Information Processing Framework

Introduction

These additional terms under which Prometheus Safe and Secure (PSS) & Prometheus Complex Care (PCC) (collectively referred to as “we” or “our”) process personal data on behalf of health and care trusts and other organisational clients (referred to as “you” or “your”)—both as a data processor and, in some instances, as a data controller—are outlined in this framework.

It serves as a supplement to any data processing agreements between us and our clients and provides further detail regarding our processing activities and compliance with data protection legislation.

It is essential that these guidelines are aligned with the data processing agreements we hold with clients, as they are based on our own regulatory and statutory obligations concerning the provision of our services and personal data processing.

These terms cover all services provided, including secure patient transport by Prometheus Safe & Secure and bed watch services by Prometheus Complex Care.

Each entity (PSS and PCC) operates as an independent data controller but manages its operations through a unified management team, with an internal data processing agreement to address overlaps in responsibilities, processes, and staffing.

You also independently serve as a data controller; however, there are occasions when you will need to process data for which we are the controller, making you a processor as well. This framework aims to define our respective responsibilities under data protection legislation and our controller/processor relationship when it comes to processing personal data.

Details of Processing

Subject Matter

Secure transport and bed watch services for vulnerable patients by PSS and PCC.

Duration of Processing

The processing of personal data will start and end according to our data processing agreement with you or as agreed upon otherwise in writing.

Nature and Purpose of Processing

To provide transportation and monitoring services as instructed by you on behalf of vulnerable patients and vulnerable children, ensuring safety and compliance with health and safety regulations and other regulations and statutory requirements we may have to adhere to in relation to our business activities.

Type of Personal Data that We Process

We process the minimal amount of personal data necessary to fulfil our services. This includes personal data such as Name and Contact details or other identifiable personal information as well as information that falls under special category data, i.e. health data.

You are the data controller for the data you provide to us.

Type of Personal Data that You Process

You may require information from us in order to accept our services. This includes personal data of our employees such as name and contact details and other identifiable information, as well as special category data where appropriate. We are the data controller for the data we provide to you.

We will only provide you with data for which there is a justification and a legal basis for processing by you, together with the additional conditions for processing where it relates to special categories of data (Articles 6, 9 & 10 UK GDPR). When we make decisions on the provision of personal data of our employees, we must weigh the rights of the individual against your need for that data. It is your responsibility to provide us with the justification and legal basis for processing.

We are the controller of the information that we give to you.

We are not an agency, and as such, the responsibility for conducting employee suitability checks and ensuring eligibility to work in this country rests with us. We are committed to ensuring that our staff are both qualified and suitable for their roles. We are more than willing to offer assurances about our recruitment processes and methods for checking employee suitability, as well as any other information you may require upon request. However, we do not routinely provide detailed employee information beyond what is necessary for them to deliver the service. Any requests for additional information will be considered and responded to on a case-by-case basis.

It is your responsibility to justify and establish legal bases for requesting any information that we are the controller of.

Please ensure you specify your requirements before the contract begins so we can establish a clear agreement on the services we provide and the information you need from us to proceed.

As a service provider and organisation, we are bound by various legislative and regulatory responsibilities, necessitating the creation and maintenance of certain records. Furthermore, we have a responsibility to keep patients and our employees safe. This includes instances where we handle patient information controlled by you.

Personal Data that we are the Controller and Processor of

When we generate new data assets that incorporate some information already provided by you, we assume the role of the data controller for these documents or data items. This means that we are a controller and a processor of the same personal data – this is compliant with UK GDPR as we are processing the information for different purposes.

This means that we are processing some personal data as a processor for the controller’s (your) purposes and only on its (your) instruction, but also process that same personal data for our own separate purposes.

We will only do so where we have a basis in law or a regulatory requirement.

Some of the legislative and regulatory organisations and legislation we have to abide by are:

  • Data Security Protection Toolkit (DSPT)
  • Care Quality Commission (CQC)
  • Health & Safety Act 1974
  • Safeguarding Vulnerable Groups Act 2006
  • Mental Capacity Act 2005
  • Mental Health Act 1983
  • Data Protection Act 2018 and UK GDPR

Categories of Data Subjects

  • Patients, including vulnerable individuals and children
  • Next of kin or other responsible persons acting on behalf of patients
  • Employees of PSS and PCC
  • Employees of our clients (where appropriate)

Controller and Processor Obligations

As Data Controllers

Both parties (we and you) act as data controllers in our own right for the data we individually manage. When you are the data controller, you maintain overall control of the personal data processed by us, except where we have a legal or statutory obligation to retain the information even after you request its deletion or return, and vice versa.

When new information is created by us, sometimes using some of the data you provide, these data assets are controlled by us. We manage the security, accessibility, and compliance of these assets under data protection regulations.

As data controllers, both parties must adhere to UK GDPR and other relevant data protection legislation. We have implemented a robust data protection and information governance framework involving policies, standard operating procedures, regular audits, and continuous monitoring by our Information Governance Leads and Senior Information Risk Owners (SIROs). Our board maintains oversight and accountability.

As Data Processors

We process personal data strictly based on documented instructions from you, the data controller. This includes adhering to stipulations about personal data transfers unless required otherwise by law.

We ensure that all employees authorised to process personal data have committed to maintaining confidentiality, comply with our data protection policies and processes, and have received adequate training, in line with DSPT and data protection legislation requirements.

We implement security measures as stipulated by Article 32 of the UK GDPR, which include measures such as encryption, ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems, and regularly assessing the effectiveness of these security measures.

Shared Responsibilities

Both parties must ensure compliance with the Data Security Protection Toolkit, which supports the fulfilment of legal, statutory, and regulatory obligations concerning data protection.

Both parties are expected to cooperate transparently, especially in the creation and management of data assets, ensuring that all data protection practices align with legal standards and protect the rights of data subjects.

This delineation of roles ensures that both we and our clients are clear about our responsibilities and the boundaries of our authority over the data, enhancing compliance and safeguarding the interests of all parties involved, especially those of the data subjects.

Specific Terms and Clauses Required

Using Sub-processors

We engage sub-processors, including expert consultants and contractors who specialise in data protection legislation and information security requirements and other subject matters, to occasionally process information on our behalf. We will not engage any additional processors without obtaining prior specific or general written authorisation from the Controller.

Contracts with sub-processors include all data protection obligations as per UK GDPR requirements, specifically Article 28(3) and (4) and requirements as outlined within this framework and any processing agreements between us and you.

Data Subjects’ Rights

The Processor shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the UK GDPR.

Assisting the Controller

The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to the Processor.

End-of-Contract Provisions

At the choice of the Controller, the Processor shall delete or return all personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless UK law or regulatory requirements dictate otherwise.

Audits and Inspections

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.