General Data Protection Regulation GDPR
Data Processing Statement between JAC Computer Services Ltd (JAC) and Healthcare Clients
Section 1: Definitions
Client Systems: Any systems provided by JAC or necessary for the provision of the Support Services provided by JAC
Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data.
Data Controller: The Healthcare Client; the party determining the purposes and means of processing the Personal Data.
Data Processor: JAC; the party processing the Personal Data on behalf of the Healthcare Client.
GDPR: The General Data Protection Regulation (EU) 2016/679.
Healthcare Client: The client of JAC for the purposes of this Statement.
Personal Data: Any personal data processed by JAC on behalf of the Healthcare Client as defined in Section 3 of this Statement.
Specified Purpose: A list of purposes for which Personal Data can be processed by JAC, as defined in Section 2 of this Statement.
Support Services: The services agreed between the parties to be provided by JAC.
Section 2: Data Sharing Principles
- For the purposes of any data sharing between Healthcare Clients and JAC, JAC will be the Data Processor and the Healthcare Client will be the Data Controller. JAC will also be a Data Processor for any data of Healthcare Clients that it receives on behalf of its Healthcare Clients.
- JAC will only process Personal Data strictly on the instructions of the Healthcare Client and as necessary for a Specified Purpose, as agreed with the Healthcare Client.
- Access to Personal Data held on the Healthcare Client's Systems will only be granted to JAC when required, as requested by the Healthcare Client for a Specified Purpose and as agreed with the Healthcare Client.
- Specified Purposes will include the maintenance of healthcare systems provided to the Healthcare Client by JAC.
- The limitations of these purposes will be specified in advance as agreed with the Healthcare Client. JAC will not process any personal data received from Healthcare Clients for any other purposes than those specified between JAC and the Healthcare Client. JAC will not be responsible for any Personal Data other than that specified in this Section 2 that is disclosed by the Healthcare Client to JAC.
Section 3: Data Processing
- JAC will have access to Client Systems via a remote desktop connection, which will include access to personal data stored on the Client Systems, only as requested by the Healthcare Client.
- Support Services Requests from the Healthcare Client will only be processed by JAC if received from authorised personnel at the Healthcare Client.
- JAC will never request to receive any specific personal data from Healthcare Clients. Any personal data, including the personal data of patients, that JAC receives from its Healthcare Clients will only be received as provided by the Healthcare Client.
- JAC will only process the following Personal Data as received from the Healthcare Client:
- Patient Data – Limited to hospital ID numbers, patients’ names, patients’ dates of birth, patients’ gender;
- Sensitive Patient Data – Limited to patients’ medical conditions, drugs prescribed to patients
- The Healthcare Client will only provide JAC with data that is necessary for its specified purposes as outlined in Section 2 above. JAC and the Healthcare Client will agree on the data needed to be provided for these purposes on an ongoing basis.
- JAC will inform the Healthcare Client, on request, of any Personal Data it is holding, storing and otherwise processing on behalf of the Healthcare Client.
Section 4: Data Security Measures
- JAC will take all reasonable organisational and technical measures, in accordance with its obligations under the GDPR, to ensure the security of any data it receives from Healthcare Clients.
- It will be the responsibility of the Healthcare Client to anonymise any Personal Data before providing it to JAC for the purposes of IT Support.
- Where JAC receives from the Healthcare Client any Personal Data that has not been anonymised, JAC will reject the data and will not accept it until it is returned in an anonymised format.
- JAC will grant access only to the minimum number of staff required for carrying out the request from the client.
- JAC will notify the Healthcare Client without undue delay, as required of a Data Processor under Article 33(2) GDPR, if any Data Breach is detected or suspected to have occurred in relation to any Personal Data processed by JAC.
Section 5: Data Deletion
- Any Personal Data that JAC receives from Healthcare Clients will only be stored for the duration of the task carried out for the Healthcare Client. Following this, it will be deleted from all electronic databases and any physical storage locations operated by JAC.
- JAC will take all reasonable measures to ensure the timely destruction of any Personal Data received which is deemed unnecessary for its functions, as provided for in Section 2 above and as agreed with the Healthcare Client.
- The data deletion will include:
- Hard copy documents containing Personal Data will be properly shredded and disposed of, or returned to the Healthcare Client for destruction.
- Electronic files and emails containing Personal Data, including Sensitive Patient Data, will be deleted from email inboxes, computer hard drives, USB/flash drives, and external hard drives as soon as they are no longer needed for the relevant Support Services.
- Personal Data will only be stored by JAC for longer periods if specifically requested by the Healthcare Client.