Data Processing Policy
For the purposes of compliance with the General Data Protection Regulation (GDPR)
1. This Data Processing Policy governs all agreements and relationships between Isosec Limited (the Processor) and its Customers (the Controller) unless specifically agreed otherwise in writing by Isosec Limited.
2. Definitions
“Data” means the personal data (and other information) to be processed further to this Agreement, further particularised below.
“Data Protection Legislation” means (i) unless and until the GDPR is no longer directly applicable in the UK, the GDPR together with any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK; and (ii) any successor legislation to the GDPR and other legislation described at subparagraph (i) above.
“Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, biometric, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
3. Scope, nature and purpose of the processing
The Processor has entered into this Data Processing Agreement with the Controller to carry out the processing of Personal Data for the following purposes:
● Authentication: allows the Controller to allocate, distribute and otherwise manage Controller users so that they can use secure smartcard-type authentication.
● Support: allows the Controller to receive third-line support from the Processor.
● Audit: allows the Controller to see real-time data about usage.
● Licensing: allows the Controller to have access to billing information.
The most likely lawful basis for processing most health and social care data is the provision of direct care, i.e. GDPR Article 9(2)(h), together with public interest, i.e. GDPR Article 6(1)(e), but it is for the Controller to decide the lawful basis for processing.
The processing carried out by the Processor also includes:
● Google Analytics for Firebase data collection
● Firebase Performance Monitoring data collection
● Identifying devices for Firebase
4. The type(s) of Personal Data to be processed
4.1. The Personal Data to be processed under this Agreement is:
● Identity data of Controller employee: e.g. full name, role, email address, device user name, subject common name, certificate data, domain name of Active Directory account, and unique identifier as recorded in the NHS Spine Directory service;
● Contact details of commercial contacts;
● Location data transmitted from a mobile device: the GPS coordinates of the device's location;
● Usage data: application use.
5. The categories of data subject to be processed
5.1. The categories of data subject whose Personal Data is to be processed are:
Only data for authorised Controller employees and contractors will be used. At all times, any such data entries shall be made by the Controller and not by the Processor. For the avoidance of doubt, at no point in time does the Processor have access to or otherwise deal with any NHS patient data in either case above.
6. The duration of the processing
6.1. Data processing will commence on the start date of any agreement to use the service and will complete on the termination date of the service as agreed between the Controller and the Processor. Data is stored for a period of up to 2 years for audit and support purposes. For licensing purposes, contact details are stored for the duration of the contract. After these time periods, the data will be securely deleted from the Processor's databases.
7. Transferring the Data for processing
7.1. The Controller shall securely transfer the Data to be processed to the Processor via the N3/HSCN Network and all data will be encrypted during transfer and at rest.
7.2. The Processor shall securely transfer the processed Data to the Controller (or such other persons nominated by the Controller as part of its instructions) via the N3/HSCN Network.
8. General obligations of the Processor
8.1. The Processor shall comply with the requirements of the Data Protection Legislation and warrants that it shall implement appropriate technical and organisational measures to ensure that any Processing carried out under this Agreement will meet all applicable requirements of the Data Protection Legislation and ensure the protection of the rights of the data subjects. This Agreement is in addition to and does not relieve, remove or replace its obligations under the Data Protection Legislation.
9. Specific obligations of the Processor
Without prejudice to the generality of Clause 8, the Processor shall comply with the following further obligations:
9.1 Processing on instruction
The Processor shall:
(a) Process the Data and otherwise act only on the written instruction of the Controller, which may be set out in this Agreement or in other instructions given by the Controller from time to time. The Processor may further process the Data where it is required by law to act without such instructions. Where the Processor relies on such legal obligations, it shall promptly notify the Controller of this before performing the processing required by the applicable law, unless that law prohibits the Processor from so notifying the Controller;
(b) Take all reasonable further steps to ensure that any person acting under its authority who has access to the Data does not process it except on instructions from the Controller described in 9.1(a) above, unless he or she is required to do so by Union or Member State law, including by taking the measures set out in Clauses 9.2 – 9.3 below;
(c) Immediately inform the Controller if it considers that an instruction issued by the Controller infringes any requirement of Data Protection Legislation;
(d) Comply with any request from the Controller to amend, transfer or delete some or all of the Data, or otherwise complete a processing activity in connection with the Data;
(e) For the avoidance of doubt, not copy or use the Data for any purpose other than complying with the instructions as set out in this Agreement;
(f) Where required, employ a Data Protection Officer in accordance with Article 37 GDPR, and provide the necessary resources to them and ensure their independence;
(g) Appoint in writing a representative within the European Union (where required to do so) in accordance with Article 27 GDPR.
9.2 Staffing and personnel
The Processor shall ensure that any employees or other persons processing the Data (including any temporary workers and agency workers):
(a) are subject to and aware of their duty of confidence in connection with the Data and have undertaken information governance training relating to handling personal data within the legal framework;
(b) are only able to access the Data where they are involved in the processing of the Data and only to the extent necessary for processing the Data in accordance with the requirements of this Agreement;
(c) do not disclose or otherwise process confidential or financial information about this Agreement, or the Data processed under it, other than as required by judicial, administrative, governmental or regulatory process or otherwise by applicable law including (for example) the Freedom of Information Act 2000, in which case notice shall be given to the Controller in accordance with Clause 9.1(a) above.
9.3. Security measures
9.3.1 The Processor shall implement appropriate technical and organisational measures to ensure the security of processing of Personal Data commensurate to the risks to the rights and freedoms of the data subjects. Such measures may include those measures referred to in Article 32(1) GDPR as appropriate.
9.3.2 In assessing the appropriate level of security for the purposes of Clause 9.3.1, the Processor shall take particular account of the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
9.3.3. The Processor shall employ an appropriate security management system which, in particular, ensures that their employees only have access to data that is required to undertake their responsibilities under this Agreement.
9.3.4. Without prejudice to the generality of 9.3.1, the Processor shall ensure that access to its system(s) is via a secure log-on process designed to minimise the opportunity for unauthorised access. This shall, as a minimum:
o Limit unsuccessful attempts to access the system
o Register failed attempts to log on, force a time delay before the next series of attempts and disconnect the data link
o Identify and verify the identity and the location of each user
o Limit the connection times available to users
o Passwords should expire after a set period
o Prevent the re-use of existing or old passwords
o Each user should have a unique identifier
o Provide protection from unauthorised access to software capable of overriding application controls
o Access to system administration utilities should only be available to specific system users/roles
o The system should maintain an audit of access to system administration functions and information.
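To make the minimum log-on controls in 9.3.4 concrete, the following is an added illustration (not Isosec's code, and not a description of how the Processor's systems are built) of how a service can enforce attempt limits, a growing lock-out delay, password expiry, a password-reuse check, unique user identifiers, recording of the source address for each attempt, and an audit trail of administrative actions. The thresholds (5 failed attempts, a 30-second base delay that doubles per lock-out, a history of 5 old passwords, 90-day expiry) and the PBKDF2 parameters are assumptions chosen for the example, not values taken from this policy; the sample user and addresses in the usage are constructed.

```python
"""Illustrative log-on controls for the 9.3.4 minimum requirements.

Added example; not Isosec's code. All thresholds below are assumed values.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5        # assumed: lock the account after this many failures
BASE_DELAY_SECONDS = 30        # assumed: first lock-out; doubles with each further lock-out
PASSWORD_HISTORY = 5           # assumed: number of previous passwords that may not be reused
PASSWORD_MAX_AGE = 90 * 86400  # assumed: passwords expire after 90 days
PBKDF2_ITERATIONS = 100_000    # assumed: illustrative work factor


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class User:
    user_id: str                 # unique identifier per user
    salt: bytes
    password_hash: bytes
    password_set_at: float
    history: list = field(default_factory=list)  # (salt, hash) of previous passwords
    failed_attempts: int = 0
    lockouts: int = 0
    locked_until: float = 0.0
    is_admin: bool = False


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable clock so behaviour is testable
        self.users: dict[str, User] = {}
        self.audit: list[dict] = []        # audit trail of log-on and admin activity

    def _log(self, event: str, user_id: str, **extra) -> None:
        self.audit.append({"ts": self.clock(), "event": event, "user": user_id, **extra})

    def register(self, user_id: str, password: str, is_admin: bool = False) -> None:
        if user_id in self.users:
            raise ValueError("user identifier must be unique")
        salt = os.urandom(16)
        self.users[user_id] = User(user_id, salt, hash_password(password, salt),
                                   self.clock(), is_admin=is_admin)

    def login(self, user_id: str, password: str, source_ip: str) -> tuple[bool, str]:
        """Return (success, reason); every attempt is recorded with its source address."""
        now = self.clock()
        user = self.users.get(user_id)
        if user is None:
            self._log("login_unknown_user", user_id, ip=source_ip)
            return False, "invalid credentials"   # same reply as a wrong password
        if now < user.locked_until:
            self._log("login_rejected_locked", user_id, ip=source_ip)
            return False, "locked"
        if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
            user.failed_attempts += 1
            self._log("login_failed", user_id, ip=source_ip, attempt=user.failed_attempts)
            if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
                # Force a delay before the next series of attempts; it grows per lock-out.
                user.lockouts += 1
                user.locked_until = now + BASE_DELAY_SECONDS * (2 ** (user.lockouts - 1))
                user.failed_attempts = 0
                self._log("lockout", user_id, ip=source_ip, until=user.locked_until)
                return False, "locked"
            return False, "invalid credentials"
        user.failed_attempts = 0
        if now - user.password_set_at > PASSWORD_MAX_AGE:
            self._log("login_password_expired", user_id, ip=source_ip)
            return False, "password expired"
        self._log("login_ok", user_id, ip=source_ip)
        return True, "ok"

    def change_password(self, user_id: str, new_password: str) -> bool:
        """Reject the current password and the last PASSWORD_HISTORY passwords."""
        user = self.users[user_id]
        for salt, old_hash in [(user.salt, user.password_hash)] + user.history:
            if hmac.compare_digest(hash_password(new_password, salt), old_hash):
                self._log("password_reuse_rejected", user_id)
                return False
        user.history = ([(user.salt, user.password_hash)] + user.history)[:PASSWORD_HISTORY]
        user.salt = os.urandom(16)
        user.password_hash = hash_password(new_password, user.salt)
        user.password_set_at = self.clock()
        self._log("password_changed", user_id)
        return True

    def run_admin_function(self, user_id: str, function_name: str) -> bool:
        """Admin utilities are limited to admin users and every call is audited."""
        user = self.users[user_id]
        if not user.is_admin:
            self._log("admin_denied", user_id, function=function_name)
            return False
        self._log("admin_invoked", user_id, function=function_name)
        return True
```

The unknown-user and wrong-password paths return the same message so that a caller cannot enumerate valid identifiers from the response; the distinction is kept only in the audit trail, which is where the "register failed attempts" requirement is met.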
9.3.5. To assure the Controller, the Processor’s security controls include:
The Processor utilises one or more data centres that meet NHS security standards and have significant experience in hosting critical services and applications for the NHS ecosystem. The Processor is accredited to Cyber Essentials, which covers the IT infrastructure of the Processor's premises and extends to, but is not limited to, its staff machines, servers and networking hardware, as well as the policies in place within the company.
9.4 Using Sub-Processors
9.4.1. The Processor shall only engage a Sub-Processor with the prior written consent of the Controller.
9.4.2. With respect to any proposed Sub-Processor, the Processor shall:
(a) carry out adequate due diligence to ensure that the proposed sub-processor is capable of providing the level of protection for the Controller’s data required by this Agreement and Data Protection Legislation;
(b) ensure that the arrangement between the Processor and the Sub-Processor is governed by a written contract including terms which offer at least the same level of protection for Controller Data as those set out in this Agreement and meet the requirements of Article 28(3) & (4) GDPR;
9.4.3. Notwithstanding any sub-processing arrangement entered into under this Clause 9.4, the Processor will remain liable to the Controller for the compliance of the Sub-Processor and will not be absolved of any responsibility for the processing by using a Sub-Processor.
9.5 Data Subjects’ Rights
9.5.1. Taking into account the nature of the processing, the Processor shall assist the Controller by implementing appropriate technical and organisational measures to facilitate the Controller's obligations under Chapter III of the GDPR.
9.5.2. The Processor shall promptly notify the Controller if it receives a request from a Data Subject under Data Protection Legislation in respect of any Controller Data. The Processor shall not reply to any such request except (i) on the documented instructions of the Controller; or (ii) as required by Data Protection Legislation to which it is subject, in which case the Processor shall notify the Controller of the obligation before responding to the request.
9.6 Data exports
The Processor shall not store, transfer or otherwise process the Data outside the European Economic Area without the prior written consent of the Controller (and subject to such requirements as the Controller may specify).
9.7 General assistance to the Controller
Without prejudice to the specific obligations in 9.5, the Processor shall:
(a) notify the Controller immediately if it becomes aware of any unauthorised or unlawful processing, loss of, damage to or destruction of Personal Data being processed under this Agreement;
(b) co-operate as required, with supervisory authorities (such as the Information Commissioner’s Office – ICO) in accordance with Article 31 GDPR;
(c) assist the Controller in meeting its GDPR obligations in relation to the security of processing, i.e. the notification of personal data breaches and data protection impact assessments including any high-risk processing under Articles 32-36 of the GDPR.
9.8 End of contract provisions
9.8.1. The Processor is required to retain the Controller's Data for the period set out above in Clause 6 ("the duration of the processing"). This time period must not exceed the time necessary to enable the Processor to carry out the processing required under this Agreement.
9.8.2. At the discretion of the Controller, the Processor shall delete or return all Data to the Controller at the end of this Agreement or services provided under it, unless the Processor is required by law to retain the Data, in which case the Processor may retain the Data for the minimum period necessary to comply with that obligation, and shall then return or delete the Data as required by the Controller.
9.8.3. After processing is complete, the Processor shall undertake a full purge of its internal systems to securely and permanently destroy all Data held for the Controller and shall confirm such destruction in writing to the Controller.
9.8.4 To assure the Controller, the Processor’s secure destruction procedure is as follows:
Unless otherwise agreed, the Processor will securely destroy or otherwise delete all personal data within 2 years after the termination of the service provision. Controller employees would still be able to use their Virtual Smartcard for up to 2 years (or until their certificate expires) with another Isosec Trust customer.
9.9 Audits and inspections
The Processor shall:
(a) submit (at its own cost) to audits and inspections and provide the Controller (or a person nominated by the Controller) with whatever information is needed to demonstrate that both parties are meeting Article 28 (3)(h) obligations; and
(b) keep records of the processing it carries out on behalf of the Controller in accordance with Article 30(2) GDPR and make such records available to the Controller and/or the ICO.
10. Indemnity
Subject to the limit of liability below, the Processor shall indemnify the Controller against all costs, claims, damages or expenses incurred by the Controller for which it may become liable due to any failure by the Processor, its employees, agents, contractors or Sub-Processors to comply with any of its obligations set out under this Agreement or the Data Protection Legislation. The Processor's liability in relation to this Agreement shall be limited to an amount equal to the amount paid or payable by the Controller to the Processor under the terms of its Agreement (on a rolling 12-month basis) or £50,000, whichever is the lower sum.
11. RELEVANT GDPR ARTICLES:
Article 27 Representative of controllers or processors not established in the Union
Article 28 Processor
Article 29 Processing under the authority of the controller or processor
Article 30 Records of processing activities
Article 31 Co-operation with the supervisory authority
Article 32 Security of processing
Article 33 Notification of a personal data breach to the supervisory authority
Article 34 Communication of a personal data breach to the data subject
Article 35 Data protection impact assessment
Article 36 Prior consultation
Article 37 Designation of the data protection officer
Article 58 Powers
Article 82 Right to compensation and liability
Article 83 General conditions for imposing administrative fines
Article 84 Penalties