Data Processing Agreement

Issue 3, June 2023

 

Definitions:

Candidate – person undergoing medical / testing

Confidential Information includes: information relating to business methods; corporate plans; finances; business opportunities and development projects of the Company; trade secrets including designs or inventions belonging to the Company; all or any information relating to the marketing or sales of any past, present or projected product or service of the Company; personal data or information that may lead to the identification of a natural person; all or any information relating to medical records, medical correspondence, drug & alcohol test results, information pertaining to the investigation of any DOA results and any other information in respect of which the Company owes an obligation of confidentiality to a third party under the Access to Medical Reports Act 1988 or applicable data protection legislation.

Data Processor / you / your – the company completing the document as named on page 1, including all associated personnel who may provide services or access data on our behalf

Data Controller / we / us / our – Express Medicals (EM)

Data subject – a natural person or living individual to whom personal data relates.

DOA – “drugs of abuse” / drug and alcohol test collected under chain of custody guidelines

Documentation – may include consent forms, medical questionnaires, chain of custody forms for DOA collections in paper or electronic format

Natural person – a living human being, as opposed to a juridical person created by law.

Services – any or all of the services you have specified you are able to provide to us as per page 1 of this Agreement.

SECTION A – ALL PROCESSORS

  1. The Data Processor will carry out the Services as required, in accordance with this Agreement.

  2. The Services will be supplied solely in accordance with these conditions. All other contractual terms which in any way add to, vary or contradict these conditions and upon which you may seek to rely or otherwise impose on us are excluded and do not form part of this Agreement (whether or not such other contractual terms post-date these conditions) unless we have specifically agreed in writing to be bound thereby.

  3. All requests for Services should be dealt with promptly.

  4. The Data Processor will not approach any client referred to you by the Data Controller to offer Services, either directly or via any other third party, for the duration of this agreement and for a period of 12 months thereafter without the express written consent of the Data Controller.

  5. The Data Processor must employ sufficient staff to ensure that the Services are provided at all times and in all respects in accordance with this Agreement. You must ensure that a sufficient reserve of staff is available to meet the Agreement during holidays or absences.

  6. In providing the Services you will use only such persons as are careful, skilled and experienced in the duties required of them.  You will ensure that every such person is properly and sufficiently qualified, trained and instructed and carries out the Services with regard to all relevant provisions of this Agreement and the requirements of the Health and Safety at Work Act 1974 and other relevant legislation and codes of practice.

  7. You will not provide the Services through any persons who we have advised you (in our absolute discretion) do not meet the above requirements.

  8. This Agreement may be terminated at any time by either party, by submission of one month’s written notice to the other party. Upon the expiration of the notice the Agreement shall terminate without prejudice to the rights of the parties accrued to the date of termination.

  9. If you do not provide the Services in accordance with this Agreement or are otherwise in breach we may:

    a. require you to remedy the default within such reasonable time as we may specify without further charge to us;

    b. provide, or procure the provision of, the Services ourselves until we are satisfied that you are able to carry out the Services in accordance with these conditions; or

  10. Provided you have performed the Services in accordance with the Agreement we will pay you within 30 days from the end of the calendar month following the invoice date.   We may deduct an agreed reasonable sum to compensate us for any breach.

  11. You will invoice us showing the date and services rendered, together with the agreed charging rates and any other details required as part of the Agreement.

  12. Any money due from you to us under any contract between us may be deducted from any payment to you.

  13. If we do not seek redress for breaches or insist on strict performance of any provision of this Agreement or exercise any right or remedy to which we are entitled under the Agreement such conduct will not constitute a waiver of such rights and shall not cause a diminution of your obligations under the Agreement.

  14. You will indemnify and hold us harmless from any claims, losses, or damages (including legal costs) resulting from any act or omission by you including your negligence or breach of statutory duty and will cooperate fully with us in the defence of any related claims against us by third parties.

  15. We may vary or add to the Agreement and no such variation or addition shall affect the continuation of this Agreement. We will give you written notice of any variation or addition. The notice will give details of the variation or addition and the date on which it is to take effect.

  16. You may not subcontract the whole or any part of the Services (including the benefit thereof) without our prior written consent.

  17. No third party shall acquire any benefit, claim or rights of any kind whatsoever pursuant to, under, by or through this Agreement.

  18. You agree to keep confidential all information disclosed by us or our clients to you during negotiations or otherwise in connection with the Agreement, and to use the Confidential Information only for the purposes of providing the Services.  You will not disclose the Confidential Information except in confidence and in connection with the performance of the Agreement, and ensure that all persons to whom the Confidential Information is disclosed are bound by obligations consistent with your obligations hereunder.  You will take all steps as are required by us to enforce such obligations against such persons.

  19. You agree to keep your equipment in good working order / calibrated to manufacturer’s specification where appropriate.

  20. You agree to keep your premises safe, presentable and in good repair.

  21. You will notify us promptly of any adverse event which will or may affect the continuity of provision of Services to us.

  22. You will notify EM of any changes to your working practices which may affect provision of the Services to EM or our clientele. This may include, but is not limited to: change of premises; significant changes to data processing systems or technology; significant changes to personnel.

  23. Where possible you will restrict essential maintenance e.g. IT updates, calibration etc. to outside core business hours, or make spare assets available so as not to disrupt the provision of the Services.

  24. You confirm that you will abide by all relevant legislation in the course of your duties, in particular statutes which relate to data protection, health and safety, the environment, bribery and modern slavery.

  25. In addition, and dependent on the scope of works supplied you may be required to supply copies of applicable policies, procedures, registrations etc. to verify compliance with legal, regulatory and contractual requirements.

  26. The Data Processor will apply appropriate protection to data at all times during processing and in transmission between the Data Processor and the Data Controller.

  27. In the event of any suspected or confirmed loss of data, or breach of applicable legislation involving our data, data subjects, processes or technologies you must notify us promptly with details of the volume and nature of data affected, and advise what action has been / will be taken in terms of containment or recovery.

  28. You agree to submit upon request a valid insurance certificate covering the scope of works outsourced to you.

  29. You agree to submit to an audit visit or remote review by a representative of EM if requested.

  30. You will not retain copies of any records processed on our behalf once we have acknowledged receipt and confirmed that all the information within is correct, except where a backup or archive is necessary as part of services provided.  This is in accordance with data protection legislation.

  31. If requested by EM you will destroy all Confidential Information and other data held on behalf of EM.

  32. If a candidate approaches you directly with a request to exercise their rights under Data Protection law, you must pass the request on to the Data Controller without delay.

    LIMITATION OF LIABILITY - YOUR ATTENTION IS PARTICULARLY DRAWN TO THIS CONDITION

  33. Except in the case of death or personal injury caused by negligence or fraudulent misrepresentation or in other circumstances where liability may not be so limited under any applicable law, our liability to you under or in connection with this Agreement, whether arising in contract, tort, negligence, breach of statutory duty or otherwise, will be limited to the monetary value of this Agreement (excluding variations) or £500, whichever is the lesser sum.

SECTION B – FOR PROVIDERS OF CLINICAL SERVICES ONLY (mark as N/A if not providing clinical services)

  • We will send referral case notes to you electronically via secure web link or other protected format.  You will be provided with a password to access the record.

  • We will provide subcontractors with our current testing protocols and relevant documentation, and will reissue these as and when they may be updated.

  • You will use documentation and protocols provided by EM when completing work on our behalf.

  • You will not cancel or rearrange appointments directly with the client and/or their delegate (i.e. all changes must be arranged via EM).

  • You should not give any draft preliminary medical report directly to the candidate or their employer.

  • You will return all referral case notes to EM promptly for review and final report, which we will then dispatch to the candidate and/or their employer as specified on the consent form.

  • Our preferred method of receiving completed referral case notes is via secure web link or other protected electronic format; however, if it is necessary to send these via post the envelope must be marked “Private and Confidential”.

  • Where DOA testing is required as part of the contract, you will send all samples to our approved laboratory and will not use any other lab or process any results.  We will provide kits and pre-addressed envelopes for this purpose.

  • You agree to provide data as requested by EM regarding health and safety at your premises.

    If a candidate approaches you directly with a request to exercise their rights under Data Protection law, you must pass the request on to the Data Controller without delay.