General Data Protection Regulation (GDPR)
Data Processing Statement between WellSky International Ltd (WellSky) and Healthcare Clients
Section 1: Definitions
Client Systems: Any systems provided by WellSky or necessary for the provision of the Support Services provided by WellSky
Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data.
Data Controller: The Healthcare Client; the party determining the means and purposes of processing the Personal Data.
Data Processor: WellSky; the party processing the Personal Data on behalf of the Healthcare Client.
GDPR: The General Data Protection Regulation (EU) 2016/679.
Healthcare Client: The client of WellSky for the purposes of this Statement.
Personal Data: Any personal data processed by WellSky on behalf of the Healthcare Client as defined in Section 3 of this Statement.
Specified Purpose: A list of purposes for which Personal Data can be processed by WellSky, as defined in Section 2 of this Statement.
Support Services: The services agreed between the parties to be provided by WellSky.
Section 2: Data Sharing Principles
- For the purposes of any data sharing between Healthcare Clients and WellSky, WellSky will be the Data Processor and the Healthcare Client will be the Data Controller. WellSky will also be a Data Processor for any data of Healthcare Clients that it receives on behalf of its Healthcare Clients.
- WellSky will only process Personal Data strictly on the instructions of the Healthcare Client and as necessary for a Specified Purpose, as agreed with the Healthcare Client.
- Any access to Personal Data on the Healthcare Client's Client Systems will only be granted to WellSky when required, as requested by the Healthcare Client for a Specified Purpose, as agreed with the Healthcare Client.
- Specified Purposes will include the maintenance of healthcare systems provided to the Healthcare Client by WellSky.
- The limitations of these purposes will be specified in advance as agreed with the Healthcare Client. WellSky will not process any personal data received from Healthcare Clients for any other purposes than those specified between WellSky and the Healthcare Client. WellSky will not be responsible for any Personal Data other than that specified in this Section 2 that is disclosed by the Healthcare Client to WellSky.
Section 3: Data Processing
- WellSky will have access to Client Systems via a remote desktop connection, which will include access to personal data stored on the Client Systems, only as requested by the Healthcare Client.
- Support Services Requests from the Healthcare Client will only be processed by WellSky if received from authorised personnel at the Healthcare Client.
- WellSky will never request to receive any specific personal data from Healthcare Clients. Any personal data, including the personal data of patients, that WellSky receives from its Healthcare Clients will only be received as provided by the Healthcare Client.
- WellSky will only process the following Personal Data as received from the Healthcare Client:
- Patient Data: limited to hospital ID numbers, patients' names, patients' dates of birth, patients' gender;
- Sensitive Patient Data: limited to patients' medical conditions, drugs prescribed to patients.
- The Healthcare Client will only provide WellSky with data that is necessary for its specified purposes as outlined in Section 2 above. WellSky and the Healthcare Client will agree on the data needed to be provided for these purposes on an ongoing basis.
- WellSky will inform the Healthcare Client, on request, of any Personal Data it is holding, storing and otherwise processing on behalf of the Healthcare Client.
Section 4: Data Security Measures
- WellSky will take all reasonable organisational and technical measures to ensure compliance with obligations under the GDPR to ensure the security of any data it receives from Healthcare Clients.
- It will be the responsibility of the Healthcare Client to anonymise any Personal Data before providing this data to WellSky for the purposes of IT Support.
- Where WellSky receives any Personal Data from the Healthcare Client, WellSky will reject the data and will not accept it until it is returned in an anonymised format.
- WellSky will grant access only to the minimum number of staff required for carrying out the request from the client.
- WellSky will notify Healthcare Clients within a reasonable amount of time if any Data Breach is detected or suspected to have occurred in relation to any Personal Data processed by WellSky.
Section 5: Data Deletion
- Any Personal Data that WellSky receives from Healthcare Clients will only be stored for the duration of the task carried out for the Healthcare Client. Following this, it will be deleted from all electronic databases and any physical storage locations operated by WellSky.
- WellSky will take all reasonable measures to ensure the timely destruction of any Personal Data received which is deemed unnecessary for its functions, as provided for in Section 2 above and as agreed with the Healthcare Client.
- The data deletion will include:
- Hard copy documents containing Personal Data will be properly shredded and disposed of, or returned to the Healthcare Client for destruction.
- Electronic files and emails containing Sensitive Personal Data will be deleted from email inboxes, computer hard drives, USB/flash drives, and external hard drives as soon as they are no longer needed for the relevant Support Services.
- Personal Data will only be stored by WellSky for longer periods if specifically requested by the Healthcare Client.