SERVICE USER HEALTH RECORDS. The provider must create, maintain, store and retain service user health records for all service users. Providers should manage and retain and destroy service user data in accordance with the law and comply with any applicable guidance. The provider must use health records solely for the purposes of its obligation under the contract and must give the service user full and accurate information about their treatment. Where appropriate and required by guidance, service user’s NHS number should be identified in their service user health records. All organisations which could have access to patient identifiable data should have a Caldicott Guardian. The role of the Caldicott Guardian is advisory, providing a focal point for confidentiality and information sharing issues and the management of service user information at Cabinet level. Under the Data Protection Act 1998 (DPA) all providers and commissioners should manage service user identifiable data in accordance with the law and put in place appropriate controls to ensure the accuracy and traceability of any information stored on systems are designed to protect the confidentiality of service user information. The parties to the contract should help each other, as appropriate, to comply with the provisions of the DPA. Where the provider is acting as a Data Processor on behalf of the council, the provider shall only process personal data necessary to perform its contractual obligations and in accordance with any instruction given by the council, and ensure it has put in place the appropriate technical and organisational measures against unauthorised or unlawful processing of the data. The provider must also supply the council with the information required in respect of harm that may be suffered by a service user whose information has been affected by a breach of the DPA and, promptly notify the council of any breach of the security measures to protect personal information.
The provider is obliged to ensure it is not omitting to do anything knowingly or negligently which places the council in breach of the provisions of the DPA. The provider must supply the council with any information it reasonably requests to satisfy the council that it is complying with the DPA. The provider must take steps to ensure its staff are competent to handle personal data and are properly trained in data protection. The provider must promptly notify the council of any requests to disclose or gain access to personal data.
• If council data is corrupted, lost or sufficiently degraded as a result of the Provider’s omission or negligence so as to be unusable, the council may:
  o require the Provider (at the Provider’s expense) to restore or procure the restoration of such data and the Provider must do so as soon as practicable but not later than 3 months after the identification of the loss, corruption or degradation and/or
  o itself restore or procure the restoration of such data. The Provider must reimburse the council for any reasonable expenses incurred in doing so.
• If at any time the Provider suspects or has reason to believe that council data has or may become corrupted, lost or degraded in any way for any reason, the Provider must notify the council immediately and inform the council of the remedial action the Provider proposes to take.
• The Provider shall not store, copy, disclose or use council data except as necessary for the performance by the Provider of its obligations under this Contract or as otherwise expressly authorised in writing by the council.
• To the extent that council data is held and / or processed by the Provider the Provider shall supply that council data to the council as requested by the council in a format specified by the council.
• Upon receipt or creation by the Provider of any council data and during any collection, processing, storage and transmission by the Provider of any council data the Provider shall take all precautions necessary to preserve the integrity of the council data and to prevent any corruption or loss of the council data.
• The Provider shall perform secure back-ups of all council data and shall ensure that any system on which the Provider holds any council data including any back-up system is a secure system.
Appears in 2 contracts
Sources: Variation Agreement, Public Health Services Contract
SERVICE USER HEALTH RECORDS. The provider must create, maintain, store and retain service user health records for all service users. Providers should manage and retain and destroy service user data in accordance with the law and comply with any applicable guidance. The provider must use health records solely for the purposes of its obligation under the contract and must give the service user full and accurate information about their treatment. Where appropriate and required by guidance, service user’s NHS number should be identified in their service user health records. All organisations which could have access to patient identifiable data should have a Caldicott Guardian. The role of the Caldicott Guardian is advisory, providing a focal point for confidentiality and information sharing issues and the management of service user information at Cabinet level. Under the Data Protection Act 1998 (DPA) all providers and commissioners should manage service user identifiable data in accordance with the law and put in place appropriate controls to ensure the accuracy and traceability of any information stored on systems are designed to protect the confidentiality of service user information. The parties to the contract should help each other, as appropriate, to comply with the provisions of the DPA. Where the provider is acting as a Data Processor on behalf of the council, the provider shall only process personal data necessary to perform its contractual obligations and in accordance with any instruction given by the council, and ensure it has put in place the appropriate technical and organisational measures against unauthorised or unlawful processing of the data. The provider must also supply the council with the information required in respect of harm that may be suffered by a service user whose information has been affected by a breach of the DPA and, promptly notify the council of any breach of the security measures to protect personal information.
The provider is obliged to ensure it is not omitting to do anything knowingly or negligently which places the council in breach of the provisions of the DPA. The provider must supply the council with any information it reasonably requests to satisfy the council that it is complying with the DPA. The provider must take steps to ensure its staff are competent to handle personal data and are properly trained in data protection. The provider must promptly notify the council of any requests to disclose or gain access to personal data.
• If council data is corrupted, lost or sufficiently degraded as a result of the Provider’s omission or negligence so as to be unusable, the council may:
  o require the Provider (at the Provider’s expense) to restore or procure the restoration of such data and the Provider must do so as soon as practicable but not later than 3 months after the identification of the loss, corruption or degradation and/or
  o itself restore or procure the restoration of such data. The Provider must reimburse the council for any reasonable expenses incurred in doing so.
• If at any time the Provider suspects or has reason to believe that council data has or may become corrupted, lost or degraded in any way for any reason, the Provider must notify the council immediately and inform the council of the remedial action the Provider proposes to take.
• The Provider shall not store, copy, disclose or use council data except as necessary for the performance by the Provider of its obligations under this Contract or as otherwise expressly authorised in writing by the council.
• To the extent that council data is held and / or processed by the Provider the Provider shall supply that council data to the council as requested by the council in a format specified by the council.
• Upon receipt or creation by the Provider of any council data and during any collection, processing, storage and transmission by the Provider of any council data the Provider shall take all precautions necessary to preserve the integrity of the council data and to prevent any corruption or loss of the council data.
• The Provider shall perform secure back-ups of all council data and shall ensure that any system on which the Provider holds any council data including any back-up system is a secure system.
Appears in 1 contract
Sources: Public Health Services Contract