This is an agreement (“Data Processing Agreement”) between the following parties:
1.1
The following words and phrases used in this Agreement, the Appendix or any Schedules shall have the following meanings except where the context otherwise requires:
| CareIQ’s Sub-Processor Webpage | As set out on CareIQ’s Sub-Processor Webpage | | --- | --- | | CareIQ’s Security Measures Webpage | As set out CareIQ’s Data Security Webpage | | Controller | means a natural or legal person or organisation who determines the purposes for which, and the manner in which, any Personal Data are, or are to be processed; | | Processor | in relation to Personal Data, means any person (other than an employee of the Controller) who processes Personal Data on behalf of the Controller; | | Data Protection Legislation | means the EU's General Data Protection Regulation (2016/679), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, the UK GDPR and any mandatory guidance or codes of practice issued by the UK's Information Commissioner's Office from time to time; | | Data Subject | means an individual to whom Personal Data relates; | | GP Medical Record | means the patient’s medical record held by their registered GP. GP medical records include, but are not limited to, information about a patient’s medicine, allergies, vaccinations, previous illnesses and test results, hospital discharge summaries, appointment letters and referral letters; | | Personal Data | any information related to an identifiable natural person which can identify that individual, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; | | Special Categories of Personal Data | means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation; | | Services | means the provision of certain Software by CareIQ to the Healthcare Organisation from time to time, including products currently offered and those offered in the future; | | Software | the software service provided by CareIQ Limited; this software consists of a range of products to support healthcare intelligence for healthcare organisations and their patients; and | | UK GDPR | has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the UK's Data Protection Act 2018 |
2.1
This Data Processing Agreement applies to all data processing activities undertaken by CareIQ on behalf of the Healthcare Organisation, except those specific data processing activities within the scope of another agreement that both CareIQ and the Healthcare Organisation are party to (such as the processing for services procured under the "NHS Digital Care Services Catalogue" suite of agreements).
2.2
This Data Processing Agreement constitutes the written instructions of the Healthcare Organisation to CareIQ to process Personal Data in the manner described in the Schedule. Such instructions may be supplemented by the Healthcare Organisation from time to time if, for example, the Healthcare Organisation elects to use a new Service offering provided by CareIQ or decides to no longer use a particular element of the Services.