EHCP - Terms and Conditions

This Personal Data Processing Agreement (“Agreement”) sets out the terms, requirements and conditions on which EHCP Limited (“EHCPL”) will Process Personal Data when providing the services.

TERMS

  1. Definitions and Interpretation

    The following definitions and rules of interpretation apply in this Agreement.

    1. Definitions:

      Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).

      Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing: have the meanings given in the Data Protection Legislation.

      Controller: has the meaning given in section 6, DPA 2018.

      Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended;

      Data Subject: the identified or identifiable living individual to whom the Personal Data relates.

      Data Subject Rights: means any of the rights detailed in Chapter III of the UK General Data Protection Regulation (UK GDPR).

      EEA: the European Economic Area.

      Personal Data: means any information relating to an identified or identifiable living individual that is processed by EHCPL on your behalf as a result of, or in connection with, the provision of the services and will have the same meaning as set out in the Data Protection Legislation.

      Processing, processes, processed, process: any activity that involves the use of the Personal Data and will have the same meaning as set out in the Data Protection Legislation.

      Personal Data Breach: a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data.

      Purposes: the services to be provided by EHCPL and any other purpose specifically identified in ANNEX A.

      Records: has the meaning given in Clause 12.

      Term: this Agreement's term as defined in Clause 10.

      UK GDPR: has the meaning given in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.

    2. The Annexes form part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Annexes.
    3. A reference to writing or written excludes fax but not email.
    4. In the case of conflict or ambiguity between any provision contained in the body of this Agreement and any provision contained in the Annexes, the provision in the body of this Agreement will prevail.
  2. Personal data types and processing purposes
    1. You and EHCPL agree and acknowledge that for the purpose of the Data Protection Legislation:
      1. you are the Controller and EHCPL is the Processor.
      2. you retain control of the Personal Data and remain responsible for your compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written Processing instructions you give to EHCPL.
      3. ANNEX A describes the subject matter, duration, nature and purpose of the Processing and the Personal Data categories and Data Subject types in respect of which EHCPL may Process the Personal Data to fulfil the Purposes.
  3. EHCPL's obligations
    1. EHCPL will only Process the Personal Data to the extent, and in such a manner, as is necessary for the Purposes in accordance with your written instructions. EHCPL will not Process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. EHCPL must promptly notify you if, in its opinion, your instructions do not comply with the Data Protection Legislation.
    2. EHCPL will comply with any written instructions from you requiring EHCPL to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised Processing.
    3. EHCPL will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties (other than as necessary in relation to disclosing Personal Data to the relevant local authorities and EHCPL’s advisers) unless you or this Agreement specifically authorises the disclosure, or as required by law, court or regulator (including the Commissioner). If a law, court or regulator (including the Commissioner) requires EHCPL to Process or disclose the Personal Data to a third party, EHCPL will aim to first inform you of such legal or regulatory requirement and give you an opportunity to object to or challenge the requirement, unless the law prohibits the giving of such notice.
    4. EHCPL will ensure that its staff, contractors, volunteers, advisers or any other individual who is authorised to access or Process the Personal Data on its behalf have committed themselves to keep the Personal Data confidential, either through an appropriate term in an employment contract or through a non-disclosure agreement.
    5. EHCPL will reasonably assist you with meeting your compliance obligations under the Data Protection Legislation, taking into account the nature of EHCPL's Processing and the information available to EHCPL, including in relation to Data Subject Rights, security of Processing, data protection impact assessments, reporting or notifying the Commissioner or Data Subjects about any Personal Data Breaches, and consulting with the Commissioner under the Data Protection Legislation.
    6. EHCPL will notify you of any changes to the Data Protection Legislation that may reasonably be interpreted as adversely affecting EHCPL's performance of the services.
  4. Your Obligations
    1. You will ensure that you have all necessary permissions and consents to provide EHCPL with, and to allow EHCPL to Process and share, Personal Data relating to both yourself and your child/ren.
    2. You remain wholly responsible for compliance with any obligations relating to Data Controllers under the Data Protection Legislation.
    3. You will ensure that you have appropriate lawful grounds under the Data Protection Legislation to transfer or share the Personal Data to EHCPL. Where these lawful grounds are consent, or explicit consent, you will ensure that you comply with any obligations relating to the acquiring and demonstration of consent under the Data Protection Legislation.
    4. You will ensure that you have provided any Data Subjects to whom the Personal Data relates with any information or privacy notices required under the Data Protection Legislation.
    5. You will ensure that the Personal Data you provide to EHCPL is limited to what is necessary for the provision of the Services, and that the Personal Data is accurate and, where necessary, kept up to date by informing EHCPL promptly of any inaccurate or incorrect Personal Data.
  5. Security
    1. EHCPL will implement appropriate technical and organisational measures against accidental, unauthorised or unlawful Processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in ANNEX B.
    2. EHCPL will implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
      1. the pseudonymisation and encryption of Personal Data;
      2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
      3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
      4. a process for regularly testing, assessing and evaluating the effectiveness of the security measures.
  6. Personal Data Breaches
    1. EHCPL will notify you in writing if it becomes aware of (and the circumstances surrounding):
      1. the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data, in which case EHCPL will aim to restore such Personal Data as soon as possible;
      2. any accidental, unauthorised or unlawful Processing of the Personal Data; or
      3. any Personal Data Breach.
    2. Following any accidental, unauthorised or unlawful Personal Data Processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter and EHCPL will provide you with reasonable assistance to enable you to comply with your obligations relating to Personal Data Breaches under the Data Protection Legislation.
  7. Transfers of Personal Data
    1. EHCPL will not transfer or otherwise Process the Personal Data outside the UK without ensuring that the transfer is to a country covered by adequacy regulations made by the United Kingdom, or that appropriate and necessary safeguards are in place in accordance with Chapter V of the UK GDPR.
  8. Subcontractors
    1. EHCPL may use any necessary third parties or subcontractors to Process the Personal Data (“sub-processors”) and will notify you of such sub-processors on written request (including their name and location and, where possible, the contact information for the person responsible for privacy and data protection compliance). The list of pre-approved sub-processors is set out in ANNEX A to this Agreement.
    2. Where EHCPL appoints third parties or sub-processors to Process the Personal Data, EHCPL will ensure that:
      1. The sub-processor has provided sufficient guarantees that they can implement appropriate organisational and technical measures to comply with the Data Protection Legislation;
      2. There is a contract or other legally binding instrument in place between EHCPL and the sub-processor which provides for at least equivalent terms with respect to protecting the Personal Data and compliance with the Data Protection Legislation; and
      3. EHCPL will remain liable to you for the sub-processor’s performance of its obligations and its compliance with the Data Protection Legislation.
    3. Where EHCPL appoints further sub-processors to Process the Personal Data on its behalf, EHCPL will provide you with reasonable notice of the changes and a reasonable opportunity to object to the addition of the sub-processor. However, if EHCPL does not receive notice of such objection within 10 working days of sending you such notification, EHCPL shall be entitled to assume that you approve such sub-processor(s).
    4. Where you object to the appointment of or changes to sub-processors, EHCPL will endeavour to work with you to resolve the matter. However, where the sub-processor is considered necessary for the provision of the Services and you have objected to their use, EHCPL may need to withdraw the Services on 10 working days’ notice and treat the Personal Data in accordance with clause 11 of this Agreement.
  9. Complaints, Data Subject Rights requests and third-party rights
    1. EHCPL will promptly notify you of, and provide you with information regarding, any Data Subject Rights requests, including any requests from individuals to access their Personal Data, to have their record rectified, to have their Personal Data ported to a third party, to restrict Processing, to have their Personal Data erased, or generally to object to the Processing of their Personal Data.
    2. EHCPL will also notify you of any complaint, notice or communication that relates directly or indirectly to the Processing of the Personal Data or to either party's compliance with the Data Protection Legislation.
    3. EHCPL will cooperate with you in responding to any Data Subject Rights Request or complaint.
    4. EHCPL will not provide any response to any Data Subject, correspondent or the Commissioner without your authorisation, unless the matter wholly relates to compliance matters concerning EHCPL or unless required to by law.
  10. Term and Termination
    1. This Agreement will remain in full force and effect so long as EHCPL is Processing Personal Data on your behalf or until you delete your account (or request that it is deleted).
    2. If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its obligations, the parties may agree to suspend the Processing of the Personal Data until that Processing complies with the new requirements. If the parties are unable to bring the Personal Data Processing into compliance with the Data Protection Legislation, either party may terminate this Agreement on written notice to the other party.
  11. Data Return and Destruction
    1. At your request, EHCPL will give you, or a third-party nominated in writing by you, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by you.
    2. On termination of this Agreement for any reason, EHCPL will securely delete or destroy or, if directed in writing by you, return and not retain, all or any of the Personal Data related to this Agreement in its possession or control.
    3. If any law, regulation, or government or regulatory body requires EHCPL to retain any documents, materials or Personal Data that EHCPL would otherwise be required to return or destroy, it will notify you in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.
  12. Records and Audit
    1. EHCPL will aim to keep records of its processing activities that are sufficient to enable you to verify EHCPL's compliance with its obligations under this Agreement and the Data Protection Legislation.
    2. EHCPL will provide you with any other records or information relating to EHCPL’s compliance with the Data Protection Legislation and this Agreement.
    3. Where the records and information in clauses 12.1 or 12.2 are reasonably deemed by you to be insufficient to demonstrate compliance, you will be entitled to conduct an annual audit, or to appoint an independent auditor to conduct an audit, in accordance with clause 12.4.
    4. Where an audit is conducted, it shall be:
      1. proportionate and reasonable with respect to the nature of the Processing and the information already made available to you;
      2. restricted to the subject matter of the Processing of the Personal Data to which this Agreement relates;
      3. conducted in a secure and confidential manner;
      4. conducted during normal business hours, and minimally disruptive; and
      5. at your own expense.
  13. Indemnification
    1. You agree to indemnify, keep indemnified and defend EHCPL at your own expense against all costs, claims, damages or expenses incurred by EHCPL or for which EHCPL may become liable due to any failure by you to comply with any of your obligations under this Agreement and/or the Data Protection Legislation.

ANNEX A

Personal Data processing purposes and details

Subject matter of processing:

The processing of personal data by EHCP Limited on behalf of parents/guardians for the purposes of providing ‘the Services’. The Services include:

Providing a platform for service users to store, manage and apply for Education, Health and Care Plans (EHCPs), including liaising with the relevant local authority; and the subsequent storage and management of EHCPs and other relevant records for annual reviews and associated activities relating to EHCPs.

Duration of Processing

The Processing will be for the duration of the application plus 6 months if the application is successful or, if the application is unsuccessful, for a period of [6 months] after the final rejection and appeal. Further details are contained in the Data Retention Policy [INSERT LINK].

Nature of Processing

The data will be processed via the secure EHCP Limited platform, which acts as a ‘digital envelope’ in order for parents or guardians to securely store and manage the relevant documentation.

Purposes of Processing

The Personal Data is being processed to deliver ‘the Services’ via the secure platform to make the EHCP application, management and review process quicker and easier for parents/guardians.

Personal Data Categories: the Personal Data will include:
  • names and contact details for parents or guardians;
  • names of the child/ren;
  • biographical information about the child/ren;
  • details of the child/ren’s health conditions (including details of any mental or physical health diagnosis or treatment, disabilities, health provision, medical notes and medications);
  • location (to determine the relevant local authority);
  • details relating to education (educational and school history, progress, outcomes);
  • special educational needs and provision;
  • relevant social care needs;
  • economic information such as benefits, support or payments made in support of the EHCP;
  • social information such as friendships, independence, relationships, family, employment and volunteering; and
  • views, opinions, future plans etc.
Data Subject Types:

The Personal Data will relate to:

  • parents and guardians;
  • their child/ren; and
  • employees of the relevant local authority.
Approved Sub-processors:

Name: Technical Direct Ltd

Services: Data hosting and technical support services

Location of Processing: United Kingdom

Name: Microsoft

Services: Data hosting and IT Infrastructure

Location of Processing: United Kingdom/European Economic Area

ANNEX B

Security measures

EHCP Limited will implement appropriate organisational and technical measures to ensure that the confidentiality, integrity and availability of Personal Data is protected, and to protect against breaches of security resulting in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

Organisational Measures

  • Policies and procedures relating to data protection and information security.
  • Obligations of confidentiality for employees, volunteers or other individuals authorised to process Personal Data on behalf of EHCPL.
  • Pre-employment or pre-volunteering checks on individuals prior to appointment, including Disclosure and Barring Service (DBS) checks where required.
  • Mandatory data protection training.