It is important that all data shared by the parties in the DPA is as accurate and up-to-date as possible. Organizations must make all reasonable efforts to ensure the accuracy of their data before disclosing it to third parties. The use of this template is not mandatory. Primary Care Networks is free to enter into various forms of data exchange and processing agreements at its sole discretion. If the model is used, it needs to be further developed among members of the Primary Care Network. Instructions are included at the end of the template. The start dates of the data sharing agreement (DPA) must ensure that there is no deviation from the end date of the previous agreement (if applicable). If the results or analyses are to be shared by organisations, this should be explained here, together with an explanation of why sharing these results is acceptable, necessary and proportionate (e.g.B the results are anonymous). DSAs can take various forms depending on the complexity and scope of data sharing.

They document a common set of rules, but are not identical to other documents, e.B a service level agreement or a data processing agreement. ODA needs to be reviewed regularly to ensure that it remains up-to-date and fit for purpose. Describe here how this is done and what circumstances may trigger a review (e.g.B changes in the law or a party who decides to leave the agreement). Whether or not your NCP goes through a limited liability company, common NCP collaboration activities such as hiring and sharing employees or providing certain local health services will inevitably result in the exchange of personal data. With a team of over 200 lawyers and national coverage, we are one of the leading law firms providing legal advice and support to the NHS and independent healthcare organisations. We work for over 100 NHS institutions and are involved in all national framework agreements – NHS SBS, NHS CPC, HealthTrust Europe, NHS Resolution, NHS Commercial Alliance and CCS. With a wider exchange of data across the network, the number of people with access to the data will inevitably increase, so it is important that this is recorded and properly managed in data mapping and PIA. List here the data elements that need to be processed under this DSA. Each element should be explained why it is necessary to share it in order to achieve the objectives listed in the DSA, unless these elements are listed in the DPIA for the project/programme (in which case you would only have to refer to the DPIA in this section). An essential part of the PIA will be the examination of the legal basis for the processing and the legal basis for the transfer of this personal data to other member firms and/or to a PCN corporate vehicle, as the transfer of personal data is a type of data processing. Clearly and concisely state the purpose of the information exchange and what it should achieve here. You can have as many goals as you need, but if those goals cover a variety of intentions, you can be better served by grouping the goals into similar topics (e.g., providing planning or research services) and have a separate DSA for each topic.

For individual support, it is usually not necessary to have a data exchange agreement. NHS England has usefully published a pro forma model data sharing agreement that can be concluded via NCPs. However, simply completing and signing this document is not enough to meet your obligations under the GDPR, as a properly formulated data exchange agreement is only one piece of the puzzle to ensure GDPR compliance. If your NCP uses a data processor (a computer/software company) to enable data sharing, who is responsible for managing the contractor? Who holds the contract and is it compliant with the requirements of the GDPR? Have you fulfilled the duty of care required by the data protection regulations towards the contractor (and all subcontractors)? Crown Commercial Services has published a useful notice containing standard contractual clauses for data processing agreements – see Appendix A. You must consider how personal data is transferred and stored securely and ensure that there are contractual safeguards in place between the personal data transfer practices that govern the data protection standards applicable to that data. The NHS Model Data Transfer Agreement is a good place to start, but needs to be tailored to the needs of your primary care network. The frequency of data exchange should also be specified here – Is it a single exchange or a regular exchange of data between organizations? If so, the frequency should also be determined here. Here are some tips on how to prepare for the arrival of the data sharing agreement template so that you can meet the June 30 deadline with your data exchange agreements: If you submit your application via DARS online under the DSA Details tab, you will be asked about the duration of your proposed contract – it will be either 12 months. 3 years or 5 years as described earlier in the presentation. You will also be asked to complete the start and end dates of your agreement.

You must also agree on the respective responsibilities between the practices related to handling complaints and requests for rights and the responsibilities of each practice in the event of a potential data breach. It is inevitable that NCP members will have different levels of existing data protection knowledge, experience and compliance in their own practices, which will affect the ease of implementation of these measures. Kathryn Heath is a Senior Partner in the IP, IT and Data Protection team. To discuss data protection, please send an email to Helen Wallwork is a partner and leader of our healthcare team. If you would like to discuss primary care networks, please email You can also call us on 01872 265100. NHS Digital has published a set of standards on how we evaluate applications for NHS Digital data. These are transparent and help you complete the appropriate section of your online data request.

If a breach occurs, you should document how it is handled by the parties involved. It is impossible to document the process for each type of breach here, but the main types should be covered here – an example is inappropriate or accidental disclosure or data loss. More information on reporting violations to the ICO can be found here. The DSA is only valid if it is signed by the appropriate persons authorized to do so by each organization. Their details and designation should be listed here. The level of the signatory must correspond to the profile of the data exchange (e.B. the more sensitive or complicated the objective, the higher the required signatory). Transparency is essential here and it is important that patients know how their data is processed and with whom it is shared and why. Jaspreet advises leading technology and healthcare companies on cutting-edge digital health topics. It focuses on the development and regulation of health technologies.

This also includes assessing how digital health solutions can comply with the legal framework for data protection, medical research and medical devices/pharmaceuticals. A processor is any organisation that processes personal data on behalf of a controller. These may be public and private sector organisations, but they may only act on written instructions from the controller. As an important first step, we recommend that you carry out a Data Protection Impact Assessment or PIA or DPIA for short. A PIA helps organizations identify and minimize risks to affected individuals when carrying out a new project or activity. The maximum duration of the contract between the expected date of signature and the end date of the agreement is as follows: The new Primary Care Network Agreement for RPNs stipulates that there must be an agreement on data exchange between member firms and all other organizations with which member firms wish to share patient data. An agreement to share model data is promised, but is still awaited. In the meantime, the clock is ticking at 30.

June for registration.. .