ONCARE DATA PROCESSING TERMS

Last updated – 3rd January 2020

1. Definitions and Interpretation

1.1 “Agency” ” has the meaning set out in the Agreement.

1.2 “Agency Personal Data” means personal data provided or made available to OnCare, or collected or created for the Agency, in connection with the Agreement, as described in more detail in Annex 1. 

1.3 “Agreement” means OnCare’s Terms and conditions, as supplemented by the OnCare Customer Payment Terms, and these data processing terms.

1.4 “Applicable Law” means (i) any and all laws, statutes, regulations, by-laws, orders, ordinances and court decrees that apply to the performance and supply of the services or the processing of Client Personal Data, and (ii) the terms and conditions of any applicable approvals, consents, exemptions, filings, licences, authorities, permits, registrations or waivers issued or granted by, or any binding requirement, instruction, direction or order of, any applicable government department, authority or agency having jurisdiction in respect of that matter.

1.5 “Data Protection Legislation” means:

A) the Data Protection Act 2018 (the “DPA”);

B) Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”) and any equivalent or implementing legislation;

C) all other applicable laws (including judgments of any relevant court of law) and regulations relating to the processing of personal data, data privacy, electronic communications, marketing and/or data security,

in each case as amended, extended, superseded or re-enacted from time to time;

1.6 “Sub-processor” means another processor engaged by OnCare for carrying out processing activities in respect of the Agency Personal Data on behalf of the Agency.

1.7 “EEA” means the European Economic Area;

1.8 “Regulator” means any person having regulatory or supervisory authority over all or any part of the Services or Customer’s business in relation to the Processing of personal data;

1.9 “Services” means the provision of access to the OnCare platform, as further specified in the terms of the Agreement.

1.10 “controller”, “processor”, “personal data”, “personal data breach”, ”data subject”, and “processing” have the meanings given to these terms under Data Protection Legislation.

1.11 general words are not to be given a restrictive meaning because they are followed by examples, and any words introduced by the word “including” or any similar expression are to be construed as illustrative and will not limit the sense of the related general words;

1.12 use of the singular includes the plural and vice versa, and use of any gender includes the other genders;

1.13 a reference to a Party includes that Party’s personal representatives, successors and permitted assignees;

1.14 the headings are included for convenience only and are not intended to affect the interpretation of this Addendum; and

1.15 in the event that there is a conflict or ambiguity between a provision of these Data Processing Terms and any other provision of the Agreement, the provision in these Terms shall prevail to the extent of any such conflict or ambiguity.

2. Data Processing Provisions

Roles

2.1 Each of the Parties acknowledges and agrees that for the purposes of the Data Protection Legislation, Agency is the Controller, and OnCare is the Processor in relation to the Processing by OnCare of any Agency Personal Data.

The Description of Personal Data, data subjects and processing etc

2.2 Annex 1 to this Schedule:

A) describes the processing of Personal Data permitted in connection with the Agreement;  

B) lists the Sub-Processors (if any) who the Agency agrees may process Agency Personal Data; and

OnCare obligations in relation to processing Agency Personal Data

2.3 OnCare will:

Agency’s written instructions

A) unless Applicable Law requires otherwise, only process Agency Personal Data (including transfers to international organisations or countries outside the EEA) in accordance with the Agency’s documented instructions as set out in this Schedule or otherwise in writing from time to time;

B) unless prohibited by Applicable Law, notify the Agency if Applicable Law requires it to process Agency Personal Data other than in accordance with Processing Instructions (such notification to be given before such processing commences); and

C) only process Agency Personal Data to the extent and in such a manner as is necessary for OnCare to provide the Services and to perform its other obligations under this Agreement in accordance with this Agreement and not for any other purpose;

D) notify the Agency if OnCare (or any of its DP Sub-processors) believes any of the Agency’s instructions relating to the processing Agency Personal Data breaches any Data Protection Legislation;

OnCare personnel

E) only disclose Agency Personal Data to, and ensure that access to Agency Personal Data is limited to, those of its personnel who are bound by confidentiality obligations in relation to Agency Personal Data;

Security

F) implement appropriate technical and organisational measures to ensure a level of security appropriate to the data security risks presented by processing Agency Personal Data, including the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;

Breach

G) notify the Agency without undue delay if it (or any of its Sub-processors) becomes aware that OnCare (or any of its sub-processors) suffers a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to any Agency Personal Data; where and insofar as OnCare cannot provide all the relevant information at the same time, it may provide this information in phases without undue further delay;

Return or deletion of Personal Data

H) when OnCare ceases to provide Services relating to processing pursuant to this Agreement:

i) at the Agency’s option, delete or return to the Agency all Personal Data; and 

ii) delete all copies of Agency Personal Data except insofar as OnCare reasonably considers it is required by law to continue to store such copies.

International transfer

2.4 OnCare will not transfer Personal Data (or direct the transfer of any Personal Data) to an international organisation or to any country outside the European Economic Area without the express prior written consent of the Agency unless:

A) such transfer is to a country or international organisation which at the time of transfer is formally recognised by the European Commission (or the UK Information Commissioner’s Office if the UK is no longer a member of the European Union) as providing an adequate level of data protection; or

B) OnCare has put in place appropriate safeguards, such as standard data protection clauses, to protect such Personal Data and ensure that the relevant Data Subjects have enforceable data subject rights and effective legal remedies as required by Data Protection Legislation;

Information, co-operation and assistance

2.5 OnCare will take appropriate technical and organisational measures to assist the Agency in fulfilling the Agency’s obligations to respond to any request by any data subject to exercise any data subject right under articles 15-23 inclusive of the GDPR or any equivalent or implementing legislation, in each case only to the extent that the data subject’s request relates to the processing of Agency Personal Data by OnCare pursuant to this Agreement.

2.6 OnCare will at the Agency’s request assist the Agency in complying with the Agency’s obligations under articles 32-36 inclusive of the GDPR or any equivalent or implementing legislation, in each case only to the extent that the Agency’s request relates to the processing of Personal Data by OnCare pursuant to this Agreement.

Records, audit and inspection

2.7 OnCare will:

A) keep full and accurate written records relating to all Processing of Agency Personal Data on behalf (directly or indirectly) of the Agency as required by Data Protection Legislation (“DP Records”);

B) make available to the Agency all the DP Records upon written request by it; and

C) subject to reasonable written advance notice from the Agency, permit the Agency to conduct (and OnCare shall contribute to) audits and inspections of OnCare’s systems and processes in relation to the processing of Agency Personal Data subject to the Agency ensuring:

i) that such audit or inspection is undertaken during normal business hours and with minimal disruption to OnCare’s business and the business of other clients of OnCare; and

ii) that all information obtained or generated by the Agency or its auditor(s) in connection with such audits and inspections is kept strictly confidential (save for disclosure to a regulatory authority or as otherwise required by Applicable Law);

Sub-processing

2.8 OnCare is hereby generally authorised by the Agency to engage any sub-processor, provided that OnCare shall: (i) ensure in each case that the sub-processor is bound by data protection obligations that are substantially the same as, and in any event no less onerous than, those contained in these Data Processing Terms; (ii) subject to the terms of the Agreement (including but not limited to any limitations on liability agreed therein) remain fully liable to the Agency for the performance of that sub-processor’s obligations; and (iii) provide details of all such sub-processors to the Agency upon written request. OnCare shall inform the Agency of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Agency the opportunity to object to such changes. Notwithstanding anything to the contrary in the Agreement, the Parties expressly agree that such notice shall be provided via email to an email address or addresses nominated by the Agency from time to time. 

2.9 The Agency agrees that OnCare may continue to use those sub-processors already engaged by OnCare as at the date of commencement of the Services provided that in each case as practicable OnCare meets the obligations set out in Clause 2.7.1 (i), (ii) and (iii) above. 

Agency obligations in relation to processing Personal Data

2.10 The Agency will:

A) comply with its obligations under the Data Protection Legislation which arise in relation to this Agreement and the receipt of the Services;

B) not do or omit to do anything which causes OnCare (or any sub-processor) to breach any of its obligations under the Data Protection Legislation; 

2.11 The Agency represents, warrants and undertakes to OnCare that:

A) the Agency (and any other sub-contractor of the Agency) has obtained Agency Personal Data in accordance with the Data Protection Legislation and has provided (or will provide) all necessary notices to data subjects whose personal data comprises part of Agency Personal Data; and

B) it has (or will at the required time have) one or more valid grounds for OnCare’s (and any sub-processors and their sub-sub-processors’) processing of Agency Personal Data in accordance with this Agreement

so that OnCare’s (and any sub-processors and their sub-sub-processors) processing of Agency Personal Data in accordance with this Agreement complies with the Data Protection Legislation.


Annex 1

1. The subject matter, and duration of the processing of Agency Personal Data

Personal data is processed in connection with the provision of the OnCare platform. It may be processed for the duration of the Agreement, for as long as the Agency continues to use the platform.

2. The nature and purpose of the processing of Agency Personal Data

Agency Personal Data will be processed in order to 

  • Set up, provide and monitor the services;
  • provide technical support;
  • for storage purposes; and
  • for payment processing

Agency Personal Data will be processed as necessary for the provision of the OnCare Platform. 

The OnCare platform has the following functionality:

  • enabling Agencies to administer, manage and monitor the care visits and/or social care services carried out by their respective Care Workers;
  • enabling Care Workers to create Care Visit Reports. A “Care Visit Report” means a report created by a Care Worker which contains details of that Care Worker’s care visit to a Client, with such report being accessible via the OnCare platform); and
  • enabling Agencies and approved Family Members to view Care Visit Reports relating to specific Clients.

3. A description of the types of Personal Data and categories of data subjects

Types of personal data This applies to:
Contact details, such as: first name, last name, email address Care workers, agency office staff, clients (care recipients), friends/family with account access, key client contacts
Client Identity data, such as: title, first name, last name, email address, telephone number title, date of birth, key contacts, likes/dislikes/hobbies, languages spoken, history and background Clients (care recipients)
Mobile Telephone Number (if sms updates have been requested) Friends/family with account access
Care data, such as: property access details, care outcomes, care plan/care needs, risk assessment, mobility information, perceived emotional state, scheduled care/previous care visits, notes and alerts from visits, notes relating to upcoming GP appointments, friends/family access associated to the OnCare account, communications logged against the client (GP calls, family requests) Clients (care recipients)
Care Delivery details, such as: scheduled/previous visits, other care staff present at visits, activities carried out during visits, notes taken during visit, average ratings received from clients, GPS locations of each check in and check out Care workers
Vocational data, such as: qualifications, work history, photograph Care workers
Agency data, such as: which agencies care workers and agency office staff represent Care workers, agency office staff
Agency Office Staff details, such as: job title, work telephone number, business bank details, bank details (for sole workers), signatures for payment terms Agency office staff
Records of Correspondence you have with us  Care workers, agency office staff, clients (care recipients), friends/family with account access, key client contacts
Technical data, such as: device, browser, internet protocol (IP) address, operating system and platform used, password and login data, user ID numbers, location. Care workers, agency office staff, clients (care recipients), friends/family with account access
Usage Data information about use of the platform  Care workers, agency office staff, clients (care recipients), friends/family with account access

4. The obligations and rights of the Agency as controller

As set out in this Agreement.