Supplier Privacy & Security Requirements

Definitions

The following terms have the definitions set out below when used in these supplier privacy and security requirement (these “Requirements”):

“Data Protection Legislation” means the Data Protection Act 2018, the General Data Protection Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) (when in force), the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive (2002/58/EC), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) and all applicable laws and regulations relating to the processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner, and any similar legislation put in place as a result of the United Kingdom’s exit from the European Union. References in these Requirements to “data controller”, “data processor”, “processing”, “data protection officer” and “personal data” shall have the same meaning as defined in Data Protection Legislation.

“OH” means any member of the Open Health Group named here OPEN Health | Statutory Details that has entered into a Purchase Order with the Supplier.

“Parties” means OH and the Supplier.

“Personnel” means the Supplier and its personnel who are providing the Services.

“Purchase Order” means the applicable purchase order entered into between OH and the Supplier pursuant to the terms and conditions of which these Requirements are incorporated.

"Regulator" means any regulatory body with responsibility for ensuring compliance with Data Protection Legislation.

“Security Breach” means accidental or deliberate, unauthorised or unlawful acquisition, destruction, loss, alteration, corruption, access, use or disclosure of personal data processed under the Purchase Order or breach of Supplier’s security obligations as set out in these Requirements and the Purchase Order.

“Services” means the Services set out in the relevant Purchase Order.

“Supplier” means the individual or entity that has entered into a Purchase Order.

General Provisions

In these Requirements, unless otherwise specified or the context otherwise requires

• references to statutory provisions shall be construed as references to any statutory modification or re-enactment thereof (whether before on or after the date hereof) for the time being in force and to any former statutory provision replaced (with or without modification) by the provision referred to and shall include all statutory instruments or orders from time to time made pursuant thereto and any replacement legislation required as a result of the exit from the European Union by the United Kingdom;
• references to persons shall include references to any individual, firm, client, corporation, body corporate, government, state or agency of state, trust or foundation, or any association, partnership or unincorporated body of two or more of the foregoing (whether or not having separate legal personality and wherever incorporated or established);
• references to the singular shall include references to the plural and to the masculine shall include references to the feminine and vice versa;
• the headings in these Requirements and the use of underlining are included for convenience only and shall not affect the interpretation or construction of these Requirements; and
• any phrase in these Requirements introduced by the term "include", "including", "in particular" or similar expression will be construed as illustrative and will not limit the sense of the words preceding that term.

Supplier Personnel

The Supplier agrees that with regard to the Supplier’s Personnel and the Supplier’s personal data:

• OH will hold computer records and personnel files relating to Supplier and its Personnel. These may include inter alia references, bank details and remuneration details and other records. OH requires such personal data for personnel, administration and management purposes and to comply with its obligations regarding the keeping of worker records. 
• The Supplier acknowledges and agrees that the Supplier’s name, payment received under the relevant Purchase Order as well as other relevant information, as deemed appropriate by OH, may be disclosed, reported or transferred to a third party if required by applicable law or if otherwise reasonably required by OH.
• The Supplier hereby warrants and confirms that it has made its Personnel aware of all of the terms set out in these Requirements and to the extent required it has obtained its Personnel’s explicit consent to such terms. 
• The Supplier agrees and acknowledges that OH has a legitimate interest to share the Personnel’s experience and/or credentials for marketing purposes to its clients and potential clients and to regulatory authorities, tax authorities (including the Inland Revenue and the MHRA), to any potential purchasers of OH or its business (on a confidential basis) and to its clients and potential new clients (on a confidential basis), and as required by law. The Supplier agrees that OH may transfer such data to and from OH Affiliates and Clients including any of OH Affiliates and Clients located outside the European Economic Area or the United Kingdom.
• It is a condition of the Purchase Order that the Supplier and its Personnel shall comply with these Requirements OH at all times. Failure to do so will entitle OH to terminate the Purchase Order immediately without notice.

Data and Security Requirements

1. When performing the Services and meeting its obligations under the Purchase Order, the Supplier agrees to adhere to the principles of medical confidentiality, relevant regulations and regulatory guidance and all applicable Data Protection Legislation with respect to personal data protection in any relevant countries, including any replacement legislation required in a member state as a result of an exit from the European Union and the following data and security requirements shall apply to such processing activity.
2. The parties acknowledge and agree that in the event the Supplier processes personal data as a data processor or Sub-processor (as defined below) the Purchase Order will identify such processing including the subject matter and duration of the processing; nature and purpose of the processing; the type of personal data being processed; and the categories of data subject. The parties agree that in respect of any personal data processed in connection with such a Purchase Order OH shall be the “data controller” or “processor” (as applicable) and the Supplier shall be the “data processor” or “sub processor”.
3. Each party acknowledges and agrees that each party has respective rights and obligations under applicable Data Protection Legislation. The Supplier shall, at its own expense (except where otherwise expressly stated in this clause) and without prejudice to its other rights or obligations, in respect of its processing of such personal data:
   1. process the personal data only to the extent, and in such a manner, as is necessary for the purposes of the Purchase Order and in accordance with OH’s written instructions from time to time and the Supplier shall not process or permit the processing of the personal data for any other purpose. If the Supplier is unsure as to the parameters of the instructions issued and/or believes that the instructions may conflict with the requirements of Data Protection Legislation or other applicable laws, the Supplier shall immediately contact OH for clarification and where requested provide reasonable details in support of any assertion that the instructions may be in conflict;
   2. only make copies of the personal data in accordance with any limitations on the Purchase Order and to the extent reasonably necessary;
   3. not extract, re-utilise, use, exploit, redistribute, re-disseminate, copy or store the personal data other than as permitted under the terms of the Purchase Order;
   4. comply with its obligations under Data Protection Legislation, including where applicable appointing a data protection officer, and the provisions of OH’s or OH’s client’s IT and data security policies as notified to the Supplier from time to time;
   5. only permit access to personal data to those Supplier personnel who require such access in order to carry out their roles in the performance of the Supplier's obligations under the Purchase Order and ensure the reliability of all personnel and Sub processors who have access to the personal data and shall in particular ensure that any person authorised to process personal data in connection with the Purchase Order is subject to a duty of confidentiality that at a minimum is equal to the duty of confidentiality imposed on the Supplier under the Purchase Order;
   6. not do anything or omit to do anything that may put OH or any member of OH’s group in breach of its obligations under Data Protection Legislation and take such steps as OH may reasonably request from time to time to enable OH to comply with Data Protection Legislation; and
   7. having regard to the state of technological development and the cost of implementing any measures, take appropriate technical and organisational measures against the unauthorised or unlawful processing of personal data and against the accidental loss or destruction of, or damage to personal data, to ensure a level of security appropriate to: a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage of the personal data; and b) the nature of the personal data to be protected. Such measures shall be of at least the minimum standard required by Data Protection Legislation and be of a standard no less than the standards compliant with good industry practice and any specific local regulatory guidance and requirements for the protection of personal data.
4. For the avoidance of doubt, nothing in the Purchase Order shall relieve the Supplier of its responsibilities and liabilities under Data Protection Legislation.

Sub processors

1. The Supplier shall not engage any processor to process personal data (or otherwise sub-contract or outsource the processing of any personal data to a third party) without the prior written consent of OH acting in its sole discretion. Where OH authorises the Supplier to appoint a third party to process the personal data (a “Sub processor”), such authorisation is conditional on the Supplier:
2. entering into a written contract with the Sub processor that is on terms that are compatible with and at least as protective as these Requirements and provides sufficient guarantees to implement appropriate technical and organisation measures in compliance with the Data Protection Legislation; and
3. remaining liable for all acts or omissions of the Sub processors as if they were acts or omissions of the Supplier.

Data Processing Location

The Supplier shall only permit personal data to be processed in locations expressly approved in writing by OH including those locations set out in Purchase Order. The Supplier shall not transfer the personal data outside the European Economic Area or the United Kingdom without the prior written consent of OH. OH acknowledges and agrees that personal data may be transferred to those locations set out in the Purchase Order in accordance with the transfer mechanisms set out in the Purchase Order (“Transfer Mechanism”) provided that the Supplier complies, or procures the relevant third party complies, with its relevant obligations under the relevant Transfer Mechanism. The parties agree that if the relevant Transfer Mechanism ceases to exist or are no longer considered by OH to be a lawful method of transferring personal data outside of the European Economic Area or the United Kingdom, the Supplier shall cease or procure that the relevant third party cease the processing of such personal data until such time as the Supplier has in accordance with OH’s instructions entered into an alternative transfer mechanism to enable the personal data to be transferred outside of the EEA or the United Kingdom in a compliant manner.

Information Management

The Supplier shall return or destroy (as directed in writing by OH) all personal data it has in its possession and promptly delete existing copies unless applicable law requires storage of the personal data. If OH elects for destruction rather than return of the personal data, the Supplier shall as soon as reasonably practicable ensure that all personal data is destroyed and deleted from the Supplier systems and provide a certificate of destruction and /or written confirmation of compliance with this clause within 14 days of request.

Security Breach Response

1. The Supplier shall notify OH without undue delay and in any event within 24 hours of any reasonably suspected Security Breach by emailing dataprivacy@openhealth.co.uk. Such notice shall summarize the impact on OH and any client of OH and corrective actions taken or to be taken by the Supplier.
2. The Supplier shall conduct a reasonable investigation of the reasons for and circumstances of any Security Breach, and take all necessary and advisable actions to rectify, prevent, contain, mitigate and remediate the Security Breach. The Supplier shall collect, preserve and document all evidence regarding the cause, response, remedial actions and impact related to the Security Breach and provide such documentation to OH upon request.
3. The Supplier shall assist and fully cooperate with any internal investigation or external investigation by third parties, including OH’s clients or law enforcement, of a Security Breach, through the provision of information, employees, interviews, materials, databases or any and all other items required to fully investigate and resolve any such incidents. The Supplier agrees to take such remedial actions as the parties mutually agree is required in response to a Security Breach, such agreement not to be unreasonably withheld by the Supplier.
4. The Supplier shall not to disclose without OH’s prior written approval any information related to the suspected Security Breach to any third party other than a third party hired to investigate/mitigate such Security Incident, except as required by law.

Inspection and Audit

1. The Supplier shall:
   1. keep at its normal place of business a written record of personal data processing carried out in the course of the Services and of its compliance with its obligations set out in the Purchase Order (“Records”); and
   2. permit OH, its clients or third-party representatives; or a Regulator or its third party representatives, on reasonable notice during normal business hours, but without notice in case of any reasonably suspected breach of this clause by the Supplier, access to inspect, and take copies of, the Records and any other information held at the Supplier's and/or Sub processors’ premises or on the Supplier’s and/or Sub processors’ systems relating to the Purchase Order, for the purpose of auditing the Supplier's compliance with its obligations under this Schedule. The Supplier shall give all necessary assistance to the conduct of such audits.
2. Upon the provision of reasonable notice, OH or its Clients or other designee may undertake a privacy and security assessment, forensic investigation and/or audit of the Supplier systems and privacy and information security programme. In the event that such inspection or audit finds that the Supplier is not in compliance with this Schedule or applicable Data Protection Legislation, the Supplier shall take all reasonable steps to promptly remedy any breach identified.

Cooperation and Information Requests

1. The Supplier shall:
   1. assist OH by appropriate technical and organisational measures in responding to, and complying with, data subject requests. In particular, the Supplier shall immediately comply with any request from OH requiring Supplier at Supplier’s cost to amend, transfer or delete the personal data, either during or after the currency of the Purchase Order;
   2. at its own expense, without undue delay and in any event within 24 hours of becoming aware notify OH in by emailing dataprivacy@openhealth.co.uk, and provide such co-operation, assistance and information as OH may reasonably require if Supplier receives any complaint, notice or communication which relates directly or indirectly to the processing of the personal data under the Purchase Order or to either party’s or any member of OH’s group compliance with Data Protection Legislation; and
   3. provide OH with full co-operation and assistance in relation to OH’s and its Clients obligations and rights under Data Protection Legislation including providing OH and Regulators (as applicable) with all information and assistance necessary to carry out privacy impact assessments or otherwise to assess or demonstrate compliance by the parties with Data Protection Legislation.
2. In the event the Supplier receives a request, inquiry, complaint, or demand relating to the personal data processed under a Purchase Order by OH or an individual, entity, government or regulatory entity, the Supplier shall respond to OH or notify OH in writing of the third party request and include a copy of the request, within 24 hours, unless prohibited by applicable laws.
3. In the event such request, inquiry, complaint, or demand is from a government or regulatory entity, the Supplier shall disclose to the government or regulatory entity the minimum personal data necessary to comply with law.
4. In the event the request, inquiry, complaint, or demand is from the data subject, the Supplier shall not respond without OH’s prior written approval, unless required by applicable law.
5. The Supplier shall cooperate with OH in the course of any investigation of or claim against OH relating to the processing of personal data, including providing OH access to its relevant internal practices, databases and other records relating to the personal data and the Services being provided.

Rights and Remedies

1. The Supplier, or its representatives, shall be responsible for expenses incurred by OH as a result of a breach of this Schedule, including, without limitation: (i) expenses to provide notice of a Security Breach to affected individuals; (ii) expenses to investigate or remediate a Security Breach or failure to comply with Data Protection Legislation; (iii) expenses to respond to or address any investigation by Clients or regulators or law enforcement.
2. The Supplier shall indemnify OH on demand against all claims, liabilities, costs, expenses, damages and losses (including all interest, penalties and legal costs (calculated on a full indemnity basis) and all other professional costs and expenses) suffered or incurred by OH arising out of the Supplier’s breach of its obligations in this Schedule (“Claims”). Each party acknowledges that Claims include any claim or action brought by a data subject arising from Supplier’s breach of its obligations in this Schedule. Notwithstanding any other provision of the Purchase Order, no cap on the Services Provider’s liability shall apply to a breach of this Schedule by the Supplier.

Miscellaneous

The Supplier’s obligations and OH rights set forth in this Schedule shall continue as long as Supplier, or any third party acting on Supplier’s behalf, processes personal data, including after expiration of the Purchase Order. OH’s subsidiaries (and their Affiliates, subsidiaries, successors and assigns) are third party beneficiaries of this Schedule.