Standard Terms & Conditions
These standard terms and conditions apply to the agreement between:
Us, New Healthcare Solutions Ltd, a company incorporated in Scotland (registration number SC507046) having its registered office at 39 Hanover Street, Edinburgh, EH2 2PJ (the “Provider”); and
You, the customer named on Schedule 1 (the “Customer”).
1 – Definitions & Interpreting this Document
1. In this Agreement, except to the extent expressly provided otherwise:
Account
Means an account enabling a person to access and use the Hosted Services, including both administrator accounts and user accounts;
Agreement
Means this agreement including any Schedules, and any amendments to this Agreement from time to time; including:
• Schedule 1 – Hosted Services particulars
• Schedule 2 – Acceptable Use Policy
Business Day
Means any weekday other than a bank or public holiday in Scotland;
Business Hours
Means the hours of 09:00 to 17:00 GMT/BST on a Business Day;
Charges
Means the following amounts:
a. The amounts specified in Part 2 of Schedule 1 (Hosted Services particulars); and
b. Such amounts as may be agreed in writing by the parties from time to time;
Customer Confidential Information
Means:
a. Any information disclosed by or on behalf of the Customer to the Provider during the Term (whether disclosed in writing, orally or otherwise) that at the time of disclosure:
i. Was marked or described as “confidential”; or
ii. Should have been reasonably understood by the Provider to be confidential;
Customer Data
Means all data, including Customer Personal Data, works and materials: uploaded to or stored on the Platform by the Customer; transmitted by the Platform at the instigation of the Customer; supplied by the Customer to the Provider for uploading to, transmission by or storage on the Platform; or generated by the Platform as a result of the use of the Hosted Services by the Customer;
Customer Personal Data
Means any Personal Data that is processed by the Provider on behalf of the Customer in relation to this Agreement;
Data Protection Laws
Means, for the purposes of this Agreement, the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and any other laws applicable in the United Kingdom or the European Union from time to time that relate to data protection, privacy or the use of information relating to individuals;
Documentation
Means the documentation for the Hosted Services produced by the Provider and delivered or made available by the Provider to the Customer;
Effective Date
Means the date of execution of this Agreement;
Force Majeure Event
Means an event, or a series of related events, that is outside the reasonable control of the party affected (including failures of the internet or any public telecommunications network, hacker attacks, denial of service attacks, virus or other malicious software attacks or infections, power failures, industrial disputes affecting any third party, changes to the law, disasters, explosions, fires, floods, riots, terrorist attacks and wars);
Hosted Services
Means Novacare | recruit, as specified in the Hosted Services Specification, which will be made available by the Provider to the Customer as a service via the internet in accordance with this Agreement;
Hosted Services Defect
Means a defect, error or bug in the Platform having a material adverse effect on the appearance, operation, functionality or performance of the Hosted Services, but excluding any defect, error or bug caused by or arising as a result of:
a. Any act or omission of the Customer or any person authorised by the Customer to use the Platform or Hosted Services;
b. Any use of the Platform or Hosted Services contrary to the Documentation, whether by the Customer or by any person authorised by the Customer;
c. A failure of the Customer to perform or observe any of its obligations in this Agreement; and/or
d. An incompatibility between the Platform or Hosted Services and any other system, network, application, program, hardware or software not specified as compatible in the Hosted Services Specification;
Hosted Services Specification
Means the specification for the Platform and Hosted Services set out in Part 1 of Schedule 1 (Hosted Services particulars) and in the Documentation;
Intellectual Property Rights
Means all intellectual property rights wherever in the world, whether registrable or unregistrable, registered or unregistered, including any application or right of application for such rights (and these “intellectual property rights” include copyright and related rights, database rights, confidential information, trade secrets, know-how, business names, trade names, trademarks, service marks, passing off rights, unfair competition rights, patents, petty patents, utility models, semi-conductor topography rights and rights in designs);
Maintenance Services
Means the general maintenance of the Platform and Hosted Services, and the application of Updates and Upgrades;
Mobile App
Means the mobile application linked to the Hosted Service that is made available by the Provider through the Google Play Store and the Apple App Store;
Personal Data
Has the meaning given to it in the GDPR;
Platform
Means the platform managed by the Provider and used by the Provider to provide the Hosted Services, including the application and database software for the Hosted Services, the system and server software used to provide the Hosted Services, and the computer hardware on which that application, database, system and server software is installed;
Schedule
Means any schedule referred to or attached to the main body of this Agreement;
Services
Means any services that the Provider provides to the Customer, or has an obligation to provide to the Customer, under this Agreement;
Support Services
Means support in relation to the use of, and the identification and resolution of errors in, the Hosted Services, but shall not include the provision of training services;
Supported Web Browser
Means the current release from time to time of Microsoft Edge or Google Chrome;
Term
Means the term of this Agreement, commencing in accordance with Clause 2.1 and ending in accordance with Clause 2.2. Our minimum term is usually 12 months;
Update
Means a hotfix, patch or minor version update to any Platform software;
Upgrade
Means a major version upgrade of any Platform software.
2 – Term
1. This Agreement shall come into force upon the Effective Date as identified in Schedule 1.
2. This Agreement shall continue in force for a minimum period as identified in Schedule 1, and indefinitely thereafter, subject to termination in accordance with Clause 17 or any other provision of this Agreement.
3 – Hosted Services
1. The Provider shall create an Account for the Customer and shall provide to the Customer login details for that Account on or promptly following the Effective Date.
2. The Provider hereby grants to the Customer a worldwide, non-exclusive right to use the Hosted Services by means of a Supported Web Browser for the internal business purposes of the Customer in accordance with the Documentation during the Term.
3. The rights granted by the Provider to the Customer under Clause 3.2 are subject to the following limitations:
a. The Hosted Services may only be used by the officers, employees, agents and subcontractors of the Customer; and
b. The Hosted Services may only be used by the named users identified in Schedule 1 (Hosted Services particulars), providing that the Customer may change, add or remove a designated named user in accordance with the procedure set out therein.
4. Except to the extent expressly permitted in this Agreement or required by law on a non-excludable basis, the rights granted by the Provider to the Customer under Clause 3.2 are subject to the following prohibitions:
a. The Customer must not sub-license its right to access and use the Hosted Services;
b. The Customer must not permit any unauthorised person to access or use the Hosted Services;
c. The Customer must not access all or any part of the Hosted Services in order to build a product or service which competes with the Hosted Services;
d. The Customer must not attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Platform;
e. The Customer must not use the Hosted Services to provide services to third parties;
f. The Customer must not republish or redistribute any content or material from the Hosted Services; and
g. The Customer must not make any alteration to the Platform.
5. The Customer shall use reasonable endeavours, including reasonable security measures relating to Account access details, to ensure that no unauthorised person may gain access to the Hosted Services using an Account.
6. The Provider shall use reasonable endeavours to maintain the availability of the Hosted Services to the Customer at the gateway between the public internet and the network of the hosting services provider for the Hosted Services but does not guarantee 100% availability.
7. For the avoidance of doubt, downtime caused directly or indirectly by any of the following shall not be considered a breach of this Agreement:
a. A Force Majeure Event;
b. A fault or failure of the internet or any public telecommunications network;
c. A fault or failure of the Customer’s computer systems or networks;
d. Any breach by the Customer of this Agreement; or
e. Scheduled maintenance carried out in accordance with this Agreement.
8. The Customer must comply with Schedule 2 (Acceptable Use Policy) and must ensure that all persons using the Hosted Services with the authority of the Customer or by means of an Account comply with Schedule 2 (Acceptable Use Policy).
9. The Customer must not use the Hosted Services in any way that causes, or may cause, damage to the Hosted Services or Platform or impairment of the availability or accessibility of the Hosted Services.
10. The Customer must not use the Hosted Services:
a. In any way that is unlawful, illegal, fraudulent or harmful; or
b. In connection with any unlawful, illegal, fraudulent or harmful purpose or activity.
11. For the avoidance of doubt, the Customer has no right to access the software code (including object code, intermediate code and source code) of the Platform, either during or after the Term.
12. The Provider may suspend the provision of the Hosted Services if any amount due to be paid by the Customer to the Provider under this Agreement is overdue, and the Provider has given to the Customer at least 30 days’ written notice, following the amount becoming overdue, of its intention to suspend the Hosted Services on this basis.
4 – Maintenance Services
1. The Provider shall provide the Maintenance Services to the Customer during the Term.
2. The Provider shall where practicable give to the Customer notice of scheduled Maintenance Services that are likely to affect the availability of the Hosted Services or are likely to have a material negative impact upon the Hosted Services, without prejudice to the Provider’s other notice obligations under the main body of this Agreement.
3. The Provider shall use its reasonable endeavours to provide to the Customer no less than three Business Days’ written notice of the application of an Upgrade to the Platform.
4. The Provider shall endeavour to give the Customer written notice of the application of any security Update to the Platform and written notice of the application of any non-security Update to the Platform.
5. The Provider shall provide the Maintenance Services with reasonable skill and
6. The Provider may suspend the provision of the Maintenance Services if any amount due to be paid by the Customer to the Provider under this Agreement is overdue, and the Provider has given to the Customer at least 30 days’ written notice, following the amount becoming overdue, of its intention to suspend the Maintenance Services on this basis.
5 – Support Services
1. The Provider shall provide the Support Services to the Customer during the Term. Support Services shall include guidance on the use of the Services, assistance with system errors and general enquiries. Support Services will be provided during business hours Monday – Friday, 09:00 to 17:00, excluding public holidays.
2. The Provider shall make available to the Customer a helpdesk in accordance with the provisions of the main body of this Agreement.
3. The Provider shall provide the Support Services with reasonable skill and care.
4. The Customer may use the helpdesk for the purposes of requesting and, where applicable, receiving the Support Services; and the Customer must not use the helpdesk for any other purpose.
5. The Provider shall respond promptly to all requests for Support Services made by the Customer through the helpdesk.
6. The Provider may suspend the provision of the Support Services if any amount due to be paid by the Customer to the Provider under this Agreement is overdue, and the Provider has given to the Customer at least 30 days’ written notice, following the amount becoming overdue, of its intention to suspend the Support Services on this basis.
6 – Customer Data
1. The Customer hereby grants to the Provider a non-exclusive license to copy, reproduce, store, distribute, publish, export, adapt, edit and translate the Customer Data to the extent reasonably required for the performance of the Provider’s obligations and the exercise of the Provider’s rights under this Agreement. The Customer also grants to the Provider the right to sub-license these rights to its hosting, connectivity and telecommunications service providers to the extent reasonably required for the performance of the Provider’s obligations and the exercise of the Provider’s rights under this Agreement, subject always to any express restrictions elsewhere in this Agreement.
2. The Customer warrants to the Provider that the Customer Data will not infringe the Intellectual Property Rights or other legal rights of any person, and will not breach the provisions of any law, statute or regulation, in any jurisdiction and under any applicable law.
3. The Provider shall create a back-up copy of the Customer Data at least daily, shall ensure that each such copy is sufficient to enable the Provider to restore the Hosted Services to the state they were in at the time the back-up was taken, and shall retain and securely store each such copy for a minimum period of 14 days.
4. Within the period of 3 Business Days following receipt of a written request from the Customer, the Provider shall use all reasonable endeavours to restore to the Platform the Customer Data stored in any back-up copy created and stored by the Provider in accordance with Clause 6.3. The Customer acknowledges that this process will overwrite the Customer Data stored on the Platform prior to the restoration.
7 – Mobile App
The parties acknowledge and agree that the use of the Mobile App, the parties’ respective rights and obligations in relation to the Mobile App and any liabilities of either party arising out of the use of the Mobile App shall be subject to separate terms and conditions, and accordingly this Agreement shall not govern any such use, rights, obligations or liabilities.
8 – No assignation of Intellectual Property Rights
1. All Intellectual Property Rights in the Services are owned by or validly licensed to the Provider.
2. Nothing in this Agreement shall operate to assign or transfer any Intellectual Property Rights from the Provider to the Customer, or from the Customer to the Provider.
9 – Charges
1. The Customer shall pay the Charges to the Provider in accordance with this Agreement.
2. If the Charges are based in whole or part upon the time spent by the Provider performing the Services, the Provider must obtain the Customer’s written consent before performing Services that result in any estimate of time-based Charges given to the Customer being exceeded or any budget for time-based Charges agreed by the parties being exceeded; and unless the Customer agrees otherwise in writing, the Customer shall not be liable to pay to the Provider any Charges in respect of Services performed in breach of this Clause 9.2.
3. All amounts stated in or in relation to this Agreement are, unless the context requires otherwise, stated exclusive of any applicable value added taxes, which will be added to those amounts and payable by the Customer to the Provider. The Provider may elect to vary any element of the Charges by giving to the Customer not less than 30 days’ written notice of the variation expiring on any anniversary of the date of execution of this Agreement.
10 – Payments
1. The Provider shall issue invoices for the Charges to the Customer in advance of the period to which they relate. Recurring payments may be set monthly, quarterly or annually as agreed with you in Schedule 1. We do not offer refunds.
2. The Customer must pay the Charges to the Provider within the period of 7 days following the issue of an invoice in accordance with this Clause 10, providing that the Charges must in all cases be paid before the commencement of the period to which they relate.
3. The Customer must pay the Charges by debit card, credit card, direct debit or bank transfer (using such payment details as are notified by the Provider to the Customer from time to time).
4. If the Customer does not pay any amount properly due to the Provider under this Agreement, the Provider may:
a. Charge the Customer interest on the overdue amount at the rate of 8% per annum above the Bank of England base rate from time to time (which interest will accrue daily until the date of actual payment and be compounded at the end of each calendar month); or
b. Claim interest and statutory compensation from the Customer pursuant to the Late Payment of Commercial Debts (Interest) Act 1998.
11 – Provider’s confidentiality obligations
1. The Provider must:
a. Keep the Customer Confidential Information strictly confidential;
b. Not disclose the Customer Confidential Information to any person without the Customer’s prior written consent;
c. Use the same degree of care to protect the confidentiality of the Customer Confidential Information as the Provider uses to protect the Provider’s own confidential information of a similar nature, being at least a reasonable degree of care; and
d. Act in good faith at all times in relation to the Customer Confidential Information.
2. Notwithstanding Clause 11.1, the Provider may disclose the Customer Confidential Information to the Provider’s officers, employees, professional advisers, insurers, agents and subcontractors who are bound by a written agreement or professional obligation to protect the confidentiality of the Customer Confidential Information.
3. This Clause 11 imposes no obligations upon the Provider with respect to Customer Confidential Information that:
a. Is known to the Provider before disclosure under this Agreement and is not subject to any other obligation of confidentiality;
b. Is or becomes publicly known through no act or default of the Provider; or
c. Is obtained by the Provider from a third party in circumstances where the Provider has no reason to believe that there has been a breach of an obligation of confidentiality.
4. The restrictions in this Clause 11 do not apply to the extent that any Customer Confidential Information is required to be disclosed by any law or regulation, by any judicial or governmental order or request, or pursuant to disclosure requirements relating to the listing of the stock of the Provider on any recognised stock exchange.
5. The provisions of this Clause 11 shall continue in force for a period of 1 year following the termination of this Agreement, at the end of which period they will cease to have effect.
12 – Data protection
1. Each party shall comply with the Data Protection Laws with respect to the processing of the Customer Personal Data.
2. The parties acknowledge that for the purposes of the Data Protection Laws both parties are controllers of the Customer Personal Data.
3. The Customer warrants to the Provider that it has the legal right to disclose all Personal Data that it does in fact disclose to the Provider under or in connection with this Agreement.
4. Both parties agree to provide reasonable assistance to the other party in responding to any request from a data subject (including any exercise of a data subject’s rights under the Data Protection Laws) and in ensuring compliance with the other party’s obligations under the Data Protection Laws with respect to security, breach notifications, and consultations with supervisory authorities or regulators.
13 – Warranties
1. The Provider warrants to the Customer that:
a. The Provider has the legal right and authority to enter into this Agreement and to perform its obligations under this Agreement; and
b. The Provider will comply with all applicable legal and regulatory requirements applying to the exercise of the Provider’s rights and the fulfilment of the Provider’s obligations under this Agreement.
2. The Provider warrants to the Customer that:
a. The Platform and Hosted Services will conform in all material respects with the Hosted Services Specification;
b. The application of Updates and Upgrades to the Platform by the Provider will not introduce any Hosted Services Defects into the Hosted Services; and
c. The Platform will incorporate security features reflecting the requirements of good industry practice.
3. If the Provider reasonably determines, or any third party alleges, that the use of the Hosted Services by the Customer in accordance with this Agreement infringes any person’s Intellectual Property Rights, the Provider may at its own cost and expense:
a. Modify the Hosted Services in such a way that they no longer infringe the relevant Intellectual Property Rights; or
b. Procure for the Customer the right to use the Hosted Services in accordance with this Agreement.
4. The Customer warrants to the Provider that it has the legal right and authority to enter into this Agreement and to perform its obligations under this Agreement.
5. All of the parties’ warranties in respect of the subject matter of this Agreement are expressly set out in this Agreement. To the maximum extent permitted by applicable law, no other warranties or representations concerning the subject matter of this Agreement will be implied into this Agreement or any related contract.
14 – Acknowledgements and warranty limitations
1. The Customer acknowledges that complex software is never wholly free from defects, errors and bugs; and subject to the other provisions of this Agreement, the Provider gives no warranty or representation that the Hosted Services will be wholly free from defects, errors and bugs.
2. The Customer acknowledges that complex software is never entirely free from security vulnerabilities; and subject to the other provisions of this Agreement, the Provider gives no warranty or representation that the Hosted Services will be entirely secure.
3. The Customer acknowledges that the Hosted Services are designed to be compatible only with that software and those systems specified as compatible in the Hosted Services Specification; and the Provider does not warrant or represent that the Hosted Services will be compatible with any other software or systems.
4. The Customer acknowledges that the Provider will not provide any legal, financial, accountancy or taxation advice under this Agreement or in relation to the Hosted Services; and, except to the extent expressly provided otherwise in this Agreement, the Provider does not warrant or represent that the Hosted Services or the use of the Hosted Services by the Customer will not give rise to any legal liability on the part of the Customer or any other person.
5. The Customer acknowledges that this Agreement shall not prevent the Provider from entering into similar agreements with third parties, or from independently developing, using, selling or licensing documentation, products and/or services which are similar to those provided under this Agreement.
15 – Limitations and exclusions of liability
1. Nothing in this Agreement will:
a. Limit or exclude any liability for death or personal injury resulting from negligence;
b. Limit or exclude any liability for fraud or fraudulent misrepresentation;
c. Limit any liabilities in any way that is not permitted under applicable law; or
d. Exclude any liabilities that may not be excluded under applicable law.
2. The limitations and exclusions of liability set out in this Clause 15 and elsewhere in this Agreement:
a. Are subject to Clause 15.1; and
b. Govern all liabilities arising under this Agreement or relating to the subject matter of this Agreement, including liabilities arising in contract, in tort (including negligence) and for breach of statutory duty, except to the extent expressly provided otherwise in this Agreement.
3. Neither party shall be liable to the other party in respect of any losses arising out of a Force Majeure Event.
4. Neither party shall be liable to the other party in respect of any loss of profits or anticipated savings.
5. Neither party shall be liable to the other party in respect of any loss of revenue or income.
6. Neither party shall be liable to the other party in respect of any loss of use or production.
7. The Provider shall not be liable to the Customer in respect of any loss of business, contracts or opportunities.
8. Neither party shall be liable to the other party in respect of any loss or corruption of any data, database or software; providing that this Clause 15.8 shall not protect the Provider unless the Provider has fully complied with its obligations under Clause 6.3 and Clause 6.4.
9. Neither party shall be liable to the other party in respect of any special, indirect or consequential loss or damage.
10. The Provider’s total aggregate liability to the Customer, whether in contract, negligence, breach of statutory duty, or otherwise, arising under or in connection with this Agreement shall be limited to the sum of £10,000.
16 – Force Majeure Event
1. If a Force Majeure Event gives rise to a failure or delay in either party performing any obligation under this Agreement (other than any obligation to make a payment), that obligation will be suspended for the duration of the Force Majeure Event.
2. A party that becomes aware of a Force Majeure Event which gives rise to, or which is likely to give rise to, any failure or delay in that party performing any obligation under this Agreement, must:
a. Promptly notify the other; and
b. Inform the other of the period for which it is estimated that such failure or delay will continue.
3. A party whose performance of its obligations under this Agreement is affected by a Force Majeure Event must take reasonable steps to mitigate the effects of the Force Majeure Event.
17 – Termination
1. Either party may terminate this Agreement at completion of the first 90 days by giving to the other party at least 14 days’ written notice prior to the 90 days being reached.
2. Either party may terminate this Agreement by giving to the other party at least 90 days’ written notice of termination after the minimum period as stated under Clause 2.2.
3. Either party may terminate this Agreement immediately by giving written notice of termination to the other party if:
a. The other party:
i. Is dissolved;
ii. Ceases to conduct all (or substantially all) of its business;
iii. Is or becomes unable to pay its debts as they fall due;
iv. Is or becomes insolvent or is declared insolvent; or
v. Convenes a meeting or makes or proposes to make any arrangement or composition with its creditors;
b. An administrator, administrative receiver, liquidator, receiver, trustee, manager or similar is appointed over any of the assets of the other party; or
c. An order is made for the winding up of the other party, or the other party passes a resolution for its winding up (other than for the purpose of a solvent company reorganisation where the resulting entity will assume all the obligations of the other party under this Agreement).
18 – Effects of termination
1. Upon the termination of this Agreement, all of the provisions of this Agreement shall cease to have effect, save that the following provisions of this Agreement shall survive and continue to have effect (in accordance with their express terms or otherwise indefinitely): Clauses 1, 3.11, 8, 10.2, 10.4, 11, 12, 15, 18, 19, 21 and 22.
2. Except to the extent that this Agreement expressly provides otherwise, the termination of this Agreement shall not affect the accrued rights of either party.
3. Within 30 days following the termination of this Agreement for any reason:
a. The Customer must pay to the Provider any Charges in respect of Services provided to the Customer before the termination of this Agreement; and
b. The Provider must refund to the Customer any Charges paid by the Customer to the Provider in respect of Services that were to be provided to the Customer after the termination of this Agreement,
without prejudice to the parties’ other legal rights.
19 – Notices
1. Any notice from one party to the other party under this Agreement must be given by one of the following methods (using the relevant contact details set out in Clause 19.2 and Part 3 of Schedule 1 (Hosted Services particulars)):
a. Delivered personally or sent by courier, in which case the notice shall be deemed to be received upon delivery; or
b. Sent by email, in which case the notice shall be deemed to be received upon sending; or
c. Sent by recorded signed-for post, in which case the notice shall be deemed to be received 2 Business Days following posting,
providing that, if the stated time of deemed receipt is not within Business Hours, then the time of deemed receipt shall be when Business Hours next begin after the stated time.
2. The Provider’s contact details for notices under this Clause 19 are as follows:
New Healthcare Solutions
39 Hanover Street
3. The addressee and contact details set out in Clause 19.2 and Part 1 of Schedule 1 (Hosted Services particulars) may be updated from time to time by a party giving written notice of the update to the other party in accordance with this Clause 19.
20 – Subcontracting
Subject to any express restrictions elsewhere in this Agreement, the Provider may subcontract any of its obligations under this Agreement.
The Provider shall remain responsible to the Customer for the performance of any subcontracted obligations.
Notwithstanding the provisions of this Clause 20 but subject to any other provision of this Agreement, the Customer acknowledges and agrees that the Provider may subcontract to any reputable third-party hosting business the hosting of the Platform and the provision of services in relation to the support and maintenance of elements of the Platform.
21 – General
1. No breach of any provision of this Agreement shall be waived except with the express written consent of the party not in breach.
2. If any provision of this Agreement is determined by any court or other competent authority to be unlawful and/or unenforceable, the other provisions of this Agreement will continue in effect. If any unlawful and/or unenforceable provision would be lawful or enforceable if part of it were deleted, that part will be deemed to be deleted, and the rest of the provision will continue in effect (unless that would contradict the clear intention of the parties, in which case the entirety of the relevant provision will be deemed to be deleted).
3. This Agreement may not be varied except by a written document signed by or on behalf of each of the parties.
4. Neither party may without the prior written consent of the other party assign, transfer, charge, license or otherwise deal in or dispose of any contractual rights or obligations under this Agreement.
5. This Agreement is made for the benefit of the parties and is not intended to benefit any third party or be enforceable by any third party. The rights of the parties to terminate, rescind, or agree any amendment, waiver, variation or settlement under or relating to this Agreement are not subject to the consent of any third party.
6. Subject to Clause 15.1, this Agreement shall constitute the entire agreement between the parties in relation to the subject matter of this Agreement, and shall supersede all previous agreements, arrangements and understandings between the parties in respect of that subject matter.
7. This Agreement shall be governed by and construed in accordance with Scottish law.
8. The courts of Scotland shall have exclusive jurisdiction to adjudicate any dispute arising under or in connection with this Agreement.
22 – Interpretation
1. In this Agreement, a reference to a statute or statutory provision includes a reference to:
a. That statute or statutory provision as modified, consolidated and/or re-enacted from time to time; and
b. Any subordinate legislation made under that statute or statutory provision.
2. The Clause headings do not affect the interpretation of this Agreement.
3. References in this Agreement to “calendar months” are to the 12 named periods (January, February and so on) into which a year is divided.
4. In this Agreement, general words shall not be given a restrictive interpretation by reason of being preceded or followed by words indicating a particular class of acts, matters or things.
5. The terms “controller”, “process”, “data subject”, “personal data breach” and “supervisory authority” shall, unless the context otherwise requires, each have the respective meanings given to them in the GDPR.
Schedule 2 – Acceptable Use Policy
Version 1.0, Effective from 1 April 2019
1 – Introduction
1. This acceptable use policy (the “Policy”) sets out the rules governing:
a. The use of the website at https://recruit.nova-care.uk, any successor website, and the services available on that website or any successor website (the “Services”); and
b. The transmission, storage and processing of content by you, or by any person on your behalf, using the Services (“Content”).
2. References in this Policy to “you” are to any customer for the Services and any individual user of the Services (and “your” should be construed accordingly); and references in this Policy to “us” are to New Healthcare Solutions (and “we” and “our” should be construed accordingly).
3. By using the Services, you agree to the rules set out in this Policy.
4. We will ask for your express agreement to the terms of this Policy before you upload or submit any Content or otherwise use the Services.
5. You must be at least 18 years of age to use the Services; and by using the Services, you warrant and represent to us that you are at least 18 years of age.
2 – General usage rules
1. You must not use the Services in any way that causes, or may cause, damage to the Services or impairment of the availability or accessibility of the Services.
2. You must not use the Services:
a. In any way that is unlawful, illegal, fraudulent, deceptive or harmful; or
b. In connection with any unlawful, illegal, fraudulent, deceptive or harmful purpose or activity.
3. You must ensure that all Content complies with the provisions of this Policy.
3 – Unlawful Content
1. Content must not be illegal or unlawful, must not infringe any person’s legal rights, and must not be capable of giving rise to legal action against any person (in each case in any jurisdiction and under any applicable law).
2. Content, and the use of Content by us in any manner licensed or otherwise authorised by you, must not:
a. Be libellous or maliciously false;
b. Be obscene or indecent;
c. Infringe any copyright, moral right, database right, trademark right, design right, right in passing off, or other intellectual property right;
d. Infringe any right of confidence, right of privacy or right under data protection legislation;
e. Constitute negligent advice or contain any negligent statement;
f. Constitute an incitement to commit a crime, instructions for the commission of a crime or the promotion of criminal activity;
g. Be in contempt of any court, or in breach of any court order;
h. Constitute a breach of racial or religious hatred or discrimination legislation;
i. Be blasphemous;
j. Constitute a breach of official secrets legislation; or
k. Constitute a breach of any contractual obligation owed to any person.
3. You must ensure that Content is not and has never been the subject of any threatened or actual legal proceedings or other similar complaint.
4 – Graphic material
1. Content must be appropriate for all persons who have access to or are likely to access the Content in question, and in particular for children over 12 years of age.
2. Content must not depict violence in an explicit, graphic or gratuitous manner.
3. Content must not be pornographic or sexually explicit.
Factual accuracy
1. Content must not be untrue, false, inaccurate or misleading.
2. Statements of fact contained in Content and relating to persons (legal or natural) must be true; and statements of opinion contained in Content and relating to persons (legal or natural) must be reasonable, be honestly held and indicate the basis of the opinion.
5 – Negligent advice
1. Content must not consist of or contain any legal, financial, investment, taxation, accountancy, medical or other professional advice, and you must not use the Services to provide any legal, financial, investment, taxation, accountancy, medical or other professional advisory services.
2. Content must not consist of or contain any advice, instructions or other information that may be acted upon and could, if acted upon, cause death, illness or personal injury, damage to property, or any other loss or damage.
6 – Etiquette
1. Content must be appropriate, civil and tasteful, and accord with generally accepted standards of etiquette and behaviour on the internet.
2. Content must not be offensive, deceptive, threatening, abusive, harassing, menacing, hateful, discriminatory or inflammatory.
3. Content must not be liable to cause annoyance, inconvenience or needless anxiety.
4. You must not use the Services to send any hostile communication or any communication intended to insult, including such communications directed at a particular person or group of people.
5. You must not use the Services for the purpose of deliberately upsetting or offending others.
6. You must not unnecessarily flood the Services with material relating to a particular subject or subject area, whether alone or in conjunction with others.
7. You must ensure that Content does not duplicate other content available through the Services.
8. You must ensure that Content is appropriately categorised.
9. You should use appropriate and informative titles for all Content.
10. You must at all times be courteous and polite to other users of the Services.
7 – Marketing and spam
1. You must not use the Services for any purpose relating to the marketing, advertising, promotion, sale or supply of any product, service or commercial offering.
2. Content must not constitute or contain spam, and you must not use the Services to store or transmit spam – which for these purposes shall include all unlawful marketing communications and unsolicited commercial communications.
3. You must not send any spam to any person using any email address or other contact details made available through the Services or that you find using the Services.
4. You must not use the Services to promote, host or operate any chain letters, Ponzi schemes, pyramid schemes, matrix programs, multi-level marketing schemes, “get rich quick” schemes or similar letters, schemes or programs.
5. You must not use the Services in any way which is liable to result in the black-listing of any of our IP addresses.
8 – Monitoring
You acknowledge that we may actively monitor the Content and the use of the Services.
9 – Data mining
You must not conduct any systematic or automated data scraping, data mining, data extraction or data harvesting, or other systematic or automated data collection activity, by means of or in relation to the Services.
10 – Hyperlinks
You must not link to any material using or by means of the Services that would, if it were made available through the Services, breach the provisions of this Policy.
11 – Harmful software
1. The Content must not contain or consist of, and you must not promote, distribute or execute by means of the Services, any viruses, worms, spyware, adware or other harmful or malicious software, programs, routines, applications or technologies.
2. The Content must not contain or consist of, and you must not promote, distribute or execute by means of the Services, any software, programs, routines, applications or technologies that will or may have a material negative effect upon the performance of a computer or introduce material security risks to a computer.
The purpose of this Policy is to outline how New Healthcare Solutions Ltd (trading as “Novacare”) has established measures to maintain compliance with the EU General Data Protection Regulation (hereinafter referred to as the “GDPR”). The Policy contains two components:
Section 2.0 – Measures to reinforce accountability and governance.
Section 3.0 – Measures to demonstrate the protection of information rights of the data subject.
NHS supports the right to privacy, including the rights of individuals to control the dissemination and use of personal data that describes them, their personal choices, or life experiences. In the course of its business, it is necessary for NHS to record, store, process, transmit, and otherwise handle private information about individuals.
NHS takes these activities seriously and provides fair, secure, and fully legal systems for the appropriate handling of this private information. All such activities at NHS are intended to be consistent with both generally accepted privacy ethics and standard business practices.
This policy applies to all NHS employees, contractors, temporaries, and consultants, and other workers. All of these people are expected to be familiar with and fully in compliance with these policies. Workers who are not in compliance are subject to disciplinary action up to and including termination.
This policy also applies to outsourcing organisations that perform information-processing services on behalf of NHS. Use of outsourcing organisations to process personal data must always include a contractual commitment to consistently observe these policies and related NHS procedures and standards as specified by the Information Security department. All outsourcing organisations handling personal data provided by NHS must periodically issue certificates of compliance with this policy, and permit NHS to initiate independent audits to determine compliance with this policy.
3 Terms and Definitions
Personal data
Any information relating to an individual. Such data includes name, address, telephone number, social security number, driver’s license number, and personal business transaction details. For example, such a person could be a purchaser of NHS products. The following policies do not apply to statistical reports or other collections of information in which specific natural persons are not identifiable.
Processing of personal data or “processing”
Any operation or set of operations performed on personal data, whether by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, combination, blocking, erasure or destruction.
The NHS manager or executive, who determines the purposes for processing personal data, and who makes decisions about the security mechanisms to be used to protect such personal data.
The NHS manager, or third-party organization manager if processing is outsourced, who processes personal data according to the instructions provided by the Owner.
Any person, partnership, corporation, public authority, government agency, or any other entity other than the individual, Owner, Custodian, and the persons who, under the direct authority of the Owner or the Custodian, are authorized to process the data.
The person, public authority, government agency, or any other entity to whom personal data is disclosed, even if the recipient is a third party.
Any freely-given informed indication of his or her wishes by which the individual signifies his or her agreement to have his or her personal data processed, which may include disclosure.
Any non-employee of NHS who is contractually bound to provide some form of service to NHS.
Any NHS employee or partner who has been authorized to access any NHS electronic information resource.
Specific Policy Requirements
Article 5 of the GDPR requires that personal data shall be:
Processed lawfully, fairly and in a transparent manner in relation to individuals;
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
Kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
In addition, there is a requirement that, “The controller shall be responsible for, and be able to demonstrate, compliance with the principles”.
Accountability and governance
This Policy outlines comprehensive but proportionate governance measures designed to achieve and maintain compliance with the General Data Protection Regulation. These measures have been designed to minimise the risk of breaches and uphold the protection of personal data.
Roles and responsibilities
While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance. NHS is expected to put into place comprehensive but proportionate governance measures.
NHS has defined Simeon Grigorovich as the ‘Data Compliance Officer’. The DCO’s responsibilities include:
Informing and advising NHS and its employees about their obligations to comply with the GDPR and other data protection laws.
Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
Acting as the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).
The DCO reports to the Board of Directors of the relevant entity on a quarterly basis.
The Board’s responsibility is to provide effective governance over NHS’s affairs for the benefit of the shareholders and to balance the interests of its diverse stakeholders, including its customers, employees, international suppliers and communities.
Head of IT will report to the Enterprise Risk Management Committee (ERMC) any Data breach escalated to them. Employees are obligated to report any breach to the DCO of the company as soon as they are aware of it.
The GDPR contains explicit provisions about documenting NHS’s processing activities. NHS must maintain records on several things such as processing purposes, data sharing and retention. NHS may be required to make the records available to the Information Commissioner’s Office (the “ICO”) on request.
Where NHS is a controller for personal data, NHS maintains documentation in a manner consistent with Article 30(1) of the GDPR. Where NHS is processor for personal data, NHS maintains documentation in a manner consistent with Article 30(2) of the GDPR.
If NHS processes special category or criminal conviction and offence data, NHS documents:
The condition for processing under the Data Protection Bill;
The lawful basis for processing; and
Whether the personal data is retained and erased in accordance with NHS Policy.
NHS conducts regular reviews of the personal data processed and updates documentation accordingly.
Data protection by design and default
Under the GDPR, NHS has a general obligation to implement technical and organisational measures to show that NHS has considered and integrated data protection into processing activities.
NHS carries out a Data Protection Impact Assessment (‘DPIA’) (Appendix III) when:
Using new technologies; and
The processing is likely to result in a high risk to the rights and freedoms of individuals.
Processing that is likely to result in a high risk includes (but is not limited to):
Systematic and extensive processing activities, including profiling, where decisions have legal or similarly significant effects on individuals.
Large-scale processing of special categories of data or personal data relating to criminal convictions or offences. This includes processing a considerable amount of personal data at regional, national or supranational level; that affects a large number of individuals; and involves a high risk to rights and freedoms, e.g. based on the sensitivity of the processing activity.
The decision of whether to conduct a DPIA is supported by a documented risk assessment and is endorsed by the DCO.
Lawful basis for processing
Under the GDPR, there are six available lawful bases for processing. NHS has documented the relevant lawful basis for processing and the purpose of that processing in its Information Asset Register.
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever NHS processes personal data:
The individual has given clear consent for you to process their personal data for a specific purpose.
The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
The processing is necessary for you to comply with the law (not including contractual obligations).
The processing is necessary to protect someone’s life.
The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
The lawful basis for processing must be considered and documented in line with the ‘Data Audit’ as detailed in Appendix I of this Policy.
With new systems or processes, NHS must determine the lawful basis and purpose of processing before beginning processing (usually as a part of the DPIA).
The NHS public privacy notice includes the lawful basis for processing as well as the purposes of the processing.
If NHS is processing special category or criminal offence data, both a lawful basis for processing and a special category condition for processing must be documented in the Data Audit document and DPIA.
NHS should document both the lawful basis for processing and the special category condition to demonstrate compliance and accountability.
NHS obtains the consent of prospective candidates to process the employment applications they submit through the website.
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
It requires that appropriate technical or organisational measures are used.
NHS has defined and implemented an IT Security Policy and supporting management system to maintain effective and proportionate security.
The GDPR requires diligence and clarity in entering into third-party relationships. Whether NHS is a processor or controller, there are mandatory requirements relating to the contracts that are in place.
Whenever NHS acts as a controller a written contract must be in place with the processors. Standards to be applied to the contracts have been defined by the Information Commissioner’s Office.
Whenever NHS acts as a processor, NHS must only act on the documented instructions of a controller (as specified in a valid written contract). Standards to be applied to the contracts have been defined and are documented by the Information Commissioner’s Office.
On an annual basis, the DCO will review third party relationships to determine the risk posed by processing. This will be documented as a part of a DPIA.
Based on this assessment, the DCO will determine the most appropriate means to validate that contractual obligations in relation to data processing are being adhered to.
The DCO will present this assessment, and the results of compliance visits, to the Board at least annually.
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
NHS may transfer personal data where the organisation receiving the personal data has provided adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer. Adequate safeguards may be provided for by:
• A legally binding agreement between public authorities or bodies;
• Binding corporate rules (agreements governing transfers made between organisations within a corporate group);
• Standard data protection clauses in the form of template transfer clauses adopted by the Commission;
• Standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the Commission;
• Compliance with an approved code of conduct approved by a supervisory authority;
• Certification under an approved certification mechanism as provided for in the GDPR;
• Contractual clauses authorised by the competent supervisory authority; or
• Provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority.
Requests for international transfer of data must be submitted to the DCO once for each function, and type of document.
The DCO must record requests for international transfer received.
The DCO will consider the DPIA in relation to this transfer and the appropriate means of adopting safeguards.
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority. In some cases, organisations will also have to report certain types of data breach to the individuals affected.
The DCO must be notified of all breaches to this Policy as soon as possible.
The DCO must record breaches and work with the information owner to consider the likely impact of the breach.
Where a breach is considered notifiable to the Information Commissioner, the DCO must immediately inform the Board.
A notifiable breach has to be reported by the DCO to the relevant supervisory authority within 72 hours of NHS becoming aware of it. The notification must contain:
• The nature of the personal data breach including, where possible:
  The categories and approximate number of individuals concerned; and
  The categories and approximate number of personal data records concerned.
• The name and contact details of the data protection officer or other contact point for more information.
• A description of the likely consequences of the personal data breach.
• A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, NHS will notify those concerned directly.
The DCO must present an analysis of breaches and near misses to the board at least annually.
All employees must be trained to recognise and escalate breaches.
Compliance and reporting
Monitoring compliance with the GDPR is a key role of the Data Compliance Officer (‘DCO’). The DCO must also report compliance to the Board.
The DCO is responsible for developing a compliance monitoring plan for this Policy.
The compliance monitoring plan should be submitted to the Board for approval at least annually.
Progress in delivering the plan, exceptions noted, breaches and near misses, and updates on progress to address material deviations from compliance with the Policy must be reported by the DCO to the Board at least quarterly.
Training and awareness
Employee awareness of the GDPR, and their role to protect the privacy of data subjects, is core to NHS’s compliance programme.
Employees must be trained on the requirements of this Policy at least annually through the annual Compliance Training and the induction training for new joiners.
The GDPR provides the following rights for individuals:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling.
Right to be informed
The right to be informed encompasses NHS’s obligation to provide ‘fair processing information’, typically through a privacy notice.
NHS maintains a privacy notice and publishes this publicly (Appendix II).
Right of access
Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.
Under the GDPR, individuals will have the right to obtain:
Confirmation that their data is being processed;
Access to their personal data; and
Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice.
All requests from subjects for access to their data should be submitted immediately to the DCO using the form under Appendix V. The DCO must log the request and will:
• Consider whether the request is manifestly unfounded or excessive;
• Request copies of information held from information owners within NHS;
• Review the information to ensure it does not impair the privacy of another data subject;
• Consider whether the request warrants a fee (if it requires a significant amount of data) and respond to the original request.
A response to the request must be provided without delay and at the latest within one month of receipt. In the event the request is particularly complex or numerous, the period of compliance can be extended by a further two months. If this is the case, the DCO must inform the individual within one month of the receipt of the request and explain why the extension is necessary.
Performance against the response target of one month must be reported to the Board by the DCO at least annually.
Right to rectification
The GDPR gives individuals the right to have personal data rectified if it is inaccurate or incomplete.
Requests for rectification must be treated in the same way as requests for access. The following additional measures will apply:
If NHS has disclosed the personal data in question to third parties, the DCO must inform them of the rectification where possible.
The DCO must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.
The information owner will be responsible for ensuring that requests for rectification are actioned on the information they are responsible for.
The DCO will be responsible for validating whether requests for rectification have been properly addressed.
Right to erasure
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances. These include:
Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
When the individual withdraws consent.
When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
The personal data must be erased in order to comply with a legal obligation.
The personal data is processed in relation to the offer of information society services to a child.
NHS can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
To exercise the right of freedom of expression and information;
To comply with a legal obligation, or for the performance of a public interest task or exercise of official authority;
For public health purposes in the public interest;
Archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
The exercise or defence of legal claims.
Requests for erasure of data should be submitted immediately to the DCO and will follow the same principles as for right to access and right to rectification.
If NHS has disclosed the personal data in question to third parties, the DCO must inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.
Right to restrict processing
Individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, NHS is permitted to store the personal data, but not further process it.
NHS is required to restrict the processing of personal data in the following circumstances:
• Where an individual contests the accuracy of the personal data, NHS should restrict the processing until NHS has verified the accuracy of the personal data.
• Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and NHS is considering whether its legitimate grounds override those of the individual.
• When processing is unlawful, and the individual opposes erasure and requests restriction instead.
• If NHS no longer needs the personal data but the individual requires the data to establish, exercise or defend a legal claim.
Requests to restrict processing will be submitted to the DCO and will follow the same principles as for right to access and right to rectification, with the following additional requirements:
• The DCO must inform individuals when NHS decides to lift a restriction on processing.
Right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
The right to data portability applies:
• To personal data an individual has provided to a controller;
• Where the processing is based on the individual’s consent or for the performance of a contract and when processing is carried out by automated means.
Requests for data under the right to data portability must be submitted to the DCO. The DCO is responsible for recording these and requesting the information from the information owner(s).
The DCO will also review the data to ensure the privacy of other data subjects is not adversely impacted. The DCO will provide the personal data in a structured, commonly used and machine-readable form, submitted using a secure transfer mechanism.
The information will be provided within one month of the original request. Performance against this timescale must be reported by the DCO to the Board at least annually.
Right to object
Individuals have the right to object to:
processing for purposes of scientific/historical research and statistics.
Requests that object to processing must be submitted to the DCO. The DCO is responsible for recording and assessing these. Where instructed by the DCO, NHS must immediately stop processing the personal data unless:
• There are demonstrable and compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
• The processing is for the establishment, exercise or defence of legal claims.
NHS must inform individuals of their right to object “at the point of first communication” and in its privacy notice.
6 Special category data and criminal offences data
Introduction
This section of the policy document deals with the Data Protection Act 2018 (the DPA) in respect of special category data and information about criminal offences, setting out:
• Procedures for securing compliance with the principles in Article 5 of the General Data Protection Regulation (GDPR) and section 35(4) of the DPA – principles relating to processing of personal data – in connection with the processing of personal data in reliance on the condition in question; and
• Policies regarding the retention and erasure of personal data processed in reliance on the condition, giving an indication of how long such personal data is likely to be retained.
Personal data is any information by which a living individual can be identified. Individual identification can be by information alone or in conjunction with other information. Certain categories of personal data have additional legal protections when being processed. These categories are referred to in the legislation as “special category data” and are data concerning:
• Racial or ethnic origin
• Religious or philosophical beliefs
• Trade union membership
• Sex life or sexual orientation
The processing of criminal offence data also has additional legal safeguards. Criminal offence data includes information about criminal allegations, criminal offences, criminal proceedings and criminal convictions.
This policy meets the following requirements of the DPA:
• Paragraph 1 of Schedule 1, requiring that an appropriate policy document be in place where the processing of special category personal information is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection.
• Paragraph 5 of Schedule 1, requiring that an appropriate policy document be in place where the processing of special category personal data is necessary for reasons of substantial public interest. The specific conditions under which data may be processed for reasons of substantial public interest are set out at paragraphs 6 to 28 of Schedule 1 to the DPA.
• Section 42, requiring that an appropriate policy document is in place in respect of processing of personal information for law enforcement purposes.
7 Securing compliance with the principles in Article 5 of GDPR
Article 5 of the GDPR sets out the data protection principles. These are our procedures for ensuring that we comply with them.
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. We will:
• Ensure that personal data is only processed where a lawful basis applies and where processing is otherwise lawful.
• Only process personal data fairly, and ensure that data subjects are not misled about the purposes of any processing.
• Ensure that data subjects receive full privacy information so that any processing of personal data is transparent.
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. We will:
• Only collect personal data for specified, explicit and legitimate purposes, and inform data subjects what those purposes are in a privacy notice.
• Not use personal data for purposes that are incompatible with the purposes for which it was collected. If we use personal data for a new purpose that is compatible, we will inform the data subject first.
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. We will:
• Only collect the minimum personal data that we need for the purpose for which it is collected, and ensure that the data we collect is adequate and relevant.
Personal data shall be accurate and, where necessary, kept up to date. We will:
• Ensure that personal data is accurate, and kept up to date where necessary. We will take particular care to do this where our use of the personal data has a significant impact on individuals.
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. We will:
• Only keep personal data in identifiable form as long as is necessary for the purposes for which it is collected, or where we have a legal obligation to do so. Once we no longer need personal data it shall be deleted or rendered permanently anonymous.
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. We will:
• Ensure that there are appropriate organisational and technical measures in place to protect personal data.
Retention and erasure
We will ensure that, where special category personal data or criminal offences data are processed:
• There is a record of that processing, and that record will set out, where possible, the envisaged time limits for erasure of the different categories of data.
• Data subjects receive full privacy information about how their data will be handled, including the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period.
Where we no longer require special category or criminal convictions personal data for the purpose for which it was collected, we will delete it or render it permanently anonymous.
We retain personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To work out the right retention period for personal data, we consider the following matters:
• The amount, nature, and sensitivity of the personal data.
• The potential risk of harm from unauthorised use or disclosure of personal data.
• The purposes for which we process your personal data and whether we can achieve those purposes through other means; and
• Any legal or regulatory requirements.
Once services are no longer required from us by a person, we will retain and securely destroy their personal information in accordance with our data retention schedule.
Appendix I – Privacy Notice
Monitoring of Internal Activities
In general terms, NHS does not engage in blanket monitoring of internal communications. It does, however, reserve the right at any time to monitor, access, retrieve, read, or disclose internal communications when a legitimate business need exists that cannot be satisfied by other means, the involved individual is unavailable and timing is critical to a business activity, there is reasonable cause to suspect criminal activity or policy violation, or monitoring is required by law, regulation, or third-party agreement.
At any time, NHS may log web sites visited, files downloaded, and related information exchanges over the Internet. NHS may record the numbers dialled for telephone calls placed through its telephone systems. Department managers may receive reports detailing the usage of these and other internal information systems and are responsible for determining that such usage is both reasonable and business-related.
All files and messages stored on NHS processing systems are routinely backed up to tape, disk, and other storage media. This means that information stored on NHS information processing systems, even if a worker has specifically deleted it, is often recoverable and may be examined at a later date by system administrators and others designated by management.
At any time and without prior notice, NHS management reserves the right to examine archived electronic mail, personal computer file directories, hard disk drive files, and other information stored on NHS information processing systems. This information may include personal data. Such examinations are typically performed to assure compliance with internal policies, support the performance of internal investigations, and assist with the management of NHS information processing systems.
Any violation of this policy may result in disciplinary action, up to and including termination of employment. NHS reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. NHS does not consider conduct in violation of this policy to be within an employee’s or partner’s course and scope of employment, or the direct consequence of the discharge of the employee’s or partner’s duties.
Accordingly, to the extent permitted by law, NHS reserves the right not to defend or pay any damages awarded against employees or partners that result from violation of this policy.
Any employee or partner who is requested to undertake an activity which he or she believes is in violation of this policy must provide a written or verbal complaint to his or her manager, any other manager or the Human Resources Department as soon as possible.
ISO 27002 – 15.1.4 Data protection and privacy of personal information.
What are cookies?
Cookies are small text files that get stored on your computer when you visit certain web pages. Local storage is an industry standard technology that allows us to store and retrieve small amounts of data on your computer, mobile phone or other device.
Types of Cookie
We set some cookies directly, and we also make use of some services which set their own cookies. We believe it is important to be clear about any cookies that are being set, so we have provided a list to explain this to you. When you use our website, there are three types of cookies that may be set on your device. Here we explain what these are and why we use them.
These cookies are essential in helping you to make use of the features and services we offer. Without these cookies, the services you want to use cannot be provided. These cookies do not gather information about you that could be used to identify you, and they do not monitor or remember where you have been on the internet.
These cookies allow us to provide you with a better online experience when you use our website. They do not gather or store any information which would allow us to identify you personally.
Performance cookies help us to understand how our customers use our site, so we can keep our products and services relevant, easy to use and up to date. For example, we can see which products and services are most popular, identify when and where errors occur, and test different versions of a page in order to provide an improved online experience.
Sometimes, the services we use to collect this information may be operated by other companies on our behalf. They may use similar technologies to cookies, known as “web beacons” or “tags”. These are anonymous and, as they are only used for statistical purposes, they do not contain or collect any information that identifies you.
1 Who We Are
We are New Healthcare Solutions Ltd (trading as “Novacare”), a company incorporated in Scotland with registered number SC507046 and having our registered office address at 39 Hanover Street, Edinburgh, Scotland, EH2 2PJ
We are a data controller for the purposes of the General Data Protection Regulation (Regulation (EU) 2016/679) and related data protection legislation.
2 How to contact us
If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact us using the details set out below. Initial inquiries should be directed to Mr Stephen Wilson as follows:
By post: 39 Hanover Street, Edinburgh EH2 2PJ
By phone: 0131 510 4003
By email: GDPR@nova-care.uk
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
3 Our commitment
We are committed to protecting your personal data and your privacy. This privacy notice aims to give you information on how we collect and process your personal data.
It is important that you read this privacy notice when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your personal data.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
This version of our privacy notice was last updated on 20 November 2018.
4 To whom does this privacy notice apply?
This privacy notice applies to the following categories of data subjects:
Temporary workers or contractors who have applied to enter into a “contract for services” with our clients through our novacare I recruit platform (“temporary workers”).
Job seekers or other applicants for permanent employment in the public and private sector who have applied to enter into a “contract for services” with our clients through our novacare I recruit platform (“candidates”).
Employees or other representatives of our clients whose personal data we must process in order to fulfil our contractual obligations
Individuals who are our business contacts where the individual or the individual’s organisation supplies goods or services to us, provides professional services, provides a candidate reference, has expressed an interest in us or has any other business relationship with us (including where the individual’s organisation is a public authority, an industry body or regulatory authority or similar) (“business contacts”).
All individuals who visit our website www.nova-care.uk or our social media accounts (“website users”).
This privacy notice does not apply to employees and other current, former or prospective staff of New Healthcare Solutions Ltd. We have separate privacy notices for such purposes.
We do not knowingly collect any personal data relating to children.
6 About the personal data that we collect and process
“Personal data” or “personal information” is any information relating to or about an individual from which that person can be directly or indirectly identified. It does not include data where the identity has been removed (anonymous data).
There are “special categories” of more sensitive personal data which require a higher level of protection. This includes health data, racial or ethnic origin, political or religious affiliations or criminal records.
We may from time to time obtain special categories of personal data (in particular health data) about candidates in the course of providing our services to our clients. We may also from time to time obtain information about “criminal convictions and offences” about candidates. We only obtain such special category data with the consent of the candidate.
The table set out in SCHEDULE 1 summarises the personal data we collect and process, how we use it (“our processing purposes”) and why we use it (“the lawful bases of processing”).
We may also collect, use and share “Aggregated Data” such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific feature of our website. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
7 How is your personal data obtained?
We use different methods to collect personal data from and about you including:
You may give us your identity, contact, financial, transactional or similar personal data when you correspond with us by post, phone, e-mail or otherwise, including when you use our novacare I Recruit platform.
Direct interactions with business contacts and client contacts.
You may give us your identity, contact, financial, transactional and other business-related personal data when you correspond with us, including when:
• You or your organisation negotiate and/or enter into a contract with us; or
• You or your organisation provide services or products to us or you or your organisation receive services from us; or
• You provide a reference for a candidate; or
• You provide us with your business card.
Automated technologies or interactions.
As you interact with our website, we may automatically collect technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, and other similar technologies.
Third parties or publicly available sources.
We may receive personal data about you from various third parties and public sources as set out below:
i. Where you are a client contact or business contact, your organisation or business may provide us with your identity and contact data;
ii. We may obtain identity and contact data from publicly available sources such as social media (such as LinkedIn or Twitter), Companies House or other organisations’ websites;
iii. We may obtain contact, financial and transaction data from providers of payment and credit card services;
iv. We may obtain technical data (relating to the use of our website or novacare I Recruit platform) from analytics providers or search information providers.
8 Failure to provide personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with services). In this case, we may have to cancel a service you have with us but we will notify you if this is the case at the time.
If you are an individual consumer, we will only provide you with direct marketing communications where you have consented to receive such communication or you have contacted us directly to request specific information about our services. You can subscribe to such marketing communications, and you can adjust your marketing preferences at any time by contacting us at GDPR@nova-care.uk
If you represent another business, we may provide you with direct marketing communications where we feel that this may be relevant to your business (provided that you have not opted out of such communications). When we use your personal data for such purposes, we do so on the basis that it is in our legitimate interests to pursue direct marketing, provided that it constitutes fair processing of your personal data to do so.
You can also opt-out or unsubscribe from all or some of these marketing communications at any time by contacting us at GDPR@nova-care.uk
Where you opt out of receiving these marketing communications, this opt-out will not apply to personal data provided to us for any other purpose.
10 Do We Share with Third Parties?
There may be circumstances in which we may also need to share your personal data with certain third parties (strictly on a confidential, business need-to-know basis).
Where you are a candidate, we will share your personal data with our client where you have applied for a job with that client through our Novacare recruit platform.
We will only share your special category personal data with a client with your explicit consent. Please note that if you decline to share any personal data with a potential employer then your application may not be considered.
Other third parties to which we may transfer your personal data include:
• Your business or organisation, for the purpose of providing our services to your business or organisation, or receiving products or services from your business or organisation.
• Service providers acting as processors who provide IT and system administration services.
• Professional advisers including lawyers, bankers, accountants, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
• Any relevant accreditation body or trade association.
• Any relevant regulatory authority or law enforcement agency, including HM Revenue & Customs, courts or tribunals who require reporting of processing activities in certain circumstances.
• Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Any sharing of your personal data will only take place where you have provided your consent, we are legally obliged to do so, where it is necessary for the performance of a contract with you or where it is in our legitimate interests to do so, including as follows:
• To maintain network and information security.
• To provide services to our clients.
• To develop and improve our services in order to remain competitive.
• To establish, protect and defend our legal rights.
• To pursue our commercial objectives where this does not override your rights and freedoms as a data subject.
11 International Transfer of Personal Data
We generally do not transfer your personal data out of the European Economic Area (EEA). However, whenever we are required to transfer your personal data out of the EEA (for example where a client is located outside of the EEA), we ensure a similar degree of protection is afforded to it by ensuring that appropriate safeguards are implemented, including any of the following:
• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
• Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
• Where we use providers based in the USA, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the European Union and the USA. For further details, see European Commission: EU-US Privacy Shield.
• You have provided your explicit consent to the transfer of your personal data outside of the EEA.
• The transfer is necessary for the purposes of performing a contract between us and you.
12 Automated decision making and profiling
We may make automated decisions about you during the assessment stage of the recruitment process. This may result in a candidate being deemed not suitable for a position by means of a solely automated assessment. We only undertake this activity with the candidate’s explicit consent.
13 How long do we retain your personal data?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Please contact us at GDPR@nova-care.uk for further details about our retention periods.
14 Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and the Information Commissioner’s Office of a breach where we are legally required to do so.
15 Your rights
Your personal data is protected by legal rights, which include your rights to:
Request access to your personal data
(commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data that we hold about you.
This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data.
This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, following your request.
Object to processing of your personal data.
Where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes.
Request restriction of processing of your personal data.
This enables you to ask us to suspend the processing of your personal data in the following scenarios: if you want us to establish the data’s accuracy; where our use of the data is unlawful but you do not want us to erase it; where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal data to you or to a third party (data portability).
We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your personal data.
However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of these rights, please contact us at GDPR@nova-care.uk
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
You also have the right to complain to the Information Commissioner’s Office, which regulates the processing of personal data, about how we are processing your personal data.
Personal data will be processed by us where you consent to the processing or where that processing is necessary for 1) the performance of a contract with you; or 2) compliance with a legal obligation to which we are subject; or 3) the purposes of our legitimate interests (or those of a third party).
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us at GDPR@nova-care.uk if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
1 Whose personal data? Website users
Any visitor to our website
What personal data do we collect?
Technical data (including internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website)
Usage data (including information about your visit and how you use our website)
How do we use your personal data?
To improve the user experience and administer the functionality of our website
To respond to general and specific enquiries
Why do we use your personal data?
Necessary for our legitimate interests (to maintain network security and website relevance for visitors to our website)
Necessary to comply with a legal obligation
2 Whose personal data? Temporary workers and candidates
What personal data do we collect?
Identity data (including full name and title, nationality, immigration status, National Insurance (NI) number, tax code and other tax information, date of birth, proof of identity and proof of residence)
Contact data (including business address, email address and telephone numbers)
Employment data (including professional qualifications, employment history, continuous professional development (CPD) undertaken, and re-validation information to ensure you meet the requirements)
Marketing and communications data (including your preferences in receiving marketing from us and your communication preferences)
Special category data (including health data such as sickness leave, parental leave, disability information and any other health data relevant to the position being applied to, or data relating to racial or ethnic origin or other data relevant to equal opportunity monitoring)
Criminal convictions data (including information relating to any unspent criminal convictions or offences)
How do we use your personal data?
For recruitment purposes, pay roll purposes , assignments with clients, health and safety, human resource requirements,regulatory requirements and stat- utory reasons such as HMRC requirements
Why do we use your personal data?
Necessary for us to perform services for you
Necessary to comply with a legal obligation
Where you have consented to receive marketing information
Where we process any special category data, we do soonly with your explicit consent
Where we process any criminal convictions data, we do so only with your explicit consent
3 Whose personal data? Client contacts
Any contact person of an existing or former client
What personal data do we collect?
Identity data (including full name and title)
Contact data (including business address, email address and telephone
Employment data (including job title and role)
Transaction data (including information obtained by providing services to your organisations and other details of our interactions including financial information, correspondence and conversations)
Marketing and communications data (including your preferences in receiv- ing marketing from us and your communication preferences)
How do we use your personal data?
To process and deliver services to your organisation including:
Providing information about our services on request;
Carrying out our services;
Managing payments, fees and charges;
Collecting and recovering money owed to us;
Dealing with any client complaints and receiving feedback;and
Corresponding with you in connection with our services.
To manage our relationship with you as our client contact
To notify your organisation about changes to our terms and conditions or privacy notice
Why do we use your personal data?
Necessary for us to perform contracts with our corporate clients
Necessary for our legitimate interests (to respond to your correspond- ence with us, to keep our records up to date, manage client relationships and to recover debts due to us)
Necessary to comply with a legal obligation
4 Whose personal data? Business contacts
Actual, former or prospective business contacts, including:
Staff or other contacts at our third party suppliers (including professional advisors)
Individuals or representatives of organisations who have expressed an interest in our business, and
Anyone else with whom we have contact in a business context
What personal data do we collect?
Identity data (including full name and title)
Contact data (including business address, email address and telephone num-
Employment (including job title and role, employer)
Transaction data (including details about products and services provided by you (or your organisation) to us, details of payments to and from you (or your organisation) and other details of our interactions including correspondence and conversations)
Marketing and communications data (including your preferences in receiv- ing marketing from us and your communication preferences)
How do we use your personal data?
To manage our business relationships with suppliers and sub-contractors,pro– fessional advisors, regulatory authorities and others, which will include:
Seeking or maintaining business relationships with various organisa– tions, including accreditation and regulatory authorities;
Assessing the suitability of any existing or potential supplier or other business relationship;
Negotiating and entering into appropriate contracts for the supply of goods or services to us, carrying out any obligations under such con- tracts(including obligations of payment)and if necessary enforcing any such contracts;
Undertaking on-going monitoring and management of our relationship with suppliers and other professional and businesscontacts;
Interacting with other organisations or persons (including partners, other advisers or sub-contractors) in the course of providing services to our clients; and
Investigating any complaints or enquiries.
Why do we use your personal data?
Performance of a contract with you (where relevant)
Necessary for ourlegitimate interests (to manage third party relation- ships, to seek supply arrangements appropriate for our business, to run our business efficiently and profitably, to enhance, modify and improve our services,and to pursue our commercial objectives where this does not over ride your rights and freedoms as a data subject)
Necessary to comply with a legal obligation
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us at GDPR@nova-care.uk.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Further details on how we handle special category data are set out in our Special Category Data Policy. Please contact us for further information or a copy of the policy.
Further details on how we handle criminal convictions data are set out in our Criminal Convictions Data Policy. Please contact us for further information or a copy of the policy.