Draft of Agreement on Data Processing (research) between (org nr...) and Akershus University Hospital HF (org nr )

Version 2

Draft of Agreement on Data Processing (research) between (org nr...) and Akershus University Hospital HF (org nr. 983 971 636)

Contents
1 The parties of the agreement
2 Purpose and area for the agreement
3 Duration and termination of the agreement
4 The obligations for the parties according to the Act on Personal Data
5 Termination of agreement
5.1 Return of data
5.2 Data subject to deletion or destruction
6 Purpose of the use of Personal Data under the agreement
7 Specification of Data related to identification of patients
8 Persons in charge during the running of the agreement
9 Requirements for information security
9.1 Requirements for technical measures
9.2 Access control
9.3 Requirements for physical access control at the Processor's site
9.4 Security audit, verification and testing
10 Secrecy
11 Breach of Agreement and sanctions
12 Responsibility for subcontractors
13 Transfer of the Agreement
14 Choice of law and legal venue
15 Law relevant to the Agreement
16 Signing

Where text is in yellow or italics: delete the instructions and add the relevant text.

1 The parties of the agreement

This agreement is entered into between the following parties: Akershus University Hospital HF as the controller (the data controller, hereafter called Ahus) and name of firm... (the data processor, hereafter called the Processor).

2 Purpose and area for the agreement

The purpose of this Agreement is to state the purposes for which the information in question may be used, and the conditions for the use and security of Personal Data handed over by Ahus to the Processor. If for any reason the Processor wants to entrust Personal Data from Ahus to a third party or subcontractor for storage, analysis or other use, this must be described in this Agreement.

Title of the project: xxxxxxxxx (for research, or the responsible person for other kinds of project)

Personal Data delivered or derived under this Agreement may be stored in different formats, such as a file, system, application or server, backup copies and the like; these are referred to in the rest of this Agreement as the Datasystem.

3 Duration and termination of the agreement

This agreement is valid from ... and has a duration until ... . The agreement may be terminated on xx months' written notice.

4 The obligations for the parties according to the Act on Personal Data

Ahus is responsible to the Norwegian authorities in accordance with the Personal Data Act and the regulations issued by the authorities (see section 15 for the full names):
o Personal Health Data Filing System Act
o Secondary Law on Personal Data
o «Code of Conduct», www.normen.no

Agreement on Data processing (research)_v1 Page 1 of 6

This implies that Ahus is responsible for ensuring that the requirements of the acts and regulations are also fulfilled at the Processor's site with regard to the Processor's handling of Personal Data belonging to Ahus. This follows from the Personal Data Act section 15 and the Secondary Law on Personal Data section 2-15. Any other use of the Personal Data requires prior written consent from Ahus.

When processing Personal Data on behalf of Ahus, the Processor is obliged to follow the routines and instructions set by Ahus at any given time.

When the data set includes health information combined with facts that can reveal the identity of individual patients, whether through coded lists, personal identification numbers, dates of birth, numbers from the national registration authorities (NPR number), telephone numbers or the like, the Personal Health Data Filing System Act also limits the purposes for which the data may be used.

The Processor is obliged to give Ahus access to its written technical and organizational security measures, and to provide assistance so that Ahus can fulfil its responsibilities pursuant to the acts and regulations on which the Code of Conduct is based.

Unless otherwise agreed or required by statutory regulations, Ahus is entitled to access all Personal Data processed on behalf of Ahus and the Datasystems used for this purpose. The Processor shall provide the necessary assistance for this at no cost to Ahus.

The Processor must observe professional secrecy with regard to the documentation and Personal Data to which it has access under this agreement. This provision also applies after the agreement has ended, without limitation in time.

Security measures must be established to keep Personal Data belonging to Ahus separate from data processed under agreements with other controllers and from the Processor's own data.

If the agreement has a duration of more than 3 years, the Processor must every third year report to Ahus on whether Personal Data are still stored in accordance with the Code of Conduct and the relevant acts and regulations. This applies even if no changes have taken place.

5 Termination of agreement

5.1 Return of data

On termination of the agreement, all related data in the Processor's possession must be returned to Ahus.

5.2 Data subject to deletion or destruction

The Processor must delete or destroy, in a secure and irreversible manner, all material containing such data (documents, data, diskettes, CDs, backup copies, storage devices and so forth), or return it all to Ahus.

6 Purpose of the use of Personal Data under the agreement

<Fill in, and state what the data is to be used for. If data from Ahus will be linked to other data sets, prior written consent must be given by Ahus.>

7 Specification of Data related to identification of patients

<Fill in, and explain whether the data under the agreement directly identifies patients or whether the identifying features have been removed. If there is a key to the identity, this must be described, along with how, where and by whom it is stored.>

8 Persons in charge during the running of the agreement

Persons in charge for the parties during this agreement:
Ahus: <name, address, email and phone number, role>, ...
Processor: <name, address, email and phone number, role>, ...

9 Requirements for information security

Both parties are at all times during the agreement responsible for ensuring that the security requirements for Personal Data are met in accordance with the Personal Data Act section 13 and the Secondary Law on Personal Data, chapter 2. Health data must also be handled in accordance with the requirements of the Personal Health Data Filing System Act and the Code of Conduct with its best practice routines.

The Processor must report on risks according to the likelihood of an incident occurring and the consequences of such an incident at the sites and/or devices of the Processor or its suppliers. Such documentation must be produced at the request of Ahus; see the Code of Conduct and best practice routine no. 7.

The Processor is expected to have defined goals and acceptance criteria for security risk, and a security strategy, organization and allocation of liability in accordance with the Code of Conduct and its best practice routines as described in the sections that follow, together with the necessary system for internal control.

Suspected or actual breaches of confidentiality, availability, integrity or quality of Personal Health Data must be reported to the Personal Data Ombudsman at Ahus immediately.

The Processor is obliged to have routines for logging errors and discrepancies of importance to the security of data originating from Ahus. If such incidents are detected, the Processor must notify Ahus as soon as possible and within 24 hours, and immediately take steps to minimize damage to Ahus's interests.

Ahus may carry out security audits at the Processor's site of the files, systems, application routines etc. covered by this agreement. The purpose is to verify that the agreement is being carried out in accordance with the standards set by the Code of Conduct. Periodic internal reports from the Processor may be included in the verification.

9.1 Requirements for technical measures

Requirements for technical measures:
o Access to Personal Data covered by this agreement must be authorized through individual authentication credentials combined with numeric passcodes.
o Only authorized personnel may be given access to stored data belonging to Ahus.
o Sensitive Personal Data must be protected against unintended or unlawful disclosure and delivery to unauthorized parties.
o Measures must be established to prevent unauthorized moving or copying of sensitive Personal Data from the storage devices intended for them.
o Encrypted communication is required when sensitive Personal Data are transmitted over networks that lack security level 4.

9.2 Access control

The Processor is responsible for the handling of information by its own employees and by those of subprocessors. A prior written statement of confidentiality from all persons, whether of the Processor or of a subprocessor, given access to Personal Data under this agreement originating from Ahus must be available on request. The statement remains valid indefinitely, even after access has ended and the Agreement has expired, until Ahus gives written consent to revoke the confidentiality obligation.

The Processor must have routines covering authorization and authentication to verify that access has been limited to the persons who need it to carry out the tasks assigned to them. The level of access must be within the limits necessary to fulfil the Agreement. The Processor must keep an overview of authorized personnel, which must be made available at the request of Ahus. If Ahus finds that a person should not work under the Agreement, that person shall be removed.

If the Processor uses portable client equipment to carry out the agreement, the Processor must have routines ensuring that it is used only for the purposes of this agreement and for obtaining support from subcontractors on running the application or advising users.

If third parties or subcontractors are given access, prior authorization and authentication must be used, and verification must be available as mentioned elsewhere in this Agreement.

9.3 Requirements for physical access control at the Processor's site

Personal ID cards with mechanisms for authorization and authentication, or the like, must be in use. Entrance to specific areas (operations rooms and server rooms) must be restricted according to need. Unauthorized persons must be escorted. Automatic locks must be installed on the doors of the following kinds of areas: data halls/server rooms, rooms for operations and support, technical rooms for connections, switches and routers, and the like.

9.4 Security audit, verification and testing

Ahus is entitled to inspect and make verification visits on site to see how the systems are set up, including which security measures are in use. This also includes access to documentation, interviews, minutes of meetings, tests, measurements of network traffic and of activity on servers, together with other kinds of verification that Ahus finds relevant. The Processor accepts that Ahus may carry out such steps itself or choose a third party to perform the verification. All technical devices, documentation of the organization and documentation describing the administration of the service delivered to Ahus may be subject to verification. On two weeks' written notice the Processor shall provide the documentation mentioned above.

If Ahus during verification finds breaches of data security, the Processor shall immediately and without undue delay take steps to make corrections. Plans for carrying out the corrections and identification of the items concerned shall be presented. As part of the agreement and at no cost to Ahus, the Processor shall contribute personnel with the relevant professional skills for the time necessary for corrections related to re-establishing the security of the Datasystem in question. This applies where the breach, or the need for restoration, is due to actions or omissions on the part of the Processor and/or its subcontractors.

10 Secrecy

All information derived from this agreement shall be treated by both parties in accordance with professional secrecy. This includes confidential information such as Personal Data, security or contractual measures, and information that may be of vital importance to its owner or that may harm the owner if it came to the knowledge of a third party. This provision covers all personnel of the Processor and of its subcontractors who are given access on its behalf to carry out the agreement. They must all sign a declaration of secrecy; on request a copy must be made available by the Processor to Ahus. The content of the declaration must correspond to that used by Ahus, and may be subject to change if Ahus finds it not in accordance with the Code of Conduct.

Both parties must take precautions with regard to storage devices against unlawful use or access by unauthorized persons or third parties. This provision also applies indefinitely, regardless of whether the Agreement continues, and covers all personnel or others who have had access in the course of carrying out this Agreement.

11 Breach of Agreement and sanctions

In the event of a breach of this agreement, Ahus can instruct the Processor to stop further handling of the information with immediate effect. A breach of agreement exists if one of the parties does not fulfil its obligations as described in the agreement or the Code of Conduct, unless this is due to force majeure. A written statement of breach of Agreement must be presented without undue delay in order to be valid. The party claiming breach of agreement is entitled to withhold its own obligations under the Agreement for a reasonable time while the responsible party takes the necessary steps to reduce or repair the effects of the breach. Both parties are obliged to ensure that as little damage as possible is done to the Data until it is settled who is responsible for the problem caused.

In the event of a material breach of the agreement, the other party may, after written notice giving reasonable time to repair the damage, terminate the agreement immediately and claim compensation for any loss this may have caused it.

12 Responsibility for subcontractors

If one of the parties engages subcontractors to fulfil its part of the agreement, that party remains responsible for carrying out the agreement as described, as if it had fulfilled the agreement itself. The Processor may engage subcontractors only with prior written consent from Ahus. Subcontractors must sign a statement confirming that they will comply with the agreement, including the provisions on secrecy, and with the Code of Conduct.

13 Transfer of the Agreement

If other Norwegian governmental institutions take over the agreement from Ahus, in whole or in part, the agreement remains valid on the same conditions. The Processor may claim that its costs related to this be covered by Ahus. The Processor may transfer the agreement with the prior written acceptance of Ahus; acceptance may only be withheld on reasonable grounds. Economic claims related to the transfer of this Agreement are permitted, but the Processor remains obliged to carry out its obligations as described in the agreement until its successor is able to take over in full.

14 Choice of law and legal venue

This agreement is subject to Norwegian jurisdiction, and the parties agree on the District Court of Nedre Romerike as the legal venue. This also applies after termination of the agreement.

15 Law relevant to the Agreement

o Act 2014-06-20-43, Act relating to personal health data filing systems and the processing of health data; called the Personal Health Data Filing System Act
o Secondary Law on Personal Data, 2000-12-15-1265
o Act 2000-04-14-31 relating to the processing of personal data; called the Personal Data Act
o Code of conduct for information security in the healthcare, care and social services sector (Normen, called the Code), www.normen.no. The Code is primarily based on the requirements of the privacy and health legislation to establish satisfactory information security for systems containing health and personal data, as described and agreed upon by the individual organizations and the sector in general.

16 Signing

This agreement has been drawn up in two (2) copies, of which the parties retain one copy each.

Nordbyhagen, the ....

Akershus University Hospital HF (signature)
Assistant Managing Director Tone Ikdahl
Director of Research and Innovation Tormod Fladby

Processor (signature)
Position: ..
Name: (in typed letters)

Position: ..
Name: