Data Processing Agreement
This agreement is considered to be agreed upon signing of the Contract for Services between the Practice (acting as the Data Controller) and SurgeryWeb (the Supplier acting as the Data Processor on behalf of the Data Controller).
The Practice (as Data Controller) wishes to subcontract certain services which require the processing of personal data to SurgeryWeb (as Data Processor).
Processing of Personal Data
Both the Practice and SurgeryWeb shall comply with all applicable Data Protection Laws in the processing of the Practices personal data. The personal data to be processed includes (but is not limited to) Patient name, Date of Birth, Sex, Gender, Racial/Ethnic Origin, Address, Postcode, Telephone number, Email address, NHS number and relevant health data.
The Practice instructs SurgeryWeb to process this personal data where necessary to deliver the services provided by them. The processing required and purposes are listed below.
SurgeryWeb shall not process personal data for other purposes other than on the relevant Practices instructions. SurgeryWeb shall process personal data for the duration of the contract between the Practice and the supplier.
Sub-processing
SurgeryWeb will not appoint or share any personal data with any subcontracted processor unless authorised by the Practice. SurgeryWeb shall ensure that any subcontracted processor has implemented appropriate measures to ensure a level of security to the risk of a personal data breach as required by UK GDPR.
| Sub-processor | Personal data | Subject | Purpose | Additional Information |
|---|---|---|---|---|
| Amazon SES | Name, Email | NHS Patients, NHS Staff | Emailing patients and NHS staff | Amazon Web Services commitment to GDPR |
| Catalyst2 | Name, Date of Birth, Sex, Gender, Racial/Ethnic Origin, Address, Postcode, Telephone number, Email address, NHS number and relevant health data, documents, photographs. | SurgeryWeb customers, NHS Patients, NHS Staff | Web hosting, Storage and transmission | Catalyst2 Privacy Policy |
| Dropbox | Name, Date of Birth, Sex, Gender, Racial/Ethnic Origin, Address, Postcode, Telephone number, Email address, NHS number and relevant health data, documents, photographs. | SurgeryWeb customers, NHS Patients, NHS Staff | Storage of Data backups, retained for maximum of 2 weeks | Dropbox GDPR Compliance |
Security
All personal data is encrypted to NHS encryption standards. All personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for while the data is processed.
SurgeryWeb stores encrypted backups in a UK based data centre which auto-delete after a maximum of 2 weeks and is only accessible to authorised staff.
Data Subject Rights
SurgeryWeb will notify the Practice (Data Controller) within 2 working days if a request from a Data Subject is received in respect of personal data and will not respond to the request unless instructed to by the Practice.
Data Breach
SurgeryWeb will notify the Practice (Data Controller) without delay upon becoming aware of a personal data breach affecting personal data, providing the Practice with sufficient information to allow them to meet any obligations to report or inform Data Subjects of the breach under Data Protection Laws.
SurgeryWeb will co-operate with the Practice and take reasonable steps to assist in the investigation, mitigation and remediation of each breach.
Data Retention
SurgeryWeb has adopted retention periods for personal data of 2 weeks (14 days) for data backups and 3 years for data held on servers.
