Data Processing Obligations

What is a Data Processing Deed?

The Data Processing Deed (DPD) forms part of the Digital First Online Consultation and Video Consultation and GPIT Futures contract suite. The DPD is the means by which processing of personal data is determined in order to meet UK General Data Protection Regulation (UK GDPR) Article 28 requirements. Data processing includes any third-party sub-processors used by a supplier in the provision of their solution, e.g. a US-based hosting solution.

Under the DPD, the GP practices are the beneficiaries as the data controllers. NHS Digital is the Catalogue Authority and is responsible for onboarding suppliers onto the buying catalogue and, as part of this process, provides a level of compliance review on each of the solutions. As the Catalogue Authority, NHS Digital is not a data controller for any of the data, and the GP practices remain accountable as data controllers where suppliers process personal data as processors of the GP practice.

What does this mean for you?

· The DPD prohibits the transfer and/or processing of personal data outside of the UK. This includes data that is merely stored in locations outside the UK, or in locations from which remote access to personal data is provided. The DPD does, however, allow for processing outside the UK if the supplier has been instructed to do so by the GP practice with which it has entered into a contract.

· A supplier will need to seek instruction from the GP practice regarding overseas transfer of data. The supplier will need to satisfy the practice that it complies with all the relevant UK GDPR requirements.

· As part of this, a supplier should complete a risk assessment to ensure that they are satisfied that the data subjects of the transferred data continue to have a level of protection essentially equivalent to that under the UK data protection regime.

· The supplier should use the Information Commissioner’s Office (ICO) checklist to ensure that all transfers comply with UK GDPR.

· Evidence of this risk assessment, a completed checklist and, if necessary, standard contractual clauses should provide a level of certainty to the GP practices around how data is being processed.

Your role as a buyer

· Some suppliers will be contacting GP practices directly to discuss this issue.

· Ensure that you are comfortable with where the supplier you have entered into a contract with is processing data, and that they have provided adequate assurance that the data transfers comply with UK GDPR.

Learn more

· The Information Commissioner’s Office (ICO) has helpful guidance on international data transfers, including standard contractual clauses (SCCs), which can be found here

· ICO explanations about personal data, data controllers and data processors can be found here

· Further information on processing data overseas can be found in sections 2.5.16 and 2.5.17 of the Deed of Processing (document 0.2) here