Data protection addendum for individual clinician and clinic users

Last updated: 2nd September 2021

Data processing addendum for users of Concentric’s ‘Individual’ and ‘Clinic’ tiers.

The terms within this data protection addendum (“DPA”) are effective immediately and your continued use our services constitutes your acceptance of these terms and the linked Terms of Service. Previous versions of our data protection addendum are available on request.

If you have a separate data processing agreement with Concentric, the terms within this data protection addendum will not apply to you (e.g. use by a large healthcare organisation).

This DPA supplements the Terms of Service.

Definitions

  • The terms “you”, “your”, or “Customer” refer to you. If you are creating an account in order to use the Services on behalf of an organization, then you are agreeing to these terms for that organization and promising to us that you have the authority to bind that organization to these terms (and, in which case, the terms “you”, “your”, or “Customer” refer to that organization).

  • The terms “we”, “us,” “our”, “Concentric” or “Concentric Health” refer to Concentric Health Ltd, a company registered in England and Wales, with the registered address Concentric Health, Sbarc Spark, Maindy Road, Cardiff, CF24 4HQ, and the registered number 10733991.

  • “Terms of Service” means the terms entered between us and you, setting out the terms for the Services to be provided by us. These are available here.

  • “Applicable Data Protection Law” refers to all laws and regulations applicable to our processing of personal data under the Terms of Service including, without limitation, the General Data Protection Regulation (EU 2016/679) (“GDPR”).

  • “controller”, “processor”, “data subject”, “personal data”, and “processing” (and “process”) have the meanings given in accordance with Applicable Data Protection Law.

  • “Data Subject” means an individual who is the subject of personal data.

  • “Personal Data” means data which relate to a living individual who can be identified from that data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller or data processor.

  • “Security Incident” means a confirmed or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.

  • When we refer to the “Services” in this DPA, we mean all products and services provided by us that are used by you.

Any capitalized term used but not defined in this DPA has the meaning provided to it in the Terms of Service.

Changes to these terms

We may update this DPA from time to time. We will provide you with notice of any material updates at least thirty (30) days in advance of the effective date.

Notices for material updates to this DPA will be given in accordance with the Notices section of the Terms of Service. Except as otherwise specified by us, updates will be effective and binding upon the date indicated at the top of this DPA. The updated version of this DPA will supersede all prior versions.

Following such notice, your continued use of the Services on or after the date the updated version of the DPA is effective is binding and constitutes your acceptance of such updated terms. If you do not agree to the updated version of the DPA, you must stop using the Services immediately.

Controller and processor

The parties acknowledge and agree that with regard to the processing of Personal Data, we are a processor and you are a data controller.

We will process Personal Data in order to provide the Services in accordance with the Terms of Service and in accordance with your instructions as outlined in Controller’s instructions. This DPA further specifies the duration of the processing, the nature and purpose of the processing, and the types of personal data and categories of data subjects.

You are responsible for ensuring that you are complying with Applicable Data Protection Law in your use of the Services and have the right to transfer, or provide access to, the Personal Data to us for processing in accordance with the terms of the Terms of Service and this DPA.

You acknowledge that we are not responsible for determining which laws are applicable to your business nor whether our provision of the Services meets or will meet the requirements of such laws. You will ensure that our processing of Personal Data, when done in accordance with the Controller’s instructions, will not cause us to violate any applicable law, regulation, or rule, including Applicable Data Protection Law. You are responsible for ensuring that our processing is in line with your functions as a data controller (e.g under Art.6(1)(b) and Art.9(2)(h) of the GDPR).

You will inform us if you become aware, or reasonably believe, that your data processing instructions violate any applicable law, regulation, or rule, including Applicable Data Protection Law.

Controller’s instructions

You appoint us as a processor to process Patient Data on your behalf as stated in this DPA, the Terms of Service, and as otherwise necessary to provide the Services and as necessary to comply with applicable law.

We are to retain full records of consent episodes for 25 years, as per best practice for medical records, and convert to stub records - including the patient name, procedure, responsible clinician, and consent form PDF - at 25 years.

Confidentiality

In the event that any request, correspondence, enquiry or complaint from a data subject, regulatory authority, or third party is made directly to us in connection with our processing of Patient Data, we will promptly inform you and provide details of the same, to the extent legally permitted. Unless legally obligated to do so, we will not respond to any such request, inquiry, or complaint without your prior consent.

We will ensure that any person we authorize to process Patient Data has agreed to protect the data in accordance with our confidentiality obligations under the Terms of Service.

Sub-processing

You agree that we may use sub-processors to fulfil our contractual obligations under the Terms of Service.

Where we authorize any sub-processor, we agree to impose data protection terms on the sub-processor that require it to protect the Personal Data to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.

You provide a general consent for us to engage onward sub-processors, conditional on the following requirements:

  • Any onward sub-processor must agree to only process data in a country that the European Commission has declared to have an “adequate” level of protection.
  • We will restrict the onward sub-processor’s access to personal data only to what is strictly necessary to provide the Services, and will prohibit the sub-processor from processing the personal data for any other purpose.

The sub-processors used by Concentric Health in the delivery of the services are:

  • Google Cloud Platform for the provision of cloud hosting.
  • Postmark for the provision of sending patient and clinician emails.
  • Twilio for the provision of sending patient SMS messages.

We will remain liable for any breach of this DPA that is caused by an act, error or omission of our sub-processors.

Data subject rights

Upon your request and at no additional cost, we will provide reasonable and timely assistance to assist you in complying with your data protection obligations with respect to data subject rights under Applicable Data Protection Law.

Security and audits

We have implemented and will maintain the technical and organizational measures set out in the technical information to protect personal data from a Security Incident.

We will, to the extent permitted by applicable law, notify you by email without undue delay, but in no event later than seventy-two (72) hours after, our confirmation or reasonable suspicion of a Security Incident impacting Personal Data of which we are a processor.

We will make reasonable efforts to identify and, to the extent such Security Incident is caused by a violation of the requirements of this DPA by us, remediate the cause of such Security Incident. We will provide reasonable assistance to you in the event that you are required under Applicable Data Protection Law to notify a regulatory authority or any data subjects of a Security Incident.

We acknowledge that you must be able to assess our compliance obligations under Applicable Data Protection Law and this DPA. We use external auditors to verify the adequacy of its security measures (i.e penetration testing and compliance with Cyber Essentials Plus) with respect to our processing of Personal Data. Such audits are performed at least once annually at our expense by independent third party security professionals at our selection and result in the generation of confidential audit reports, summaries of which are available on request.

Details of processing

We will process personal data as necessary to provide the Services under the Terms of Service. We will not sell or share Personal Data with third parties for compensation or for those third parties’ own business interests.

For the duration that the Services are provided to you, we will process stored Patient Data as per the Controller’s instructions.

Types of Personal Data processed as part of providing the Services:

  • Patient: title, given name, family name, date of birth, gender, identification number(s), and contact details (email address and/or phone number).
  • Clinician: title, given name, family name, email address, and job title.
  • Special Category Data: treatment name, named responsible clinician and clinicians who have modified the consent episode, other treatments discussed, indication for treatment, purpose of treatment, risks of treatment, clinician notes, and external resources shared.

Data access post-termination are covered within the Terms of Service here.

Jurisdiction specific terms

United Kingdom (UK)

  • A Google Cloud Platform server situated in the UK is used for all UK based Customers.
  • References in this DPA to “GDPR”, for customers within the United Kingdom (UK) should be deemed to be references to the corresponding laws of the UK (including the UK GDPR and Data Protection Act 2018)

Republic of Ireland (RoI)

  • A Google Cloud Platform server situated in the UK is used for all RoI based Customers.
  • The definition of “Applicable Data Protection Law” includes the Data Protection Act 2018.

Australia

  • A Google Cloud Platform server situated in Australia is used for all Australia based Customers.
  • The definition of “Applicable Data Protection Law” includes the Australian Privacy Principles and the Australian Privacy Act (1988).
  • The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law.
  • The definition of “Sensitive Data” includes “Sensitive Information” as defined under Applicable Data Protection Law.

Further reading

Terms of Service for individual clinician and clinic users

Our terms of Service for users of Concentric's individual and clinic tiers.

Read

Data processing

Details regarding what data is processed by Concentric, the legal basis for processing, third party processors, and how user rights are met.

Read