Draft of Agreement on Data Processing (research) between (org nr...) og Akershus University Hospital HF (org nr )

Transcription

1 Versjon 2 Draft of Agreement on Data Processing (research) between (org nr...) og Akershus University Hospital HF (org nr ) 1 The parties of the agreement Purpose and area for the agreement Duration and termination of the agreement The obligations for the parties according to the Act on Personal Data Termination of agreement Replacement of data Data subject to deletion or destruction Purpose of the use of Personal Data under the agreement Specification of Data related to identification of patients Persons in charge during running of the agreement Requirements (standards of) to information security Request to technical measures Entrance control Requests to control on entrance of Processor s site Security audit, verification and testing Secrecy Breach of Agreement and sanctions Reliability of subcontractors Transport of the Agreement Choice of law and legal venue Law relevant to the Agreement Signing... 5 Where text in yellow or italics: delet instructions and ad relevant text 1 The parties of the agreement This agreement is set up for the following parties Akershus University Hospital HF as the controller (the data controller, hereafter called Ahus) and name of firm... (the data processor, hereafter called the Processor). 2 Purpose and area for the agreement The purpose of this Agreement is to state what purpose the information in question can be expoited for as to the use and security of Personal data which are handed over by Ahus to Processor. If for any reason Processor wants to entrust personal data from Ahus to a third party or subcontractor for storing, analyze or otherwise use the data, this must be described in this Agreement. Title of the project: xxxxxxxxx (When research or responsible person on other kind of project) Personal data delivered or derived according to this Agreement might be saved in different formats as a file, system, application or on a server, back-up copies and alike, will further on in this Agreement be called the Datasystem. 3 Duration and termination of the agreement This agreement is valid from, and has a duration until. On xx months written notice the agreement may be terminated. 4 The obligations for the parties according to the Act on Personal Data Ahus is responsible to the Norwegian authorities in accordance to the Personal Data Act, and regulations by the Authorities, (see no 15 for full naming): o Personal Health Data Filing System Act o Secondary law of Personal Data Agreement on Data processing (research)_v1 Side 1 av 6

2 o «Code of Conduct» This implies that Ahus is responsible to see to that the claims in the acts and regulations also are fulfilled at the Processors site regarding handling of Personal Data by Processor belonging to Ahus. This is according to Data Personal Act 15 and the secondary law of personal data Other use of the Personal Data, require prior written consent from Ahus. When processing personal data on behalf of Ahus, the Processor is obliged to follow the routines and instructions set by Ahus at any given time. When the set of data include health information combined to facts which can lead to reveal the personal identity of single patients, that is through coded lists, personal numbers, date of birth, number from the national registration authorities (NPR-number), telephone number or other likewise; the Act Personal Health Data Filing System, also sets limits to the purpose of use of the data. The Processor is obliged to give Ahus access to his written technical and organizational measures for security, and to provide assistance so that Ahus can fulfill its responsibilities pursuant to the Acts and the Regulations which are the sources of the Code of Conduct. Unless otherwise agreed or pursuant to statutory regulations, Ahus is entitled to get access to all personal Data being processed on behalf of Ahus and the Datasystems used for this purpose. The Processor shall provide the necessary assistance for this without cost for Ahus. The Processor must observe professional secrecy in regard to the documentation and Personal Data to which he has access in accordance with this agreement. This provision also applies after the agreement has been discontinued without limitation to time. Security measures must be established to keep Personal Data related to Ahus, divided from those of other agreements with other Controllers as well as the Processor s own. In case the agreement has a longitude of more than 3 years, the Processor must every third year, report to Ahus on whether (if) Personal Data are still stored according to the Code of Conduct including Acts and regulations. This is the case also if no alterations have taken place. 5 Termination of agreement 5.1 Replacement of data At termination of the agreement all data related and in possession of Processor must be replaced or delivered in return to Ahus. 5.2 Data subject to deletion or destruction Processor must delete or destroy all material in a secure and definite/irreversible manner which contains data such as documents, data, diskettes, CDs, backup-copies, storage devices and so forth, or return it all to Ahus. 6 Purpose of the use of Personal Data under the agreement <Fill in, and tell what use the data is meant for. If in any case data from Ahus will be connected to other sets of data prior written consent must be given by Ahus. > 7 Specification of Data related to identification of patients <Fill inn, and explain whether data under the agreement either directly tells the identity of patients or the signs of identity are deleted. If there is a key to the identity this must be described along with how, where and by whom it is stored. > 8 Persons in charge during running of the agreement Persons in charge of the parties during this agreement: Ahus: <name, address, and phone number, role >,... Processor: < name, address, and phone number, role >,... Agreement on Data processing (research)_v1 Side 2 av 6

3 9 Requirements (standards of) to information security Both parties are at any time during the agreement, responsible to ensure that requirements to security of Personal Data are treated according to the Personal Data Act 13 and the secondary personal Data, and its Chapter 2. Data on health must also be treated according to requirements set forth in the Personal Health Data Filing System Act and according to Code of Conduct and its best practice routines. Processor must report on risks according to likelihood of an incident occurring and on the consequence of such an incident at Processors or Suppliers sites and/or devices. Such documentation must be brought forth at the request of Ahus, see Code of Conduct and best practice routine no 7. Processor is expected to have set defined goals as to measure accepted risks on security, strategy, organization and liability according to the Code of Conduct and its best practice routines as described in the sheets following, and necessary system for internal control. Suspicion on or breach of confidentiality, availability, integrity or quality for Personal Health Data is to be reported to the Personal data ombudsman at Ahus immediately. Processor is obliged to have routines on logging of mistakes and discrepancies of importance to the security derived from Ahus. When if such incidents are revealed processor must as soon as possible and within 24 hours warn Ahus and immediately take charge to minimize the damage to the interests of Ahus. Security audits at Processors site by Ahus may take place on files, systems, application routines etc covered by this agreement. The purpose will be to validate that the practicing of this agreement is according to standards set by Code of Conduct. Periodical internal reports from Processor may be included to the verification. 9.1 Request to technical measures Requests to technical measures: Access to Personal Data covered by this agreement has to be authorized through individual codes of authentication combined to passing codes in numbers: Authorizes personal only must be given access to data stored and belonging to Ahus. Sensitive personal data must be protected against unintended, unlawful sharing and delivery to strangers. Hinderances to unauthorized moving and or copying of sensitive personal data from devices designed for storage must be established. Encrypted communication is requested if when sensitive personal data is passed through networks which lacks security level Entrance control Processor is responsible regarding handling of information by employees and that of Subprocessors, Written prior statement on confidentiality of both given access to Personal Data under this agreement and deriving from Ahus must be available on request. The statement must be valid forever even after the end of access and running time of the Agreement, and until Ahus gives written consent to evoke the confidentiality. Processor must have routines which covers authorization and authentication to verify that access has been limited to those persons who are in need to cope with tasks he is dedicated to. Level of access must be within necessary limits to fulfill the Agreement. Processor must keep overview of authorizes personal, which can be made available on the request of Ahus. In case Ahus find that one person should not deal with the Agreement the person in question will be taken off. In case Processor use portable client machinery to carry out the agreement, Processor must have routines to ensure they are used only for the purpose of this agreement and to get support from subcontractors on running application or giving advice to users. Agreement on Data processing (research)_v1 Side 3 av 6

4 In case third parties or subcontractors are given access preliminary authorization and authentication must be used, and verification must be available as mentioned elsewhere in this Agreement. 9.3 Requests to control on entrance of Processor s site Personal ID-card with mechanisms for authorization and authentication or alike must be in use. Limited entrance to specific areas (rooms for running and server) according to need must be set. Unauthorized persons must be followed. Automatically locks must be installed on doors at following kind of areas: datahall/room for servers, rooms for running and support, technical rooms for connections, switches and routers, and the like. 9.4 Security audit, verification and testing Ahus is entitled to view and make visits for verification on site as to see how the systems are set up including what security measures which are in use. This also includes access to documentation, interviews, notes form meetings, tests, measures of control on movements (traffic) on net, as well as at activities on server, supplied with other kinds of verification, which Ahus finds relevant. Processor accepts that Ahus may carry out such steps itself, or chose a third party to perform the verification. All technical devices, documentation on organization and those which describe administering of the service which is delivered to Ahus, may be subject to verification. On two weeks written notice Processor will perform the documentation mentioned above. If Ahus during verification finds breaches on security to data Processor immediately and without delay un necessary delay will take steps to make corrections. Plans to carry out corrections and identification on the items will be presented. As part of the agreement and without costs to Ahus, Processor will contribute with personal of relevant professional skills, for necessary amount of time for corrections related to reestablishment of security of the Datasystem in question. This will be the case of breaches and in case of necessity for restorations are due to actions or lack of such, at hands of Processor and / or subcontractor. 10 Secrecy All information derived from this agreement will by both parties, be treated according to professional secrecy. This includes information which is confidential such as personal data, security or contractual measures and information which may be of vital importance to the owner or which may harm the owner if the information came to knowledge of a third professional party. This provision includes all personal responsible to Processor and his subcontractors given access on his behalf to carry out the agreement. They all must sign a declaration on secrecy. On request a copy must be available from Processor to Ahus. The content of the declaration must be in accordance to that of Ahus, and may be subject to change if Ahus finds it not in accordance to the Code of Conduct. Precautions must be taken by both parties to storage devices regarding unlawfully use or access from unauthorized persons or at the hands of a third party. This provision also applies indefinitely of time and without regard to the continuation of the Agreement, and including all personal or others who has had access to the practicing this Agreement. 11 Breach of Agreement and sanctions In the event of breach of this agreement, Ahus can instruct the Processor to stop further handling of the information with immediate effect. Breach of agreement will be stated if one of the parties does not fulfill his obligations described in the agreement or Code of Conduct, unless this is due to situations of Force Majeur. Written statement of breach of Agreement must be presented without unduly delay to be valid. The party which states breach of agreement is entitled to keep back his obligations described in the Agreement, limited to within reasonable time for the responsible party to take necessary steps to diminish or repair the effect of the breach. Both parties are obliged to ensure as little damage to the Data is made until the case is settled as to whom is responsible for the trouble caused. Agreement on Data processing (research)_v1 Side 4 av 6

5 In the event of thoroughly breach of the agreement, the other party may after written notice with due time to repair the damage terminate the agreement immediately and claim for compensation for loss this may have caused him. 12 Reliability of subcontractors If one of the parties engages subcontractors to fulfill his part of the agreement, the party is still responsible to carry out the agreement as described as if he himself had fulfilled the agreement. Prior written consent from Ahus is pursuant to engage subcontractors by Processor. Subcontractors must sign on a statement which describes that he will be loyal to the agreement included questions related to secrecy and according to Code of Conduct. 13 Transport of the Agreement In the event other governmental institutions of Norway should take over the agreement from Ahus as a whole or for parts, the agreement will still be valid on the same conditions. Processor may claim his costs related to this covered by Ahus. Processor may transport the agreement upon prior written acceptance by Ahus. Denial of acceptance is only due on fair reasons. Economical claims related to the transport of this Agreement is allowed but Processor is still obliged to carry out his obligations as described in the agreement until his successor is able to take over in full scale. 14 Choice of law and legal venue This agreement is subject to Norwegian jurisdiction and the parties agree on The District Court of Nedre Romerike as the legal venue. This also applies after termination of the agreement. 15 Law relevant to the Agreement Act , Act relating to personal health data filing systems and the processing of health data; called Personal Health Data Filing System Act Secondary law on personal data Act relating to the processing of personal data; called Personal Data Act Code of conduct for information security in the healthcare, care, and social services sector (Normen, called Code)) is primarily based upon the privacy and health legislation s requirements to establish satisfactory information security for systems containing health and personal data, as described and agreed upon by individual organizations and the sector in general. 16 Signing This agreement has been drawn up in 2 two copies, of which the parties retain one copy each. Nordbyhagen, the.... Akershus University Hospital HF (signatur) Assistant Managing director Tone IkdahlDirector research and innovation Tormod Fladby Processor (signatur) Agreement on Data processing (research)_v1 Side 5 av 6

6 Position:.. Name: (in typed letters) Position:.. Name: Agreement on Data processing (research)_v1 Side 6 av 6