General Data Protection Regulation GDPR
Data Processing Statement between CareFlow Medicines Management Ltd (CMM) and Healthcare Clients
Section 1: Definitions
Client Systems: Any systems provided by CMM or necessary for the provision of the Support Services provided by CMM.
Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data.
Data Controller: The Healthcare Client; the party determining the means and purposes of processing the Personal Data.
Data Processor: CMM, the party processing the Personal Data on behalf of the Healthcare Client.
GDPR: The General Data Protection Regulation (EU)(2016/479).
Healthcare Client: The client of CMM for the purposes of this Statement.
Personal Data: Any personal data processed by CMM on behalf of the Healthcare Client as defined in Section 3 of this Statement.
Specified Purpose: A list of purposes for which Personal Data can be processed by CMM, as defined in Section 2 of this Statement.
Support Services: The services agreed between the parties to be provided by CMM.
Section 2: Data Sharing Principles
- For the purposes of any data sharing between Healthcare Clients and CMM, CMM will be the Data Processor and the Healthcare Client will be the Data Controller. CMM will also be a Data Processor for any data of Healthcare Clients that it receives on behalf of its Healthcare Clients.
- CMM will only process Personal Data strictly on the instructions of the Healthcare Client and as necessary for a Specified Purpose, as agreed with the Healthcare Client.
- Any access to Personal Data on the Healthcare Client's Systems will only be granted to CMM when required, as requested by the Healthcare Client for a Specified Purpose, as agreed with the Healthcare Client.
- Specified Purposes will include the maintenance of healthcare systems provided to the Healthcare Client by CMM.
- The limitations of these purposes will be specified in advance as agreed with the Healthcare Client. CMM will not process any personal data received from Healthcare Clients for any other purposes than those specified between CMM and the Healthcare Client. CMM will not be responsible for any Personal Data other than that specified in this Section 2 that is disclosed by the Healthcare Client to CMM.
Section 3: Data Processing
- CMM will have access to Client Systems via a remote desktop connection, which will include access to personal data stored on the Client Systems, only as requested by the Healthcare Client.
- Support Services Requests from the Healthcare Client will only be processed by CMM if received from authorised personnel at the Healthcare Client.
- CMM will never request to receive any specific personal data from Healthcare Clients. Any personal data, including the personal data of patients, that CMM receives from its Healthcare Clients will only be received as provided by the Healthcare Client.
- CMM will only process the following Personal Data as received from the Healthcare Client:
  - Patient Data – Limited to hospital ID numbers, patients’ names, patients’ dates of birth, patients’ gender;
  - Sensitive Patient Data – Limited to patients’ medical conditions, drugs prescribed to patients.
- The Healthcare Client will only provide CMM with data that is necessary for its specified purposes as outlined in Section 2 above. CMM and the Healthcare Client will agree on the data needed to be provided for these purposes on an ongoing basis.
- CMM will inform the Healthcare Client, on request, of any Personal Data it is holding, storing and otherwise processing on behalf of the Healthcare Client.
Section 4: Data Security Measures
- CMM will take all reasonable organisational and technical measures to ensure compliance with obligations under the GDPR to ensure the security of any data it receives from Healthcare Clients.
- It will be the responsibility of the Healthcare Client to anonymise any Personal Data before providing this data to CMM for the purposes of IT Support.
- Where CMM receives any Personal Data from the Healthcare Client that has not been anonymised, CMM will reject the data and will not accept it until it is returned in an anonymised format.
- CMM will grant access only to the minimum number of staff required for carrying out the Healthcare Client's request.
- CMM will notify Healthcare Clients within a reasonable amount of time if any Data Breach is detected or suspected to have occurred in relation to any Personal Data processed by CMM.
Section 5: Data Deletion
- Any Personal Data that CMM receives from Healthcare Clients will only be stored for the duration of the task carried out for the Healthcare Client. Following this, it will be deleted from all electronic databases and any physical storage locations operated by CMM.
- CMM will take all reasonable measures to ensure the timely destruction of any Personal Data received which is deemed unnecessary for its functions, as provided for in Section 2 above and as agreed with the Healthcare Client.
- The data deletion will include:
  - Hard copy documents containing Personal Data will be properly shredded and disposed of, or returned to the Healthcare Client for destruction.
  - Electronic files and emails containing Sensitive Personal Data will be deleted from email inboxes, computer hard drives, USB/flash drives, and external hard drives as soon as they are no longer needed for the relevant Support Services.
- Personal Data will only be stored by CMM for longer periods if specifically requested by the Healthcare Client.