NON-DISCLOSURE AGREEMENT (NDA)

 

Pharmacy Data Sharing & Renomination Services

 

 This Non-Disclosure Agreement (“Agreement”) is entered into between:

 

(1) The Pharmacy

 

(“Disclosing Party” / “Data Controller”)

 and

 (2) DHM Digital Limited, trading as Pharma Connect

 

Company Number: 16953956

 Registered Address:

 Moorgate Crofts Business Centre,

 South Grove, Rotherham, S60 2DH

 

(“Receiving Party” / “Data Processor”)

 

Together referred to as the “Parties”.

 

 

     Purpose of This Agreement

 

The purpose of this Agreement is to enable the secure, lawful, and confidential sharing of limited patient information by the Pharmacy with Pharma Connect solely for the purpose of delivering a patient renomination and engagement service.

  This Agreement governs how data is shared, used, protected, accessed, reported on, and deleted.

  Scope of Confidential Information

  For the purposes of this Agreement, “Confidential Information” includes:

  2.1 Pharmacy Confidential Information

 

 Business data

  Operational information

  Commercial terms

  Reports, analytics, or performance data

  Internal processes disclosed during service delivery

 

 2.2 Patient Data (Strictly Limited)

 

 The Pharmacy may provide only the minimum data required for the renomination service, specifically:

  Patient full name

  Patient postal address

  Patient telephone number

  Date the EPS nomination was moved away

  No clinical data, medical history, prescription details, NHS numbers, or diagnostic information are required or permitted.

 

 Permitted Use of Patient Data

 

 Pharma Connect agrees that patient data may only be used for:

  Creating a controlled, secure working dataset (e.g. spreadsheet)

  Contacting patients for the sole purpose of nomination / renomination support

  Recording outcomes of patient contact

  Providing outcome reporting back to the Pharmacy

 

 Patient data must not be used for:

 

 Marketing unrelated services

  Profiling

  Analytics beyond the agreed service

  Sale or disclosure to any third party

  Any purpose outside the written instruction of the Pharmacy

 

 Data Protection & GDPR Compliance

 

 4.1 The Pharmacy remains the Data Controller at all times.

 

4.2 Pharma Connect acts solely as a Data Processor.

 

4.3 All processing is conducted in accordance with:

 

 UK GDPR

 

 Data Protection Act 2018

  ICO guidance

  NHS data protection principles (where applicable)

  Pharma Connect will process data only on documented instruction from the Pharmacy.

 

 Data Security Measures

 

 Pharma Connect confirms that all patient data will be protected using healthcare-grade security controls, including:

  Encrypted file storage and transfer

  Restricted, role-based access

  No shared or public storage systems

  Secure password management

 Access logging and monitoring

  No local storage on personal devices

  Patient data will never be uploaded to unsecured platforms or shared folders.

 

 Data Access & Reporting Process

 

 6.1 Patient data will be held in a secure spreadsheet or dataset.

 

6.2 Each patient record will be updated with an outcome status following contact.

 

6.3 Upon completion of the campaign:

 

 Secure access will be provided to the Pharmacy

  The Pharmacy may review and accept the outcomes

  No further processing will take place without written approval

  Data Deletion & Confirmation

 

 7.1 Once the Pharmacy confirms acceptance of the outcomes:

 

 All patient data will be permanently deleted from Pharma Connect systems

  Any backups containing the data will be removed in line with secure deletion procedures

 

 7.2 Written confirmation of deletion will be provided by email.

 

 No patient data will be retained beyond the operational need.

  Confidentiality Obligations

  Each Party agrees to:

  Keep Confidential Information strictly confidential

  Restrict access to authorised personnel only

  Use Confidential Information solely for the agreed purpose

  Not disclose Confidential Information to any third party without written consent

  These obligations survive termination of this Agreement.

 

 Sub-Processors

 

 Pharma Connect may use GDPR-compliant infrastructure providers (e.g. hosting, secure messaging services) strictly as sub-processors.

  All sub-processors:

  Operate under written contracts

  Are prohibited from using data for any independent purpose

  Are restricted to minimum access required

  A list of sub-processors is available on request.

 

 Data Breach Notification

 

 In the unlikely event of a data breach:

  Pharma Connect will notify the Pharmacy without undue delay

  Full details will be provided, including mitigation steps

  Pharma Connect will cooperate fully with any regulatory requirements

 

 Term & Termination

 

 This Agreement becomes effective on the date of signature and remains in force:

  For the duration of the service, and

  Indefinitely in respect of confidentiality obligations

  Either Party may terminate with written notice.

  Termination does not affect data protection or confidentiality obligations.

 

 Limitation of Liability

 

 Pharma Connect shall not be liable for:

  Errors resulting from inaccurate data supplied by the Pharmacy

  Regulatory action caused by misuse of data by the Pharmacy

  Events beyond reasonable control

  Nothing in this Agreement limits liability for data breaches caused by Pharma Connect’s negligence.

 

 Governing Law

 

 This Agreement is governed by the laws of England and Wales, and the courts of England and Wales shall have exclusive jurisdiction.