STEP 5: CONTRACTS AND AGREEMENTS
To enable effective processing of data as required by the Care System, both the secondary use activities and their data requirements need to be documented in formal agreements. A variety of mechanisms can be used to hold these agreements, including contracts and service level agreements and, critically, data processing agreements.
It is key to note that the relevant contracts and agreements identified as needed must be in place before any data is extracted, transferred, etc. All agreements about control or processing of data need to be reviewed by experienced information governance staff.
For each integrated care activity (or cohorts of activities), the respective data controllers and data processors will have been established in Step 3. This provides the basis for the contractual framework to permit data usage and management across your care system.
- Where an organisation has been identified as a data controller in its own right and hosts the data store, no additional agreements are required, for example, a Provider organisation hosting its own data
- Where an organisation has been identified as a data controller in its own right, but needs to source data from the data store, the organisation needs to enter into a data processing agreement with the data store host
- Where an organisation has been identified as a data processor on behalf of one other organisation, the commissioning organisation needs to enter into a data processing agreement with both the organisation undertaking the activity and the data store host
- Where an organisation has been identified as a data processor on behalf of multiple organisations, the commissioning organisations need to enter into a joint data controller agreement, and this joint controller enters into a data processing agreement with both the organisation undertaking the activity and the data store host
Note that a data processing agreement may be documented within a wider contractual agreement or in a standalone document. Regardless of the document used, the content should reflect that of a GDPR-compliant data processing agreement. The SUDGT provides template data processing and joint data controller agreements in the reference materials:
- Example processing agreement between a controller and any processor
- Example processing agreement between a controller and a commissioning support unit as a processor
- Example processing agreement schedule - this can be used where there is an existing processing agreement between parties, but an additional schedule is needed to add further processing instructions
- Example joint data controller agreement - for use by commissioners
The above examples are based on Crown Commercial Services and NHS England templates. When using or adapting the templates above, it is important to ensure that the documents are reviewed in full by subject matter experts before they are signed off.
It is a legal requirement under GDPR and the Data Protection Act 2018 to establish legally binding contracts and agreements between data controllers and data processors.
You should now determine and record for each unique data controller and processor relationship identified in Step 3:
- that appropriate data processing schedules are in place
- confirmation of the agreement in which each such schedule can be located
This information can be recorded in the SUDGT input tool.
HINTS AND TIPS
- For the purposes of secondary use activities, where multiple organisations may share or delegate activities, the roles should be assigned as follows:
  - Data Controllers: organisation(s) with statutory responsibility for undertaking secondary use activities, irrespective of whether they will discharge the activities themselves or not
  - Data Processors: organisation(s) who have been contracted to undertake secondary use activities on behalf of a data controller because they do not have statutory responsibilities in their own right