1. Each Recipient will ensure that it and any of its Processors who process the Disclosed Data comply with the GDPR, the Data Protection Act 2018, all applicable law concerning privacy or the processing of personal data and the Duty of Confidence when processing the Disclosed Data.
2. Recipients may process the Disclosed Data for the Agreed Purposes only.
3. NHS Digital will share the Disclosed Data securely with the Recipients daily via the NHS Digital Web Viewer.
4. The Recipients are only permitted to store and process the Disclosed Data securely within the UK and the EEA or any country outside the EEA where there is a compliant legal transfer under the UK GDPR.
5. The Recipients and their Processor/s will, on completion of the processing activity for the purpose of contacting patients to arrange a clinical assessment in accordance with the Agreed Purposes, securely destroy the Disclosed Data (including any copies it was necessary for it to take for the Agreed Purposes) and on the request of NHS Digital shall provide a data destruction certificate signed by the Recipient’s and Processor’s Data Protection Officers.
6. The Recipients may only process the Disclosed Data for as long as is necessary to identify their patients to contact for clinical assessment in accordance with the Agreed Purpose. Recipients may process the Disclosed Data about their patients on the NHS Digital Web Viewer for as long as it is necessary to do so for the purposes of the individual care and treatment of those patients.
7. Each Recipient will notify NHS Digital as soon as reasonably practicable after it becomes aware of any Personal Data Breach (as defined in GDPR) by the Recipient concerning the Disclosed Data.
8. The Disclosed Data is confidential patient information and is provided by NHS Digital in confidence to the Recipients and to their Processors. The Disclosed Data must be maintained by the Recipients and their Processors as confidential in accordance with the Duty of Confidence. In particular, the Recipients must comply with their legal responsibilities under COPI when processing the Disclosed Data, including the restrictions laid down in Regulation 7 of COPI. This requires the Recipients when processing the Disclosed Data under COPI:
a. not to process the Disclosed Data more than is necessary to achieve the purposes for which the Recipients are permitted to process that information under Regulation 3(1) of COPI and the Agreed Purposes;
b. so far as it is practical to do so, to remove from the Disclosed Data any particulars which identify the person to whom it relates which are not required for the purposes for which it is, or is to be, processed;
c. not to allow any person access to that information other than a person who, by virtue of their contract of employment or otherwise, is involved in processing the information for one or more of those purposes and is aware of the purpose or purposes for which the information may be processed;
d. not to allow any person to process the Disclosed Data unless that person is a health professional or a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional; and
e. to ensure that appropriate technical and organisational measures are taken to prevent unauthorised processing of the Disclosed Data.
9. The Recipients must ensure that their Privacy Notices are updated as required to reflect that they are processing the Disclosed Data for the Agreed Purposes.
10. NHS Digital (and any auditors of or other advisers to NHS Digital) will be entitled to audit the Recipients’ compliance with these terms of release and the Recipients will provide all co-operation and assistance to NHS Digital in relation to any such audit, including providing access to personnel, premises and where necessary, equipment. NHS Digital will provide reasonable notice of its intention to carry out an audit and shall comply with all visitor rules and regulations applicable when attending at the Recipients’ premises for this purpose.
11. If a Recipient materially or persistently breaches the terms of release, NHS Digital shall be entitled to terminate the data sharing arrangement by providing written notice to the Recipient, which will include the date of termination, which will be considered the End Date above.
12. Any dispute in respect of these terms or their subject matter will be escalated to appropriately senior officers of the Recipient and NHS Digital for resolution.
13. The contact details for the parties’ respective Data Protection Officers are:
14. NHS Digital may also collect outcomes data, inputted onto the CMDU Web Viewer by CMDUs, based upon Section 259 of the Health and Social Care Act 2012.