THE HEALTH AND SOCIAL CARE INFORMATION CENTRE DATA SHARING CONTRACT

Transcription

1 THE HEALTH AND SOCIAL CARE INFORMATION CENTRE DATA SHARING CONTRACT CONTRACT TYPE CONTRACT REF HIGH RISK REF HIGH RISK N/A 1. PARTIES TO THE CONTRACT This Contract is made between: The Health & Social Care Information Centre (the HSCIC) 1 Trevelyan Square Boar Lane Leeds LS1 6AE And: <Legal format of name, company number if applicable, registered address etc.> (Data Recipient)

2 2. SCOPE OF THE CONTRACT Start date 01/04/2013 End date 30/06/2013 Term The period from the Start Date until the End Date Field Subject to the terms and conditions specified here within, this Contract grants to the data recipient rights as set out in this Contract to utilise the data in products or services supplied by you for; <Mark those appropriate> Comparative Analysis Academic Research Public Task Improving the quality of healthcare management and service delivery Business to Business trading Internal Business Development Territory England UK Europe Worldwide 3. DATA REQUIREMENTS Data Required Data specification details in Schedule 2 Access to SUS data from all CDS types The Secondary Uses Service Online Data Access Service is a reporting tool which allows registered users to access all submitted Commissioning Data Set (CDS) activity data and produce tailored data extracts to assist with contract monitoring, performance analysis and healthcare planning. System access is dependent on pre-defined role based access permissions, ensuring the protection of patient identifiable data

3 Level of Data Required 1. Anonymised with third party terms and conditions. Schedule N/A 2. Record Level pseudonymised 3. High Risk IG Sign off required a) High Risk Record Level Pseudonymised including sensitive LEGAL GATEWAY ECC 2-05 (b)/2007 1/2/3/5/6/7/ 8/9 b) High Risk Record Level including ONS Data c) High Risk Record Level including Identifiable Data NO ONS DATA LEGAL GATEWAY ECC 2-05 (b)/2007 <See Schedule 5 part 2 for specific conditions> 1/2/3/5/6/7/ 8/9 Purpose The Data Recipient agrees to process the data only for the purposes agreed with the HSCIC and only data for 2012/13 and 2013/14 to maintain essential business continuity, namely: This contract allows the Data Recipient access to SUS data from all CDS types. Access is required to the Commissioning Data Sets (CDS) within SUS for a 3 month period. This is a temporary measure designed to support business continuity. Commissioning Data Sets (CDS) The analyses of the data by NHS Commissioners are to be used for 1) Auditing and monitoring patient care delivery checking for appropriate procedures against diagnoses by provider; checking lengths of stay by provider or by condition; checking appropriate pathways across providers; checking re-admission rates; checking levels of types of admissions; checking referral patterns by practice or by condition for normal/abnormal patterns. 2) Effective pathways and use of resources and capacity - checking pathways by spells and linked events; supporting enabling and ensuring patient treatment

4 within agreed time periods; monitoring referral to treatment both retrospectively and prospectively; monitoring costs and service level agreements (through PbR Mart and RTT analysis facilities). 3) Support service redesign and modernisation: a. To ensure that services are provided to patients in appropriate locations. b. To provide learning and potentially predictions in likely patient pathways for certain conditions, in order to influence early interventions and other treatments for patients. c. To provide analysis of outcome measures for differential treatments, accounting for the full patient pathway. 4) Understanding health needs on geographic bases (e.g. health conditions, length of stay, link to deprivation) and improve targeting of interventions to geographic populations; understanding DNA (did not attend) rates by area; estimating service uptake between different populations or areas of residence or by deprivation indices. 5) Enabling clinicians with legitimate relationships to identify and contact patients, for example those who would benefit from Active Case Management, thereby providing a more appropriate level of care to the patient. 6) Supporting care service planning and commissioning (including Practice Based Commissioning and Payment by Results) and performance management, Data Transfer Method Special Conditions Via Registration Authority (RA) Access Special Conditions are set out in Schedules 5; 7 & 8 shall apply to the Data. Additionally the Data Controller is responsible for ensuring all staff requiring access to identifiable data as part of their role, understand and abide by the restrictions on the use of this data. It is expected that the Data Controller will make available, a summary of the relevant sections of this contract, to all relevant staff. Schedule 9 summarises the terms of this contract using the template provided within the ICOs Data Sharing Code of Practice. This must be completed locally in respect of local arrangements for Access and Human Rights and Data Retention processes. Once completed schedule 9 may be used as a basis for informing staff.

5 1. INTERPRETATION 1.1. Certain words and expressions used in and principles of interpretation applicable to this Contract are defined or set out in Schedule 1 (Interpretation) The Schedules form part of this Contract and any reference to this Contract includes the Schedules If there is a conflict or inconsistency between any provision contained in the body of this Contract and any provision contained in a Schedule, except where provided to the contrary in the former, the former prevails to the extent of the conflict or inconsistency. 2. DATA CONTROLLER RESPONSIBILITIES 2.1. The HSCIC or a Data Controller of the Data agrees to share, and the Data Recipient agrees to take, the Data in accordance with and subject to the terms and condition of this Contract This Contract shall, subject to prior termination in accordance with clause 10, continue for the period set out in clause 2 until terminated by the HSCIC serving notice in accordance with clause The HSCIC is a Data Controller of the Data insofar as it is Personal Data. Where the Data shared is High Risk Record Level including Identifiable Data, the HSCIC may become a joint Data Controller or a Data Controller in common with the Data Recipient dependent on the Purpose for which the Data Recipient uses the Data The relevant Data Controller shall, at all times, process Personal Data held by it as Data Controller in accordance with the terms of the DPA The HSCIC shall transfer the Data to the Data Recipient using the agreed Data Transfer Method. 3. DATA RECIPIENT RESPONSIBILITIES 3.1. Where the Data Recipient obtains Data from the HSCIC it shall hold such Data as Data Processor, Data Controller, Data Controller in common or joint Data Controller as relevant The Data Recipient: shall, subject to clause , use the Data only as permitted in accordance with the Purpose within the Field and the Territory shall process the Data, insofar as it is Personal Data, in accordance with the DPA; shall process the Data in accordance with the Special Conditions (if any); may not share the Data with any third party without the prior written permission of the HSCIC. Where Data is shared with a third party pursuant to this clause the Data Recipient shall enter into an agreement with such third party for the sharing of that Data which contains provisions regarding the sharing of the Data which are, as a minimum, equivalent to those set out in this Contract; shall, where it is used for a Non-NHS Purpose, comply with the Re-Use Terms;

6 3.2.6 shall, when the Data is deemed by the HSCIC to be:- a) High Risk Record Level Pseudonymised Data including Sensitive Data, process the Data in accordance with the High Risk Record Level Pseudonymised Data including Sensitive Data Terms and Conditions in addition to all other terms of this Contract ; b) High Risk Record Level Data including ONS Data process the Data in accordance with the High Risk Record Level Data including ONS Data Terms and Conditions in addition to all other terms of this Contract; c) High Risk Record Level Data including Identifiable Data, process the Data in accordance with the relevant Section 251 Approval (if one exists) and in any event in accordance with the Section 251 Terms and Conditions, in addition to all other terms of this Contract shall, where it receives Sensitive Data, other than Section 251 Data, become a data custodian for such Data and shall be responsible for processing such Sensitive Data in accordance with any specific legal or regulatory standard applied to such Data; shall, on termination of this Contract or earlier if use of the Data is completed, destroy the Data, together with all hard or soft copies of the same and certify such destruction using a Certificate of Destruction; may notify the HSCIC in writing that it wishes to retain use of the Data at the end of this Contract for a purpose other than the Purpose. The HSCIC shall inform the Data Recipient whether or not it grants such permission, and where it does so, it shall notify the Data Recipient in writing; and notify any Data Breaches to the HSCIC as soon as the Data Recipient discovers such Data Breach and where appropriate or directed by the HSCIC, to the Information Commissioner s Office 3.3 Where Non-Personalised Data has been supplied by the HSCIC and then becomes identifiable, the Data Recipient shall become the Data Controller for such Data. 4. DATA SECURITY 4.1 The Data Recipient shall process the Data at all times: in accordance with the DPA: using appropriate technical and organisational security measures against unauthorised or unlawful processing of Data and against accidental loss or destruction of, or damage to the Data; in accordance with the provisions of Schedule 7 part 1 for all levels of data being shared; and in accordance with the provisions of Schedule 7 part 2 for Record Level Pseudonymised Data, High Risk Record Level Pseudonymised Data including

7 Sensitive Data, High Risk Record Level Data including ONS data and High Risk Record Level Data including Identifiable Data. 4.2 The Data Recipient shall not, and shall procure that third parties to whom it transfers the Data shall not, transfer the Data to another territory outside the European Economic Area (EEA) except with the express prior written consent of the HSCIC and only in circumstances when such transfer is permitted under the DPA. 5. AUDIT AND SPECIFIC RIGHTS The HSCIC is entitled at any time during the term of this Contract to require the Data Recipient to permit the HSCIC to audit the Data Recipient s use of the Data. The Data Recipient shall, for the purpose of such audit, provide or procure the access to the Data Recipient s sites, systems, procedures, documents and staff as may be necessary or desirable in connection with the audit and still permit the HSCIC to take copies of relevant documents and data pursuant to such audit. 6. WARRANTIES The Data Recipient warrants that it shall use the Data in accordance with all applicable regulatory requirements and standards, laws and regulations relating to the use of such Data. 7. CHARGES 7.1 In consideration of the provision of the Data by the HSCIC, the Data Recipient agrees to pay the Charges (if any) as set out in Schedule 3 and to process the Data in accordance with the specific requirements of this Contract. All Charges payable are exclusive of value added tax and all other applicable taxes, duties of levies. 7.2 Charges shall be paid within 30 days of the date of the HSCIC s invoice. 8. CONFIDENTIALITY 8.1 The Data Recipient agrees in relation to the Data [and any other information provided to it by the HSCIC in the course of this Contract] during this Contract and for ten years afterwards that: it shall keep such Data separate from all other information and shall keep such information confidential and shall not disclose it to any third party or make any attempts to identify an individual from such Data save where expressly permitted to do so in accordance with the terms of this Contract; it shall, on termination of this Contract or earlier if use of the Data is completed, destroy the Data, together with all hard or soft copies of the same and certify such destruction using a Certificate of Destruction; and it shall use such Data only in so far as is necessary to perform this Contract. 8.2 The restrictions as to disclosure and use contained in clause 8.1 shall not apply to information to the extent that it is or was: already in the possession of or becomes available to Data Recipient in either case free of any obligation of confidentiality;

8 8.2.2 is required to be disclosed by the Data Recipient by law, regulation or pursuant to an order of a competent authority, or to a professional adviser; or at the time of receipt by the Data Recipient, is in the public domain or after such receipt comes into the public domain other than as a result of breach by the Data Recipient of this clause The Data Recipient shall be responsible for any unauthorised disclosure or use of the Data made by any of its employees, agents, or sub-contractors and shall take all reasonable precautions to prevent such unauthorised disclosure or use. 8.4 Without prejudice to any other rights and remedies the HSCIC may have, the Data Recipient agrees that damages may not be an adequate remedy for any breach of this clause 8 and accordingly the Data Recipient agrees that the HSCIC will be entitled, without proof of special damage, to the remedies of an injunction and other equitable relief for any actual or threatened breach of this clause8. 9. EXTENT OF LIABILITY 9.1 The following sets out the entire liability of the HSCIC to the Data Recipient in respect of: any breach by the HSCIC of this Contract; negligence for which the HSCIC is liable or any other tortious liability or breach of statutory duty in connection with this Contract; and any representation or statement arising under or in connection with this Contract or by or on behalf of the HSCIC. 9.2 The total liability of the HSCIC to the Data Recipient (including any liability of the HSCIC to pay interest on late payments under any contractual provision or statute) and in respect of all claims arising under any of the matters set out in clause 9.1 shall not exceed [ [amount]]. 9.3 HSCIC shall in no circumstances be liable to the Data Recipient for: any loss of profits, loss of business or production, loss of data, depletion of goodwill; and any Indirect Loss. 9.4 Other than any warranties expressly set out in this Contract, all warranties, conditions or other terms, whether express or implied by statute, common law, trade usage or otherwise are excluded except to the extent the exclusion is prohibited by law. 9.5 Notwithstanding anything to the contrary, the HSCIC s liability to the Data Recipient for: death or personal injury resulting from the negligence of the HSCIC, its employees, agents or sub-contractors; damage for which the HSCIC is liable to the Data Recipient under Part I Consumer Protection Act 1987 or equivalent; and

9 9.5.3 fraud shall not be excluded or limited nor shall any other liability of the HSCIC to the extent such liability may not be excluded or limited as a matter of law. 10. INDEMNITY The Data Recipient shall indemnify the HSCIC in full for any costs, losses, charges, expenses it suffers arising out of the Data Recipient s loss of the Data or unauthorised or unlawful use of it whether arising in negligence or otherwise and including any fine imposed on the HSCIC by the Information Commissioner by way of a civil monetary penalty under s55 DPA. 11. TERMINATION 11.1 Subject to prior termination under clause 11.2, the HSCIC may terminate this Contract by giving to the Data Recipient not less than [one] months written notice expiring at the end of the relevant period of three months The HSCIC may terminate this Contract with immediate effect by written notice to the Data Recipient on or at any time after the occurrence of an event specified in clause The events are: the Data Recipient is in material breach of this Contract and that breach cannot be remedied; the Data Recipient is in material breach of this Contract which can be remedied but the Data Recipient fails to do so within 30 days starting on the day after receipt of the written notice from the HSCIC referred to in clause 11.2; the Data Recipient stops payment of its debts or is unable to pay its debts as they fall due; the Data Recipient is dissolved; the Defaulting Party becomes or is declared insolvent or a resolution is passed for the winding up of the Data Recipient or the Data Recipient convenes a meeting of its creditors or makes or proposes to make any arrangement or composition with its creditors or a liquidator, an administrative receiver, a receiver, manager, trustee or administrator or analogous officer is appointed in respect of all or any part of its property, undertaking or assets or the Data Recipient becomes subject to any bankruptcy procedure or analogous insolvency procedure in any jurisdiction or any person files a notice of intention to appoint an administrator or a notice of appointment of an administrator or applies to court for an administration order in respect of the Data Recipient; it becomes unlawful for the Data Recipient to perform all or any of its obligations under this Contract; or the Data Recipient (being a natural person) shall die or become mentally incapacitated. 12 ASSIGNMENT The Data Recipient shall not, without the prior written consent of the HSCIC, assign, novate, transfer, charge, dispose of or deal in any other manner with this Contract or any of its rights or

10 beneficial interests under it, or purport to do any of the same, nor sub-contract any or all of its obligations under this Contract. The HSCIC may assign, transfer, charge, dispose of or deal in any manner with its rights and obligations under this Contract. Where it does so, it shall notify the Data Recipient of such change. 13 NOTICES 13.1 Any communication given under this Contract shall be in writing and delivered personally by or by pre-paid recorded, special delivery or first class post (or air mail post if to an address outside the United Kingdom) to the address of the party who is to receive such communication as set out on page 1 or to such other address in the United Kingdom as may from time to time be specified in writing by the relevant party as its address for the purpose of this clause Each party undertakes to notify the other party in accordance with this clause 13 if the address specified in this clause 13 is no longer an appropriate address for the service of communications. 14. MISCELLANEOUS 14.1 Nothing in this Contract or any arrangement contemplated by it shall constitute either party a partner, agent, fiduciary or employee of the other party No amendment or variation of the terms of this Contract shall be effective unless made or confirmed in writing and signed by the parties to this Contract If any provision of this Contract shall be found by any court or body or authority of competent jurisdiction to be invalid or unenforceable, such provision shall be severed from the remainder of this Contract which shall remain in full force and effect to the extent permitted by law The rights and remedies provided by this Contract are cumulative and (unless otherwise provided in this Contract) are not exclusive of any rights or remedies provided by law This Contract does not create, confer or purport to create or confer any benefit or right enforceable by any person not a party to it (except that a person who is a permitted successor to or assignee of the rights of a party to this Contract shall be deemed to be a party to this Contract). 15. GOVERNING LAW AND JURISDICTION 15.1 This Contract and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with English law Each party irrevocably agrees that the courts of England and Wales shall have nonexclusive jurisdiction to hear and determine any suit, action or proceedings, and to settle any disputes or claims (including non-contractual disputes or claims) which may arise out of or in connection with this Contract, its subject matter or formation. 16. ENTIRE CONTRACT

11 16.1 This Contract constitutes the entire agreement and understanding of the parties and supersedes any previous agreement between the parties relating to the subject matter of this Contract but without prejudice to the rights and liabilities of the parties accrued before the date of this Contract Nothing in this clause 16 shall operate to limit or exclude any liability for fraud. This Contract has been entered into on the date specified on page 1. SCHEDULE 1 Part 1 Interpretation 1. In this Contract the following expressions have the following meanings:- Agreed Purpose Anonymised Data with Third Party Terms and Conditions the purpose(s) which the Data Recipient wishes to use the Data for, as set out in clause 3; data which cannot identify an individual but which may have additional terms and conditions imposed upon its use by a third party. Certificate of Destruction Charges Data Data Breaches Data Controller Data Transfer Method Deletion Policy a certificate in the form set out in Schedule 6 which certifies that the Data and all hard and soft copies thereof have been destroyed by the Data Recipient; the charges payable, if any, for the provision of the Data as set out in Schedule 4; all data shared by the HSCIC under the terms of this Contract including as applicable, Anonymised Data with Third Party Terms and Conditions, Record Level Pseudonymised Data, High Risk Record Level Pseudonymised Data including Sensitive Data, High Risk Record Level Data including ONS Data, High Risk Record Level Data including Identifiable Data; a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data; as defined in the DPA; the method of transferring the Data to the Data Recipient as described in Section 2; the Data Recipient s policy for the deletion of Data;

12 Depersonalised Data information that relates to individuals where it is not possible to identify individuals from that information, whether in isolation or in conjunction with any other information; DPA the Data Protection Act 1998; Field as defined in clause 2; High Risk Data High Risk Record Level Data including Identifiable Data High Risk Record Level Data including ONS Data High Risk Record Level Data including ONS Data Terms and Conditions High Risk Record Level Pseudonymised Data including Sensitive Data High Risk Record Level Pseudonymised Data including Sensitive Data Terms and Conditions Indirect Loss NHS Purpose a Non-NHS Purpose High Risk Record Level Pseudonymised Data including Sensitive Data, High Risk Record Level Data including ONS Data and High Risk Record Level Data including Identifiable Data or Data which is otherwise categorised by HSCIC as High Risk Data and notified as such to the Data Recipient; Record Level Identifiable Data which includes Personal Data and/or Sensitive Data which requires either patient consent or Section 251 Approval in order for the Data Recipient to be permitted to process it or Data which the Data Controller is otherwise permitted by statute to process; Record Level Data which contains sensitive items and is designated as High Risk Data by HSCIC and which contains Data from the Office of National Statistics; the terms and conditions of use for High Risk Record Level Data including ONS Data; Record Level Data which is Non-Personal Data and which contains sensitive items and is designated as High Risk Data in writing by HSCIC and notified to the Data Recipient; the terms and conditions of use for High Risk Data as set out in Part 1 of Schedule 5; any indirect loss, damage, costs or expenses arising out of or in connection with this Contract or its contemplated or lack of performance; a purpose which, in respect of a public authority, is part of the organisation s public task together with any purpose carried out by a [commercial] service provider acting on behalf of such organisation for such public task; a purpose of processing Data other than for an NHS Purpose;

13 Non-Personal Data Personal Data Publish information that does not relate to people including information about organisations, companies, resources, projects or information about people that has been aggregated to a level that is not about individuals but that could become Personal Data when merged with other data sets held by the Data Recipient; as defined in the DPA including Sensitive Personal Data; to make available to third parties in any form, including the production of hard copy materials, soft and/or electronic copies, s and posting online; Purpose as defined in clause 3; Record Level Pseudonymised Data Re-Use Terms Section 251 Approval Section 251 Terms and Conditions Sensitive Data Special Conditions individual record data which does not contain any identifiable or sensitive items but which may be deemed disclosive; the licence and terms for use of the Data as set out in Schedule 3; an approval under section 251 of the NHS Act 2006 which re-enacted Section 60 of the Health & Social Care Act 2001 whereby an organisation can process confidential medical information without the consent of the patient subject to the terms of the particular section 251 approval which is granted by the relevant authority; the terms and conditions of use for the Section 251 Data as set out in Part 2 of Schedule 5; includes sensitive personal Data as defined in the DPA and other sensitive Data; the special conditions for processing the Data as set out in Schedule 8; and Territory as stated in clause [ ]. 1.1 In this Contract: any gender includes any other gender and the singular includes the plural and vice versa; references to persons include bodies corporate, unincorporated associations, governments, states, partnerships and trusts (in each case, whether or not having separate legal personality); the Schedules form part of this Contract and the expression this Contract includes the Schedules; and

14 1.1.4 any reference to a statutory provision includes a reference to any modification, consolidation or re-enactment of the provision from time to time in force and all subordinate instruments, orders or regulations made under it.

15 SCHEDULE 2 Data Specification Access to SUS data from all CDS types The Secondary Uses Service Online Data Access Service is a reporting tool which allows registered users to access all submitted Commissioning Data Set (CDS) activity data and produce tailored data extracts to assist with contract monitoring, performance analysis and healthcare planning. System access is dependent on pre-defined role based access permissions, ensuring the protection of patient identifiable data The data items that will be extracted will be from the full contents of the full range of CDS and are subject to change as changes are made to the CDS and ratified through the Information Standards Board (ISB). The data items themselves are as defined in the NHS Data Dictionary. Data can only be accessed for years 2012/13 and 2013/14 Data sets contained within CDS are: Admitted Patient Care Accident and Emergency Waiting List Critical Care Augmented Care Periods Care Activity and Future Care Activity (the latter cover outpatient and diagnostic attendances and the associated future attendances and replace the previous outpatient CDS). Data can only be accessed for years 2012/13 and 2013/14 to maintain essential business continuity These CDS have a common set of patient identifiable data, namely NHS Number, local patient identifier, date of birth and postcode of usual address and the associated quasi identifiers data items of gender and ethnic category. Alternatively where possible to meet the purpose, staff should access patient records where the identifiable data items are held in pseudonymised form.

16 SCHEDULE 3 Re-Use Terms and Conditions Part 1 1. This Contract grants to the Data Recipient a time limited licence to re-use the data supplied under the terms of this Contract. The Data must only be used in accordance with the terms set out in this Contract and as additionally contained in the HSCIC s Standard Terms and Conditions for the Use and Re-Use of Public Sector Information, (Version 2.2) and as may be additionally specified in any annexes. 2. Together the term Field and Territory represent the permissible Market for the Data Recipient s products and services in accordance with the HSCIC s Re-Use of Information, Re-Use License Fees Policy (Version 1.2). Should the Data Recipient require an agreement or agreements for additional markets, please contact the HSCIC to discuss the terms and conditions on which such additional agreements might be granted. 3. In case of conflict or ambiguity, the terms and conditions set out in this Schedule 1 shall take precedence over any corresponding terms and conditions contained in subsidiary documents referenced herein. 4. Based on the purpose stated in section 3 of this Contract, the HSCIC grants the Data Recipient a time limited, non-exclusive licence to use or re-use the Data specified supplied under this Contract for the following purposes: 4.1 Use only within the Field and Territory as specified in this Contract. 4.2 Publishing the material in any medium, including featuring the information asset on websites which can be accessed via the Internet or via an internal electronic network or on an Intranet. 4.3 Authorising users and subscribers who use the Data Recipient s electronic or digital products to access the material. 4.4 Translating the information asset into another language or converting to Braille or other formats for people who are visually impaired. 5 If the Data Recipient is obliged to respond to requests under the Freedom of Information Act 2000 and a request is received regarding the data supplied under this Contract, then the Data Recipient is required to consult with the HSCIC prior to any release of data. 6. The Data must not be shared with any third party in the format in which it is provided to the Data Recipient by the HSCIC unless sub licence arrangements have been agreed between the parties and are in place. Sub licence arrangements are to be agreed separately with the HSCIC and the HSCIC reserves the right not to enter a sub-licence at its discretion. 7. Unless otherwise specified in any annexes attached to this Contract, the HSCIC will retain copyright of the Data supplied and this must be cited correctly as follows: 8. Copyright YYYY, Re-used with the permission of the Health and Social Care Information Centre. All rights reserved.

17 9. The Data received under the terms of this Contract may incur a charge payable by the Data Recipient for its provision, if applicable please refer to Schedule 4.

18 Part 2 Reuse Conditions N/A IN THIS CONTRACT

19 SCHEDULE 4 Charges NONE TO BE APPLIED

20 SCHEDULE 5 Part 1 High Risk Data Terms and ConditionsIn order to protect the data, the data recipient agrees: 1. To store and process the data securely, and destroy it when it is no longer necessary; 2. To not publish in full the data received through this Contract, but only once de-identified to a standard suitable for subsequent release; 3. To maintain good information governance standards and practices, meeting or exceeding the Information Governance Toolkit standards required of their organisation type 1 4. To not disseminate the data, or a subset of the data, received from the HSCIC to other bodies without explicit authorisation from the HSCIC, other than when publishing the data; 5. To monitor access to the data. 6. No contact will be made with any individual(s) that could be identified from the information supplied, other than in accordance with the documented consent of the individual(s) concerned, some form of statutory authority (e.g. s251) or for a purpose judged to be sufficiently in the public interest, having regard to guidance published by the Department of Health, NHS England or the HSCIC, to warrant that contact. 7. Users of the Data supplied are obliged to fully comply with The Data Protection Act 1998, together with all other related and relevant legislation and Department of Health directives covering issues of Data sharing and including: British (International) Standard ISO 27001; The Caldicott Report 1997; The Freedom of Information Act 2000; Section 251 of the NHS Act 2006 (originally enacted under Section 60 of the Health and Social Care Act 2001), Confidentiality: NHS Code of Practice 2003; NHS Records Management Code of Practice (Part 1, 2006 & Part 2, 2009); Health and Social Care Act 2012 The NHS Information Security Management Code of Practice 2007; The Computer Misuse Act 1990; The Electronic Communications Act 2000; The Regulation of Investigatory Powers Act 2000; The Copyright, Designs and Patents Act 1988; The Re-Use of Public Sector Information Regulations 2005; The Human Rights Act 1998 The NHS Care Record Guarantee 2007 Anonymisation Standard for Publishing Health and Social Care Data Code of Confidentiality 8. Before undertaking any publication activity using this Dataset or any derived information, the data recipient will undertake an organisational Risk Assessment Exercise to ensure compliance with the above guidelines. The risk assessment will be in line with the standards set out in the Anonymisation Standard for Publishing Health and Social Care Data. 1 Organisations that are not required to complete the IG Toolkit will be required to be able to demonstrate that their information governance standards are sufficient through annex 1.

21 Part 2 Section 251 Terms and Conditions Specific s251 terms and conditions include: 1. Data can only be accessed for years 2012/13 and 2013/14 to maintain essential business continuity 2. Each autonomous CCG and NHS England (on behalf of CSUs) will be required to sign and abide by the terms of a data sharing contract with the Health and Social Care Information Centre. 3. That CSU and autonomous CCGs data security arrangements are to be approved by the Department of Health and the Health and Social Care Information Centre. This will require either an appropriate submission of the IG Toolkit or a commitment to deliver an IG Toolkit submission if one has not already been made. 4. All CSUs and autonomous CCG staff who will be accessing patient data must have a Confidentiality clause in their contract of employment. In addition, all staff accessing the data must be made aware of the purposes for which the data can be used as outlined in the data sharing contract. Data recipients must notify the HSCIC of how they will handle the data at the end of the three month period. They will be required to either: a) Destroy the data and seek an alternative de-identified flow from the HSCIC, b) Ensure that appropriate processes are in place to de-identify the data and destroy the identifiers c) Confirm that appropriate s251 support is in place for continued access and processing of the identifiable data: a. Provide reference to any national s251 support b. Provide reference to an individual s251 support Onward disclosure of the data is only permitted where there is an appropriate lawful basis such as patient consent or s251 support to do so. The data can only be published where it has been de-identified in accordance with the published information standard on anonymisation for publication. Any disclosure of de-identified data where there is a risk of re-identification can only be undertaken with agreement from the HSCIC and under similar, appropriate terms and conditions that will protect privacy and confidentiality. When processing data under this Contract for purposes requiring the approval of the Secretary of State under regulation 5 of the National Health Service (Control of Patient Information) Regulations 2002, no attempt shall be made to establish the identity of any individual to a degree that would enable that individual to be contacted, unless this was specifically approved through the approvals process. In the absence of this specific approval, where an individual is inadvertently identified to the extent that would enable him/her to be contacted or it is reasonable for the data recipient to be aware that data relating to an individual has been placed into the public domain or has otherwise been made available that would enable such contact then the data relating to that individual must

22 be anonymised (i.e. NHS Number and other identifiers must be deleted)

23 SCHEDULE 6 Certificate of Destruction AGREEMENT REF NUMBER: DATE OF DESTRUCTION: METHOD OF DESTRUCTION: <Certificate of destruction to be attached and sent to the HSCIC along with this schedule 6 completed.> SIGNITURE OF DATA RECIPIENT DATE

24 SCHEDULE 7 Data Security Requirements Part 1 1. Without prejudice to the Data Recipient s other obligations in respect of information security, the Data Recipient shall:- 1.1 having regard to the state of technological development and to the cost of implementing any measures, provide a level of security (including appropriate technical and organisational measures) appropriate to: the harm that might result from unauthorised or unlawful processing of Data or accidental loss, destruction or damage of such Data; and the nature of the Data; 1.2 ensure that access to the Data is limited to those employees who need access to the Data to meet the Data Recipient s obligations under this Contract; 1.3 take reasonable steps to ensure the reliability of the Data Recipient s personnel who have access to the Data which shall include: ensuring all staff engaged by the Data Recipient understand the confidential nature of the Data and the issues which arise if proper care is not taken in the processing of the Data; ensuring all staff engaged by the Data Recipient are properly trained in data protection and to ensure that all staff must have completed such training prior to their use of the Data. Where requested to do so the Data Recipient shall provide examples of training materials used, together with methodologies used to demonstrate that personnel have understood the training. Training shall be repeated at regular intervals to take account of developments in law on good data protection practice and in any event [on an annual basis]; and ensuring all staff (including temporary staff) are properly vetted, both during the initial recruitment process and throughout their engagement in their processing of the Data, including through the use of procedures to identify changes in personal circumstances which may affect an employees ability to process the Data in accordance with the terms of this Contract; 1.4 provide the HSCIC with such information, assistance and co-operation as HSCIC may require from time to time to establish the HSCIC s compliance with the DPA; 1.5 inform the HSCIC as soon as reasonably practicable of any particular risk to the security of the DPA of which it becomes aware and of the categories of Data and individuals which may be affected; 2 The Data Recipient shall promptly, and in any event not later than reasonably required in order to enable the HSCIC to fulfil its duties under the DPA:- 2.1 pass on to the HSCIC any enquiries or communication (including subject access requests) relating to their Personal Data or its processing; and

25 i. provide such information as may be required for the purpose of responding to any such data subjects or otherwise to comply with its or the HSCIC s duties under the DPA. 3 The Data Recipient shall implement and maintain security standards, facilities, controls and procedures appropriate to the nature of the Data held by it and the harm that would be caused by its loss or disclosure including a data protection policy. The Data Recipient shall ensure that all its employees, agents or contractors shall comply with the obligations upon them contained in the data protection policy. 4 The Data Recipient shall ensure:- 4.1 that it has properly configured access rights for its staff, including a well-defined joiners and leavers process to ensure access rights are properly managed; 4.2 that it has proper controls in place to make sure that complex alphanumeric passwords are required for access to the Data and that training is provided in relation to the need to keep such passwords secure; 4.3 it has in place procedures to identify wrongful use of Data, including the monitoring of wrongful access to Data; 4.4 suitable and effective authentication processes are established and used to protect Data; 4.5 Data is backed up on a regular basis and that any back up data which is subject to such vigorous security procedures as are necessary in order to protect data integrity, such security measures being commensurate to the nature of the data. The Data Recipient shall take particular care when transporting backup data and other personal information and shall ensure such backup data and other personal information is transported in a safe and secure manner; 4.6 data transferred electronically is encrypted; 4.7 information stored on laptops or other portable media is encrypted and that the Contractor maintains an accurate, up to date asset register, including all such portable media used in the provision of the Services; 4.8 that employees are not able to access the data from home or via their own electronic device other than through a secure electronic network and that data may not be stored in such devices; 4.9 that suitable physical security measures are established commensurate to the harm that could result from the unlawful disclosure of personal data. Such physical security measures shall be as identified in the Data Recipient s data protection policy; 4.10 all data which is disposed of is disposed of pursuant to the Data Recipient policy for the disposal of data identified in the data protection policy, including the disposal of assets containing personal data, a copy of which policy shall be provided, on request, to the HSCIC; and

26 4.11 that the Data Recipient establishes and maintains adequate data security compliance policies and audits its use of personal data in compliance with its data security policies on a regular basis and in any event annually. 5 The Contractor shall nominate in writing an individual to take responsibility and be accountable for compliance with the DPA.

27 SCHEDULE 7 Data Security Requirements Part 2 1. It is Department of Health policy for all bodies that process NHS patient information to provide security assurance through annual completion and publication of an Information Governance (IG) Toolkit. The Department now wishes to seek this assurance from bodies that obtain NHS patient information in circumstances approved under section 251 NHS Act 2006 and supporting Regulations. A requirement within the Regulations is to ensure that appropriate technical and organisational measures are taken to prevent unauthorised processing of that information. Assurance over this aspect is now provided through satisfactory IG Toolkit submission including applications requiring sensitive data items approved by Data Access Advisory group (DAAG) and those covering access to Registration data approved by Office of National Statistics (ONS) 2. Applicant Security Responsibilities The Data Recipient understands and accepts that it becomes the Data Controller in common for personal (identifiable) data received from the HSCIC. As such the Data Recipient is responsible for processing the data in accordance with the Data Protection Act 1998 and maintaining good information governance standards and practices. The Data Recipient also understands and accepts that it becomes the data custodian for sensitive personal data. As such the Data Recipient is responsible for processing the Data in accordance with any specific legal or regulatory standards applied to the Data in question. 3. To provide assurance that good Information Governance practices are being maintained, the Data Recipient can demonstrate and will allow the HSCIC to audit that it: (please tick appropriate box) meets or exceeds the Information Governance Toolkit standards required for their organisation type, where applicable. (please provide organisation code and score) is Certified against international security standard ISO (please provide certification details) has other assurance in place (please provide details) 4. In cases where these assurance standards are not appropriate, the Data Recipient will ensure it meets the following requirements, which the HSCIC reserves the right to audit. 5. As a Data Controller/data custodian, with respect to the data being provided by the HSCIC, the Data Recipient undertakes to ensure that:

28 5.1 It processes personal or sensitive personal data only for medical purposes, and only for purposes described in the data sharing contract with the HSCIC which it assures are also consistent with the purposes recorded in the Data Recipient s data protection registration with the Information Commissioner s Office; 5.2 It processes the minimum data necessary (e.g. using age range rather than age if sufficient) 5.3 It deploys secure processes, procedures, practice and technology for storage and access, commensurate with the personal or sensitive personal data being processed 5.4 It ensures no individual other than those to be named in the Contract will access the data, and that all computer terminals and other means of access are maintained securely in secure premises. 5.5 It ensures the rights of individuals are met, such as satisfying subject access requests received, ensuring data accuracy and correcting errors, and handling objections and complaints 5.6 It destroys the Data once it is no longer required for the purpose for which it was collected; 5.7 It ensures all employees with access to the Data provide a written undertaking that they understand and will act in accordance with their responsibilities under the Data Protection Act, will not share passwords, and will protect the confidentiality of the data they access 5.8 It reports immediately to the HSCIC any security incidents relating to use of the supplied Data, and any instances of breach of any of the terms of this Contract. 5.9 It complies with any specific legislation in relation to the Data provided by the HSCIC e.g. Statistics and Registration Services Act It signs the Contract prior to the release of any Data by the HSCIC. 2 2 Agreement; a document that will outline the specific details of the customer request and data release conditions

29 SCHEDULE 8 Special Conditions

30 SCHEDULE 9 Data Sharing Agreement Background In line with the Data Controller s responsibilities outlined in Section 3 of the Data Sharing Contract (DSC) with the Health and Social Care Information Centre (HSCIC), all staff requiring access to identifiable data as part of their role which has been supplied under the DSC, must understand and abide by the restrictions on the use of this data as outlined in this Schedule to the DCA. It is expected that the Data Controller will ensure this summary is provided to all relevant staff. Data items to be received from the HSCIC Identifiable data items which may be accessed are: DOB NHS Number Hospital Provider Spell No. Patient Identifier Postcode Data can only be accessed for the years 2012/13 and 2013/14 to maintain essential business continuity Purpose of the data being shared by the HSCIC This agreement allows access to SUS data from all Commissioning Data Sets (CDS) types. This is a temporary measure designed to support business continuity. The analyses of the data by NHS Commissioners are to be used for: a. Auditing and monitoring patient care delivery checking for appropriate procedures against diagnoses by provider; checking lengths of stay by provider or by condition; checking appropriate pathways across providers; checking re-admission rates; checking levels of types of admissions; checking referral patterns by practice or by condition for normal/abnormal patterns. b. Effective pathways and use of resources and capacity - checking pathways by spells and linked events; supporting enabling and ensuring patient treatment within agreed time periods; monitoring referral to treatment both retrospectively and prospectively; monitoring costs and service level agreements (through PbR Mart and RTT analysis facilities). c. Support service redesign and modernisation:

31 i. To ensure that services are provided to patients in appropriate locations. ii. To provide learning and potentially predictions in likely patient pathways for certain conditions, in order to influence early interventions and other treatments for patients. iii. To provide analysis of outcome measures for differential treatments, accounting for the full patient pathway. d. Understanding health needs on geographic bases (e.g. health conditions, length of stay, link to deprivation) and improve targeting of interventions to geographic populations; understanding DNA (did not attend) rates by area; estimating service uptake between different populations or areas of residence or by deprivation indices. e. Enabling clinicians with legitimate relationships to identify and contact patients, for example those who would benefit from Active Case Management, thereby providing a more appropriate level of care to the patient. f. Supporting care service planning and commissioning (including Practice Based Commissioning and Payment by Results) and performance management, The organisations that will be involved in the data sharing The HSCIC will enable access to CDS data in SUS for the organisation. Onward disclosure of the data in identifiable format is only permitted where there is an appropriate lawful basis such as patient consent or s251 support to do so. The data can only be published where it has been de-identified in accordance with the published information standard on anonymisation for publication. Any disclosure of de-identified data where there is a risk of re-identification can only be undertaken with agreement from the HSCIC and under similar, appropriate terms and conditions that will protect privacy and confidentiality. Legal basis for sharing The Information Commissioner s Office (ICO) Data Sharing Code of Practice 3 highlights the need for each member of staff to be able to clearly explain the basis for data sharing. A DSC does not in itself provide any form of legal indemnity from action under the Data Protection Act (DPA) or other law. The legal basis for access by the organisation to CDS SUS data is s251 of the NHS Act 2006 and the Health Service (Control of Patient Information) Regulations 2002 which is provided on a temporary basis. The organisation becomes the Data Controller in common for personal (identifiable) data received from the HSCIC. As such the organisation is responsible for processing the data in accordance with the Data Protection Act 1998 and maintaining good information governance 3 on/detailed_specialist_guides/data_sharing_code_of_practice.ashx