Primary Care Networks – Template Data Sharing Agreement
As part of the Primary Care Network (“PCN”) suite of documentation, NHS England and GPC England have now issued a template Data Sharing Agreement (“Agreement”) and associated guidance: you can view the guidance by clicking here.
The Agreement is merely a suggested template and is not mandatory. Unfortunately, one size does not fit all when it comes to PCN arrangements. Whilst it is helpful to have a template document so that PCNs do not have to each develop their own agreement, as stated in the guidance, the template is not a substitute for legal advice. There are certain legal issues that members of a PCN will need to address prior to finalising and signing their data sharing agreement including the following:
- Joint Data Controllers or Data Controller and Data Processor? – the Agreement assumes that the PCN members are joint data controllers but what if this is not the case? Depending on the members of the PCN or how the Directed Enhanced Service (“DES”) is being provided by its members, the relationship between all members may not be one of joint data controllers for all purposes. Where any controller and processor relationships exist, additional drafting will be required to comply with the requirements of the General Data Protection Regulation (2016/679) (“GDPR”). The Information Commissioner’s Office (“ICO”) has some useful guidance on the difference between data controllers and data processors to assist members in their determination of the relationship between the parties.
- Appointment of Third Party Processors – where a member is acting as a data controller and is appointing any third party to process Personal Data on its behalf, GDPR requires there to be a written contract in place between the data controller and processor and prescribes certain provisions which are required to be in the contract. The onus is on the member (as data controller) to ensure that an appropriate contract is in place. The Agreement places an additional obligation on each member to ensure this compliance. The ICO has also published a useful controller and processor contracts checklist which can assist you in ensuring that any such contracts are compliant.
- Privacy Notices – it is also important that each member reviews its privacy notice to ensure it continues to comply with GDPR following creation of the PCN. The Agreement places an additional obligation on each member to ensure that this is done.
- Accession of a new party, voluntary exit and expulsion – headings have been included for these clauses in the Agreement but no drafting is provided as this will depend on the specifics of each PCN. The Network Agreement should already deal with these issues and it is important that these two documents work together so that where any party joins or leaves the PCN, they are also added to or removed from the Agreement. The process for doing so will depend on the mechanism agreed between the members of the PCN.
- Documenting the sharing of Personal Data – Schedule 1 to the Agreement provides for various information in relation to the sharing of Personal Data to be included in the Agreement. This includes matters such as the legal basis for processing Personal Data. Although you are required to document the legal basis for processing Personal Data as well as the separate condition for processing special category data (which includes medical records), you do not have to do so in a legally binding contract. The PCN may wish to consider documenting some of the information to be provided in Schedule 1 in a different way.
- Liability and Indemnity – there is no indemnity included in the Agreement and members are advised to take independent legal advice in relation to any liability and indemnity provisions required. This will to some extent depend on what (if any) liability and indemnity provisions have been agreed in the Network Agreement but given the potential fines associated with a serious data breach, members should consider having appropriate provisions and protections in the Agreement.
- Transfers outside the UK/EU – on current drafting, you will be required to seek written consent from other members before transferring personal data outside the EU. This applies whether we are “in” or “out” of the EU. It doesn’t, however, make any provision for the mechanisms for transferring data even with consent from other members. Data protection laws are prescriptive about what must be done to enable a transfer across borders and this should be detailed in the Agreement if such transfers are to be a feature of your processing activities.
If you would like to discuss further the legal issues arising from the template Data Sharing Agreement, please do not hesitate to contact Louise Weatherhead or another member of the Healthcare Team at Sintons LLP.