Data Controller Contract

1. SERVICE DESCRIPTION

1.1 The following are the services to be provided under this Contract (hereafter referred to as 'the Services'):

1.1.1 The Services include, but are not limited to: secretarial duties; the transcription, storage, processing and distribution of clinical and organisational letters and documents; the organisation, monitoring and arrangement of diary, booking and clinical activities, including interactions with other organisations, clinical and non-clinical managers, other clinicians and patients; facilitating the transfer of data in an approved manner to patients and others on reasonable and legitimate request; and assistance with such other matters as would be appropriate for an organisational Personal Assistant; and

1.1.2 The performance of the Services will include, but is not limited to, data processing for the following purposes:

(a) to ensure the accuracy and maintenance of clinical, organisational and management records; the transfer of data between clinicians, hospitals, clinics and individuals as necessary for proper clinical care; the facilitation of clinical activity through interactions with medical insurance companies and other organisations; and the secure transfer of patients' records on request, in accordance with GDPR guidelines and requirements and, where appropriate, on proper written request;

(b) electronic and other data assimilation and storage in an approved manner, to ensure proper record keeping and clinical propriety and to facilitate clinical care; and

(c) in respect of Personal Data including, but not limited to: full demographic, financial and contact details for current and former patients, their other clinicians, referrals, and hospital and clinic correspondence by email, message or written communication; and details of clinical diagnosis, management and progress, together with the results of investigations, interventions or surgery, including psychological or psychiatric assessments or recommendations.

Data may be used in national or local audit where specific consent has been obtained for the inclusion of that data in the audit. Data may be made available to other statutory organisations and bodies as required by law or statute, or in order to adhere to clinical or statutory best practice.

2. CONSULTANT'S RIGHTS AND OBLIGATIONS IN RESPECT OF PERSONAL DATA

2.1 The Consultant will be Data Controller for the purposes of this Contract and will be subject to the rights and obligations set out in this Contract and to any further rights or obligations contained within the Data Protection Legislation.

3. PROTECTION OF PERSONAL DATA

3.1 The Parties acknowledge that the Consultant is a Data Controller and that the Medical Secretary is a Data Processor, as he/she Processes Personal Data on the Consultant's behalf.

3.2 The Medical Secretary shall:

3.2.1 Process the Personal Data only in accordance with the Consultant's written instructions, principally as set out in this Contract but otherwise as given in writing from time to time;

3.2.2 ensure at all times that he/she Processes Personal Data in a secure manner, so as to guard against unauthorised or unlawful processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data, by adhering to the Consultant's security measures and any other such measures as are applicable;

3.2.3 at all times Process the Personal Data in accordance with the Data Protection Legislation and the common law duty of confidence;

3.2.4 not disclose or transfer the Personal Data to any third party unless this is absolutely necessary in order for the Medical Secretary to perform his/her duties, and obtain the prior written consent of the Consultant for any such disclosure or transfer, save where the disclosure or transfer is specifically authorised under this Contract or otherwise required by law. The Medical Secretary shall inform the Consultant of any such transfer as soon as reasonably practicable, and not later than 3 Business Days after it takes place. Personal Data approved for transfer without written consent comprise limited demographic details to facilitate clinical bookings or continued care, the minimum data required to arrange and manage clinics or investigations, and interactions with medical insurance companies where necessary;

3.2.5 notify the Consultant within 24 hours if he/she receives:

(a) from a patient or any other Data Subject (or a third party on their behalf):

(i) a Data Subject Access Request (or purported Data Subject Access Request) requesting copies of their medical records or other Personal Data held about them;

(ii) a request to rectify, block or erase any Personal Data; or

(iii) any other request, complaint or communication relating to the Consultant's obligations under the Data Protection Legislation;

(b) any communication from the Information Commissioner or any other regulatory body in connection with Personal Data; or

(c) a request from any third party for disclosure of Personal Data where compliance with such request is required, or purported to be required, by law;

3.2.6 not engage anyone else to process Personal Data on his/her behalf without the express prior written consent of the Consultant, and then only on the same terms as set out in this Clause. The Medical Secretary will remain liable to the Consultant for any breach of the Data Protection Legislation committed by anyone he/she engages to process Personal Data on his/her behalf;

3.2.7 provide the Consultant with full cooperation and assistance (within the timescales reasonably required by the Consultant) in relation to any complaint, communication or request referred to in Clause 3.2.5, including by promptly providing:

(a) the Consultant with full details and copies of the complaint, communication or request;

(b) where applicable, such assistance as is reasonably requested by the Consultant to enable the Consultant to comply with a Data Subject's Rights within the relevant timescales set out in the Data Protection Legislation; and

(c) the Consultant, on request by the Consultant, with any Personal Data he/she holds in relation to a Data Subject;

3.2.8 provide the Consultant with full cooperation and assistance (within the timescales reasonably required by the Consultant) in relation to any Privacy Impact Assessment which the Consultant is required to conduct in accordance with the Data Protection Legislation;

3.2.9 provide the Consultant with full cooperation and assistance (within the timescales reasonably required by the Consultant and taking into account the nature of the processing) to enable the Consultant to comply with his/her obligations under the Data Protection Legislation;

3.2.10 inform the Consultant immediately if asked to do anything in respect of Personal Data which would constitute an infringement of the Data Protection Legislation;

3.2.11 delete all Personal Data when the Contract ends or, if so instructed by the Consultant, instead return all Personal Data to the Consultant;

3.2.12 maintain an inventory detailing the Personal Data processed under this Contract and the manner of that processing; and

3.2.13 if requested by the Consultant, provide a written description of the measures that he/she has taken for the purpose of compliance with his/her obligations under this Clause and the Data Protection Legislation, and provide to the Consultant copies of all documentation relevant to such compliance, including protocols, procedures, guidance, training materials and manuals, as well as the inventory referred to in Clause 3.2.12.

Breach

3.3 The Medical Secretary shall notify the Consultant promptly (and in any event no later than 24 hours after discovery) if he/she becomes aware of any actual, suspected or threatened unauthorised exposure, access, disclosure, Processing, use, communication, deletion, revision, encryption, reproduction or transmission of any component of the Personal Data; any unauthorised access, attempted access or apparent attempted access (physical or otherwise) to Personal Data; or any loss of, damage to, corruption of or destruction of Personal Data. Such an event is known as a Notifiable Data Protection Incident and could include, but is not limited to, loss of medical records, sending patient correspondence to the wrong patient, and otherwise misusing a patient's data.

3.4 If such an incident occurs, the Medical Secretary shall, as a minimum, give the following information to the Consultant:

3.4.1 what has happened to make the Medical Secretary think there has been a breach, the type of Personal Data involved (for instance medical records or financial data) and the approximate number of patients and records concerned; and

3.4.2 whether anything has been done to address the situation, such as retrieving lost data.

3.5 If the Medical Secretary cannot provide any of this information straight away, then it shall be provided as soon as it is reasonably available, and without delay.

Audit

3.6 The Consultant and/or their appointed representatives (the Auditors) shall be entitled to access the Medical Secretary's computer system and places of work to inspect and audit the Medical Secretary's Processing of any Personal Data and to take copies of relevant documentation (a Data Protection Audit).

3.7 A Data Protection Audit shall only take place:

3.7.1 during the Medical Secretary's engagement working for the Consultant, and for a period of 3 years from the expiry or termination of the Contract;

3.7.2 not more than once in any calendar year;

3.7.3 on not less than 5 Business Days' prior written notice from the Consultant, unless such Data Protection Audit is required in accordance with Clause 3.9 below, in which case on not less than 3 Business Days' prior written notice from the Consultant; and

3.7.4 during ordinary business hours.

3.8 The Medical Secretary shall provide his/her full co-operation, including but not limited to providing the Auditors with access to any of the Medical Secretary's systems and places of work, and shall provide the Auditors with all reasonable assistance to enable such inspection, auditing and copying to take place.

3.9 The Consultant shall not be required to give notice of any Data Protection Audit, and there shall be no limit to the number of audits that may take place in any calendar year, if:

3.9.1 the Consultant reasonably believes that the Medical Secretary is in breach of any of his/her obligations under this Contract;

3.9.2 the law or a regulator requires a Data Protection Audit on short notice; or

3.9.3 the Medical Secretary suffers a Notifiable Data Protection Incident, such as losing Personal Data or otherwise using it in an unauthorised manner.

3.10 If a Data Protection Audit reveals that the Medical Secretary has not complied with the terms of this Contract, he/she shall promptly remedy such non-compliance as instructed by the Consultant.

3.11 If, following a Data Protection Audit under this Contract, the Consultant believes that the Medical Secretary has breached his/her obligations in respect of Personal Data, the Consultant may suspend or terminate the Contract.

3.12 The Medical Secretary shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area, or any country not deemed adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together, "Restricted Countries").

3.13 The Medical Secretary shall use his/her reasonable endeavours to assist the Consultant to comply with any obligations under the Data Protection Legislation, and shall not perform his/her obligations under this Contract in such a way as to cause the Consultant to breach any of the Consultant's obligations under the Data Protection Legislation, to the extent that the Medical Secretary is aware, or ought reasonably to have been aware, that the same would be a breach of such obligations.

Definitions

"Data Controller" has the meaning given in the Data Protection Legislation;

"Data Processor" has the meaning given in the Data Protection Legislation;

"Data Subject" has the meaning given in the Data Protection Legislation;

"Data Subject's Rights" means a request by a Data Subject in accordance with rights granted pursuant to the Data Protection Legislation in relation to his or her Personal Data;

"Data Protection Legislation" means (as applicable): (i) the Data Protection Act 1998; (ii) the Data Protection Act 2018 (once implemented); and (iii) from 25 May 2018 onwards, Regulation (EU) 2016/679; as well as the Privacy and Electronic Communications (EC Directive) Regulations 2003 and all other applicable law in respect of data protection and data privacy, including any applicable guidance or codes of practice issued by the Information Commissioner, the Article 29 Working Party and/or the European Data Protection Board (and each of their successors);

"Personal Data" means personal data (as defined in the Data Protection Legislation) which is Processed by the Medical Secretary, or by anyone else engaged under Clause 3.2.6, on behalf of the Consultant pursuant to or in connection with this Contract;

"Process" has the meaning given in the Data Protection Legislation; 'Processed' and 'Processing' shall be construed in the same manner;

"Business Day" means any day other than a Saturday, Sunday or public holiday in England and Wales.