for breach of contract — care needs to be taken to ensure that this clause includes unlimited recovery of costs arising from a breach by data processor and data processors need to maintain insurance supporting liability in the contract.
30 Definition of roles and responsibilities — senior responsible officers for implementation and oversight of different elements of the contract for each party to the contract.
31 Signatures of senior responsible officers of all parties.
32 An appendix to the contract, with the day to day contact details for the senior responsible officers and other key staff.
Sources:
CEN WORKSHOP AGREEMENT CWA 15292 May 2005
Commissioning Board SLA Mock Template and Collaborative Commissioning Agreement http://www.commissioningboard.nhs.uk/resources/resources-for-ccgs/
National Standard Contracts
PASA IT Documentation — NHS Supplementary conditions of contract relating to information security, August 2009
ICO — Model Contract Clauses – International transfers of personal data
ICO — Privacy Impact Assessment