Total Billing Solutions Limited trading as Enhanced Technology

DATA PROCESSING AGREEMENT IN RELATION TO GP PROFIT RECOVERY

 

IMPORTANT INFORMATION AND WHO WE ARE

 

This Data Processing Agreement applies to our GP Profit Recovery service line. It is issued on behalf of Total Billing Solutions Limited, trading as Enhanced Technology (“Enhanced Technology”). Total Billing Solutions Limited is a limited liability company registered in Jersey with company number 95710 and having its registered office at Notre Reve, La Route De Noirmont, St. Brelade, JE3 8AJ, Jersey. We will be referred to as “Enhanced Technology”, “we”, “us” or “our” in this Privacy Policy.

 

Enhanced Technology respects privacy and is committed to protecting the personal data you control. This Data Processing Agreement will inform you how we look after personal data (including personal data in respect of individuals who are clients, suppliers, customers of our clients or other third parties or any individual connected to those parties) where you provide personal data when you sign up to our service. 

 

If you use another service such as GP Billing, Medibooks or ITrackIT/IStoreIT, the way we handle and use data will differ so please refer to the appropriate Data Processing Agreement  for that service line.

 

Should you have any questions on the content of this Data Processing Agreement or how we use your data, please contact our Data Protection Officer by email on: support@enhancedtechnology.co.uk.

 

CHANGES TO THE DATA PROCESSING AGREEMENT AND YOUR DUTY TO INFORM US OF CHANGES

 

This version of our Data Processing Agreement was updated in February 2024. Historic versions can be obtained by contacting us.  We may update our Data Processing Agreement from time to time.  The latest version of our Data Processing Agreement will be made available on our website (or is available on request) and it is your responsibility to regularly check for updates.

 

DATA PROCESSING AGREEMENT 


THIS AGREEMENT is made on BETWEEN:


Practice and Processor ENHANCED TECHNOLOGY

(with each a "Party" and both the "Parties"). 


BACKGROUND:

The Parties are party to the service delivered by Enhanced Technology.

The Processor is required to Process the Processor Shared Personal Data on behalf of the Practice.

This Agreement effects the appointment of the Processor and sets out the terms and conditions that shall apply to its Processing of the Processor Shared Personal Data.


NOW IT IS HEREBY AGREED as follows:


1.DEFINITIONS AND INTERPRETATION
1.1In this Agreement unless the context otherwise requires the following words and expressions shall have the following meanings:

“Commencement Date”

The date specified on the contract.

"Controller"

has the meaning given to it in the GDPR;

“Data Protection Impact Assessment”

means an assessment by the Practice, for the purposes of Article 35 of the GDPR, of the impact of certain envisaged Processing of the Processor Shared Personal Data;


"Data Protection Legislation"

means all applicable data protection and privacy legislation in force from time to time in the UK including but not limited to the GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any guidance or codes of practice issued by any Supervisory Authority from time to time;

"Data Subject"

has the meaning given to it in the GDPR;

“Data Subject Access Request”

a request made by, or on behalf of, a Data Subject in accordance with the Data Subject’s rights under the Data Protection Legislation to access their Personal Data;

"GDPR"

General Data Protection Regulation (Regulation (EU) 2016/679);

“International Organisation”

has the meaning given to it in the GDPR;

“Law”

means any law, subordinate legislation within the meaning of Section 21(1) of the Interpretation Act 1978, enforceable right within the meaning of Section 2 of the European Communities Act 1972, regulation, order, mandatory guidance or code of practice, judgment of a relevant court of law, or directives or requirements with which the Processor is bound to comply;

“Personal Data”

has the meaning given to it in the GDPR;

“Personal Data Breach”

has the meaning given to it in the GDPR and includes also any breach of Article 5(1)(f) (the integrity and confidentiality principle) of GDPR;

"Processing"

has the meaning given to it in the GDPR, and the terms “Process” and “Processed” shall be construed accordingly;

“Processor”

has the meaning given to it in the GDPR;

“Processor Shared Personal Data”

means such item(s) forming part of the Shared Personal Data as are more particularly specified in Annex 1 of this Agreement;

“Processor Personnel”

means all directors, officers, employees, agents, consultants and contractors of the Processor and/or of any Sub-Processor engaged in the performance of its obligations under this Agreement;

“Shared Personal Data”

means the Personal Data to be shared;

“Sub-Processor”

means any third party appointed to Process the Processor Shared Personal Data on behalf of the Processor;

“Third Country”

means any country other than the UK [, a European Union Member State or a member of the European Economic Area at the time of transfer of the Processor Shared Personal Data]; and

“Supervisory Authority”

has the meaning given to it in the GDPR.

1.2Clause, Annex and paragraph headings shall not affect the interpretation of this Agreement.
1.3The Annexes form part of this Agreement and shall have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Annexes.

1.4Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.
1.5A reference to a person shall include any company, corporation or other body corporate, wherever and however incorporated or established.

1.6A reference to a statute or statutory provision shall include all subordinate legislation made from time to time under that statute or statutory provision, and such statute, statutory provision and subordinate legislation as amended, updated or re-enacted from time to time during the Term.

1.7References to clauses and annexes are to the clauses and annexes of this Agreement and references to paragraphs are to paragraphs of the relevant Annex.

1.8Any words following the terms “including”, “include”, “in particular”, “for example” or any similar phrase shall be construed as illustrative and shall not limit the generality of the related general words.

1.9In the case of any ambiguity between any provision contained in the main body of this Agreement and any provision contained in the Annexes, the provision in the main body of this Agreement shall take precedence.
1.10A reference to writing or written excludes fax but includes email. 

2.COMMENCEMENT AND DURATION

2.1This Agreement shall commence on the Commencement Date and continue in force until one of the following events occurs:
2.1.1The Practice terminates the appointment of the Processor by giving not less than one (1) month’s prior notice to the Processor,

at which point this Agreement shall terminate with immediate effect.
2.2On the expiry or termination of this Agreement, the Processor shall cease to Process the Processor Shared Personal Data.

3.DATA PROCESSING
3.1For the purposes of the Data Protection Legislation, the Practice is the Controller and hereby appoints the Processor as its Processor, on the basis that the only Processing that the Processor is authorised to do is the Processing described in Annex 1.
3.2The Processor shall notify the Practice immediately if it considers that any of the Practice's instructions does not comply with the Data Protection Legislation and/or with Law. If the Processor acts on the Practice’s instructions without giving any such notification, the Processor shall be deemed to have evaluated such instructions and concluded that they comply with the Data Protection Legislation and with Law.
3.3If the Processing to be carried on by the Processor is to any extent subject to Article 35 and/or Article 36 of GDPR, the Processor shall provide reasonable assistance to the Practice in the preparation of the Data Protection Impact Assessment prior to commencing any Processing. Such assistance may, at the discretion of the Practice, include:
3.3.1a systematic description of the envisaged Processing operations and the purpose of the Processing;
3.3.2an assessment of the necessity and proportionality of the Processing operations;
3.3.3an assessment of the risks that the Processing shall pose to the rights and freedoms of Data Subjects; and
3.3.4the measures proposed or envisaged to address such risks, including appropriate technical and organisational measures to ensure the protection of the Processor Shared Personal Data.

3.4The Processor shall, in relation to any Processor Shared Personal Data Processed by it:
3.4.1Process that Processor Shared Personal Data only in accordance with Annex 1 and in accordance with the Practice’s written instructions (including with respect to transfers of Personal Data to a Third Country or International Organisation), unless the Processor is required to do otherwise by Law (and if so required by Law the Processor shall promptly notify the Practice before Processing the Processor Shared Personal Data unless prohibited by Law);

3.4.2keep the Processor Shared Personal Data confidential and not disclose it to any third party without the prior written consent of the Practice;
3.4.3take appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by such Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Processor Shared Personal Data, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects, including as appropriate:

3.4.3.1the pseudonymisation and encryption of the Processor Shared Personal Data;
3.4.3.2the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;

3.4.3.3the ability to restore the availability and access to the Processor Shared Personal Data in a timely manner in the event of a physical or technical incident; and
3.4.3.4a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing;

3.4.4ensure that:
3.4.4.1the Processor Personnel do not Process any Processor Shared Personal Data except in accordance with this Agreement (and in particular Annex 1);
3.4.4.2it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Processor Shared Personal Data and ensure that they:
3.4.4.2.1are aware of and comply with the Processor’s duties under this Clause 3; 
3.4.4.2.2are subject to appropriate confidentiality undertakings that are enforceable by the Processor and/or are under an appropriate statutory obligation of confidentiality;
3.4.4.2.3are informed of the confidential nature of the Processor Shared Personal Data and do not publish, disclose or divulge any of the Processor Shared Personal Data to any third party unless directed in writing to do so by the Practice or as otherwise permitted by this Agreement; and
3.4.4.2.4have undergone adequate training in the use, care, protection and handling of Personal Data;
3.4.5not transfer the Processor Shared Personal Data outside of the EU (for so long as the United Kingdom remains a member of the EU) or outside of the United Kingdom (if the United Kingdom ceases to be a member of the EU), or to any International Organisation unless the prior written consent of the Practice has been obtained and the following conditions are fulfilled:
3.4.5.1the Processor has, prior to such transfer, established, or procured the establishment of, appropriate safeguards in relation to the transfer of the Processor Shared Personal Data;
3.4.5.2each Data Subject whose Personal Data is transferred has enforceable rights and effective legal remedies which are enforceable against the Processor, and the Processor has ensured prior to any such transfer that such rights and remedies are available; and
3.4.5.3the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection for all Processor Shared Personal Data that is transferred (or procures that such protection is provided); and
3.4.5.4the Processor complies with all reasonable instructions notified to it in advance of such transfer by the Practice with respect to such transfer.
3.5Subject to Clause 3.6, the Processor shall notify the Practice immediately if it:
3.5.1receives any Data Subject Access Request (or purported Data Subject Access Request);
3.5.2receives any request to rectify, block or erase any Processor Shared Personal Data;
3.5.3receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
3.5.4receives any communication from any Supervisory Authority or any other regulatory authority in connection with Processor Shared Personal Data;
3.5.5receives a request from any third party for disclosure of Processor Shared Personal Data where compliance with such request is required by Law; or
3.5.6becomes aware of any Personal Data Breach (and such notification shall be made not later than twenty-four (24) hours following the Processor becoming aware of each Personal Data Breach).
3.6The Processor’s obligation to notify the Practice under Clause 3.5 shall include an obligation to provide information in accordance with Clause 3.7, and an obligation to provide further information to the Practice in phases, as further details become available.
3.7The Processor shall assist and co-operate with the Practice in relation to the Practice’s compliance with its obligations under Data Protection Legislation (including each complaint, communication or request made under Clause 3.5 as well as any other complaint, communication or request relating to any Processor Shared Personal Data), and shall do so within the timescales reasonably required by the Practice. In particular the Processor shall promptly provide the Practice with:

3.7.1full details and copies of each complaint, communication or request received by the Processor (or received by the Practice and relating to any Processor Shared Personal Data);
3.7.2such assistance as is reasonably requested by the Practice to enable the Practice to comply with each Data Subject Access Request within the relevant timescales specified in or under the Data Protection Legislation;

3.7.3copies of any Processor Shared Personal Data specified by the Practice, and details of the Processing of such Processor Shared Personal Data by or on behalf of the Processor;
3.7.4assistance as requested by the Practice in relation to any Personal Data Breach;

3.7.5assistance to ensure that Processing of Processor Shared Personal Data by or on behalf of the Processor complies with any exercise by any relevant Data Subject of any of his or her rights under Data Protection Legislation, including to ensure that the Processor Shared Personal Data relating to such Data Subject is (for example) deleted and/or rectified and/or made subject to restrictions in accordance with such exercise of such rights; and

3.7.6assistance as requested by the Practice with respect to any request from a Supervisory Authority, or any consultation by the Practice with a Supervisory Authority.
3.8The Processor shall maintain complete and accurate records and information of the Processing it carries out in connection with this Agreement, which shall contain as a minimum:

3.8.1its details, the Practice’s details and the details of the Processor’s data protection officer (if applicable) or, if the Processor is not subject to a mandatory requirement under Data Protection Legislation to appoint such an officer, the details of the person who has overall responsibility for the Processor’s compliance with the Data Protection Legislation;

3.8.2the categories of Processing of the Processor Shared Personal Data that are carried out by or on behalf of the Processor;
3.8.3the details of any transfers to any Third Countries, where applicable, and the safeguards in place for each such transfer; and

3.8.4accurate records of the technical and organisational measures that the Processor has in place in accordance with clause 3.4.3.
3.9The Processor shall allow for and contribute to audits of its Processing activities (including the records maintained under clause 3.8) by the Practice or the Controller’s designated auditor.

3.10Each Party shall designate its own data protection officer if required by the Data Protection Legislation or (if not so required) shall designate one of its senior managers as being responsible for overseeing and managing the Party’s compliance with Data Protection Legislation.

3.11Before allowing any Sub-Processor to Process any Processor Shared Personal Data, the Processor must:
3.11.1notify the Practice in writing of the intended Sub-Processor and Processing;
3.11.2obtain the written consent of the Practice to the Processor appointing or using the proposed Sub-Processor to Process certain Processor Shared Personal Data;

3.11.3enter into a written agreement with the Sub-Processor which appoints the Sub-Processor on terms and conditions that comply with Data Protection Legislation and are no less onerous on the Sub-Processor, and no less protective of the Processor Shared Personal Data and of Data Subjects, than the provisions of this Agreement; and

3.11.4provide the Practice with such information regarding the proposed Sub-Processor as the Practice may reasonably require.
3.12If any authorisation is given under clause 3.11.2, the Processor shall not make any changes concerning the addition or replacement of other Processors without first obtaining the Practice’s written consent to such changes.

3.13The Processor shall remain fully responsible for, and liable in respect of, all acts or omissions of its Sub-Processors.
3.14The Practice may, at any time on not less than thirty (30) days’ notice, amend this Clause 3 by replacing it with any applicable Controller to Processor standard clauses.

3.15In the event of a notification under clause 3.5.6, the Practice shall at its sole discretion determine whether to provide notification to the Data Subject, any third party or Supervisory Authority, and the Processor shall not notify the Data Subject, any third party or Supervisory Authority unless such disclosure is required by Law or is otherwise approved by the Practice.

3.16At the Practice’s request (and in any event within three (3) days of each such request) the Processor shall make available to the Practice all information necessary to demonstrate the Processor’s compliance with its obligations under this clause 3, including the records referred to in clause 3.8.

3.17At the written direction of the Practice given at any time (whether during the continuance of this Agreement, on the termination or expiry of this Agreement, or at any time after its termination or expiry), the Processor shall promptly (and in any event within three (3) days) return to the Practice and, if and when the Practice specifies, delete, the Processor Shared Personal Data or any part of it that is specified by the Practice (together with all copies of such Processor Shared Personal Data), unless the Processor is required by Law to retain the Processor Shared Personal Data.
3.18Nothing in this clause 3 shall relieve the Processor of its own direct responsibilities and liabilities under the Data Protection Legislation, where applicable.

3.19The Parties agree to take account of any guidance issued by the Information Commissioner. The Practice may on not less than thirty (30) days’ notice to the Processor amend this Agreement to ensure that it complies with any guidance issued by the Information Commissioner.

4.DISPUTE RESOLUTION
4.1The parties shall attempt to resolve any dispute arising out of or relating to this contract through negotiations between senior executives of the parties, who have authority to settle the same. If the matter is not resolved by negotiation within 30 days of receipt of a written 'invitation to negotiate', the parties will attempt to resolve the dispute in good faith through an agreed Alternative Dispute Resolution (ADR) procedure, or in default of agreement, through an ADR procedure as recommended to the parties by the President or the Vice President, for the time being, of the Chartered Institute of Arbitrators. If the matter has not been resolved by an ADR procedure within 60 days of the initiation of that procedure, or if any party will not participate in an ADR procedure, the dispute may be referred to arbitration by any party. The seat of the arbitration shall be England and Wales. The arbitration shall be governed by both the Arbitration Act 1996 and Rules as agreed between the parties. Should the parties be unable to agree on an arbitrator or arbitrators, or be unable to agree on the Rules for Arbitration, any party may, upon giving written notice to other parties, apply to the President or the Vice President, for the time being, of the Chartered Institute of Arbitrators for the appointment of an Arbitrator or Arbitrators and for any decision on rules that may be necessary. Nothing in this clause shall be construed as prohibiting a party or its affiliate from applying to a court for interim injunctive relief.
5.VARIATION
5.1Subject to Clauses 3.14 and 3.19, any amendment or variation to this Agreement shall be in writing and signed by duly authorised representatives of each of the Parties.
5.2If the Data Protection Legislation changes in a way that the Agreement is no longer adequate for the purpose of governing lawful Processing exercises, the Parties agree they will negotiate in good faith to review the Agreement in the light of the new legislation.
6.NOTICES
6.1Any notice or other communication given by either Party under or in connection with this Agreement shall be in writing and shall be:

6.1.1delivered by hand, courier or by recorded post or other next working day recorded delivery service at its registered office (if a company) or its principal place of business (in any other case); or
6.1.2sent by email.
6.2Any notice or communication shall be deemed to have been received:
6.2.1if delivered by hand or courier, on the date on which the delivery receipt is signed;
6.2.2if sent by recorded post or other next working day recorded delivery service, at the time recorded by the delivery service; and
6.2.3if delivered by email, at the time of transmission, or, if this time falls outside business hours in the place of receipt, when business hours resume, and in this clause 6.2 “business hours” means 9.00am to 5.00pm Monday to Friday on a working day, and in this clause 6 “working day” means a day that is not a weekend or public holiday in the place of receipt.
6.3This clause 6 shall not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
7.SEVERABILITY
7.1If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this Agreement.
7.2If any provision or part-provision of this Agreement is deemed deleted under clause 7.1, the Parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
8.WAIVER
8.1No failure or delay by any Party to exercise any right, power or remedy will operate as a waiver of it nor will any partial exercise preclude any further exercise of the same or of some other right or remedy.
9.THIRD PARTY RIGHTS
9.1A person who is not a Party to this Agreement shall have no rights pursuant to the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement.
10.ENTIRE AGREEMENT
10.1This Agreement supersedes all prior representations and agreements between the Parties (whether written or oral) relating to the subject matter of the Agreement and sets forth the entire agreement and understanding between the Parties.
10.2Each Party warrants to the other that it has not relied on any representation or agreement (whether written or oral) not expressly set out or referred to in the Agreement.
11.COUNTERPARTS
11.1This Agreement may be executed in one or more counterparts. Any single counterpart or a set of counterparts executed, in either case, by the Parties shall constitute a full original of this Agreement for all purposes.
12.GOVERNING LAW AND JURISDICTION

12.1This Agreement shall be governed by and construed in accordance with the laws of Jersey and each of the parties hereto irrevocably submits to the exclusive jurisdiction of the Courts of Jersey as regards any matter or claim arising out of or in connection with this Agreement.



ANNEX 1 Data Processing

Description

Details

Subject matter of the Processing

Claims Reconciliation and Support Service

Duration of the Processing

The processor remotely accesses the practice clinical system. “Reconciliation records” generated as a result will be retained for 7 years.

Searches are run and pseudonymised data extracted and saved on the processor’s system. These “reconciliation records” consist of patient clinical system unique ID, medication name and issue dates.

This is considered a low-risk activity. It is not possible to identify the individual without access to the clinical system.


Nature and purposes of the Processing

The consultation record for each patient is manually reviewed by the processor. Additional issue dates are added to the “reconciliation records”. No patient identifiable information is removed from the system by the processor. To establish a clear audit trail, additional accounts may be created within the clinical system and will be deactivated once the reconciliation is complete.

If an unclaimed item is discovered, a prescription is issued. On an EMIS system the prescription is stored within EMIS and not removed from the system. S1 does not offer this facility and therefore a PDF is created of the prescriptions. This PDF contains the patient details required to create an FP10 and the medication details. This PDF is stored on the processor’s local hard drive for the duration of the reconciliation and then securely destroyed.

The “reconciliation records” are stored on a secure portal for the practice to access and validate.

The purpose of the processing is to identify episodes of care that have occurred where a reimbursable item has been used and not claimed.

Type(s) of Personal Data available to the processor

Racial or Ethnic Origin, Sex Life or Sexual Orientation, Health Data (Patient), Genetic Data.

Data Subject

All patients registered with the practice.


v.1.1 Change Log: Added: To establish a clear audit trail additional accounts may be created within the clinical system and will be deactivated once the reconciliation is complete.