Nhs England Data Processing Agreement

One example could be that two hospitals decide to aggregate patient data on asthmatics to understand local needs and care in the area. A DSA would be suitable for this type of release. When dealing with specific category data, you must determine both a legal basis for processing (Article 6 as mentioned above) and a specific condition for processing in accordance with Article 9. You should document both your legal treatment base and your particular category condition, so that you can demonstrate your compliance and liability. The ASD must be regularly audited to ensure that it remains up-to-date and relevant. Please explain here how this is concluded and what are the circumstances that may trigger a review (for example. B amendment of the law or any party that decides to withdraw from the agreement). Please indicate the ten processing conditions under section 9 to process personal data in the special category. Information about a person`s health is categorized as a particular category and, in order to divide it as part of the DSA, you must identify a condition within the meaning of Article 9. Typically, this is 9 2 (h) for health care, but controllers must be listed in this DSA to identify this condition for themselves, depending on the purpose of release. This section describes the organizations that entered into the agreement.

All parts must be listed here. It does not include organizations that process data on behalf of the parties mentioned in this section. If there are many controllers that will cover this DSA, you can fill in an attachment. Please indicate the six section 6 processing conditions that you intend to process personal data. Note that you cannot rely on the condition of legitimate interests if you are an authority that processes data to accomplish your official tasks. (d) Vital interests: treatment is necessary to protect a person`s life. (f) Legitimate interests: Treatment is necessary for your legitimate interests or for the legitimate interests of third parties, unless there is a valid reason to protect the personal data of the individual who ignores these legitimate interests.