Data Processing Agreement
AJQ Software Limited t/a GetReferd (“GetReferd”, “we”, “us”, “our”) takes the privacy of all our stakeholders seriously. We always attempt to make our policies on managing your data easy to understand. We safeguard patient data and the privacy of all our stakeholders. Should you have any questions, please email firstname.lastname@example.org.
GetReferd is incorporated in Ireland (Company Number 579646) and our registered office is at 20 Harcourt Street, Dublin 2. We provide a platform which allows healthcare providers (“Referring Healthcare Provider”) to refer a patient (“Referred Patient”) to other healthcare providers for further care.
We acknowledge that for the purposes of the Data Protection Act 2018 and the General Data Protection Regulation ((EU) 2016/679) (together “Data Protection Legislation”) we are a processor of the Referred Patient’s personal data on behalf of the Referring Healthcare Provider, who is the controller of that personal data. Our Terms of Service above (“Terms of Service”) set out our legal agreement with the Referring Healthcare Provider as regards the processing of Referred Patients’ personal data and incorporate this privacy addendum by reference.
GetReferd is registered with the Data Protection Commission in Ireland under Reference DP73-u-947570666.
2. Data Collection:
Referral by Healthcare Provider
Data is collected when a patient is referred to a Healthcare Provider, and the information is processed solely for the purposes of considering and processing that referral.
We collect the following information about Referred Patients:
· email address (optional)
· date of birth
· doctor’s referral notes
· doctor’s referral relevant file attachment
· in the case of minors, the contact details of the Referred Patient’s guardian
Data Provided by the Patient
A Referred Patient may inform us, by responding to a text message or via our website or mobile application, that they no longer wish to attend their appointment with the medical professional to whom they have been referred.
The above information together with any personal data relating to Referred Patients that arises as a result of our processing of same in accordance with the Terms of Service is hereafter referred to as the “Patient Information”.
3. Data Processing and who we share the Referred Patient’s information with:
As we are a data processor in respect of the Patient Information, we will only process such information on the instruction of the controller of the personal data, the Referring Healthcare Provider.
We do not sell any Patient Information to any person. We provide Patient Information to the receiving Healthcare Provider that takes the Referred Patient’s appointment. We also use the Patient Information to send the notifications of the referral status and the booked referral appointment to the Referred Patient.
We will only transfer Patient Information outside of the EU on the express instruction of the Referring Healthcare Provider and where the Referring Healthcare Provider has obtained the explicit consent of the Referred Patient (having notified the Referred Patient that the transfer may be to a country which does not afford their information the same level of protection as is within the EU).
We use the following sub-processors:
· Amazon Web Services Limited
· 8bytes Development Limited (providers of outsourced software development)
· Slack (providers of project management)
· ChargeBee (providers of billing and subscription services)
· Stripe (providers of payment services)
· Twilio (providers of SMS messaging services)
· HubSpot (providers of CRM)
· Amazon Web Services Inc (providers of encrypted data storage services)
We have written contracts in place with our sub-processors which contain the provisions required by the General Data Protection Regulation to be set out in a data processor agreement.
If we wish to appoint any further sub-processors in respect of the Patient Information we will notify the Referring Healthcare Provider in advance in accordance with the Terms of Service.
5. Security and Confidentiality
All Patient Information is held on AWS infrastructure located in Ireland, configured for HIPAA-eligible workloads, where it is encrypted at two independent layers for additional security. On occasion our employees may need access to Patient Information in order to provide referral support; any device used for this purpose is itself fully encrypted and connects only over VPN software. No GetReferd employee will contact a Referred Patient as part of the referral process.
All GetReferd employees are made aware of their obligations of confidentiality as regards the Patient Information and are subject to strict contractual obligations in this regard.
We always use Patient Information in accordance with the Data Protection Legislation.
We may at times collate, aggregate and analyse non-personally identifiable data to understand patient appointment demand, demographics, trends and user preferences. This information is for internal use and may be shared with stakeholders to help them better manage demand for their services.
6. Data Subject Rights
Data subjects have rights under GDPR including the right to:
· Request access to their personal data (commonly known as a “data subject access request”). This enables the data subject to receive a copy of their personal data from the controller of the data and to check that the controller is lawfully processing it.
· Request correction of the personal data that is held about the data subject. This enables the data subject to have any incomplete or inaccurate information corrected.
· Request erasure of their personal data. This enables the data subject to ask the controller to delete or remove personal data where there is no good reason for the controller to continue processing it. Data subjects also have the right to ask the data controller to delete or remove their personal data where they have exercised their right to object to processing (see below).
· Object to processing of the data subject’s personal data where the data controller is relying on a legitimate interest (or those of a third party) and there is something about the data subject’s particular situation which makes them want to object to processing on this ground. The data subject also has the right to object where the data controller is processing their personal data for direct marketing purposes.
· Request the restriction of processing of the data subject’s personal data. This enables the data subject to ask the data controller to suspend the processing of personal data about the data subject, for example if the data subject wants the controller to establish its accuracy or the reason for processing it.
· Request the transfer of the data subject’s personal data to another party.
We will notify the Referring Healthcare Provider within two working days if we receive a request from a Referred Patient for access to their Patient Information or to exercise any of their related rights under the Data Protection Legislation.
We will notify the relevant Referring Healthcare Provider immediately if we receive any complaint, notice or communication that relates directly or indirectly to the processing of Patient Information or to either our own or the Referring Healthcare Provider’s compliance with the Data Protection Legislation.
We will give the Referring Healthcare Provider our full co-operation and assistance in responding to any complaint, notice, communication or data subject request. We have implemented the following technical and organisational measures, to enable the Referring Healthcare Provider to comply with (a) the rights of the Referred Patients as set out above and (b) information or assessment notices served on the Referring Healthcare Provider by any supervisory authority under the Data Protection Legislation:
· Having a data subject request response plan including a protocol to notify the Referring Healthcare Provider of a request by a Referred Patient.
· Creating a data subject access request response team.
For the avoidance of doubt, the Referring Healthcare Provider should respond to complaints or data subject access requests, and we will not disclose any Patient Information without the Referring Healthcare Provider’s approval. We will respond to complaints or data subject access requests on instruction from the Referring Healthcare Provider.
7. Data Breaches
We have taken the following steps to ensure we can detect and report data breaches in a timely manner:
· Implementing security measures into IT systems, networks, processing operations, and business practices to detect security incidents.
· Having a security breach response plan including a protocol to notify data controllers of the breach.
· Creating a security breach response team.
· Having a log for recording security incidents and security breaches, including a summary of the incident, its effects, and the responsive action taken.
We will promptly and without undue delay notify the relevant Referring Healthcare Provider if any Patient Information is lost or destroyed or becomes damaged, corrupted, or unusable. We will endeavour to promptly restore such Patient Information.
We will, within 24 hours and without undue delay, notify the relevant Referring Healthcare Provider if we become aware of:
(a) any accidental, unauthorised or unlawful processing of Patient Information; or
(b) any data breach affecting Patient Information,
and shall give the Referring Healthcare Provider the following information:
(i) a description of the nature of (a) and/or (b), including the categories and approximate number of both Referred Patients and Patient Information records concerned;
(ii) the likely consequences; and
(iii) description of the measures taken, or proposed to be taken to address (a) and/or (b), including measures to mitigate its possible adverse effects.
We will keep detailed, accurate and up-to-date written records regarding any processing of Patient Information we carry out for a Referring Healthcare Provider, including but not limited to the access, control and security of the Patient Information, approved subcontractors and affiliates, the processing purposes, categories of processing, any transfers of personal data to a third country and related safeguards, and a general description of the technical and organisational security measures implemented (“Records”).
We will ensure that the Records are sufficient to enable the Referring Healthcare Provider to demonstrate its compliance with its obligations under Data Protection Legislation regarding the engagement of data processors. We will provide the Referring Healthcare Provider with copies of the Records upon request.
At least once a year, we will conduct site audits of our Patient Information processing practices and of the information technology and information security controls for all facilities and systems used in complying with our obligations under this Agreement, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognised third-party audit firm based on recognised industry best practices.
On the Referring Healthcare Provider’s written request, we will make all of the relevant audit reports available to the Referring Healthcare Provider for review, including as applicable reports relating to our ISO/IEC 27001 certification. The Referring Healthcare Provider will treat such audit reports as our confidential information under the Terms of Service and this Addendum.
We will promptly address any exceptions noted in the audit reports by developing and implementing a corrective action plan.
On termination of our contract with the Referring Healthcare Provider in accordance with the Terms of Service, we will securely delete or destroy or, if directed in writing by the Referring Healthcare Provider, return and not retain, all or any relevant Patient Information in our possession or control.
If any law, regulation, or government or regulatory body requires us to retain any documents or materials that we would otherwise be required to return or destroy, we will notify the Referring Healthcare Provider in writing of that retention requirement, giving details of the documents or materials that we must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.