MoU - UK Anti-Doping Limited

Information Sharing Agreement between the NHS Counter Fraud Authority and the UK Anti-Doping Limited

Contents

Between

This MOU is made on the 30th of July 2020

  1. United Kingdom Anti-Doping Limited of Fleetbank House, 2-6 Salisbury Square, London, EC4Y 8AE, United Kingdom("UK Anti-Doping"); and
  2. NHS COUNTER FRAUDAUTHORITY (NHSCFA) of Fourth Floor, Skipton House, 80 London Road, London , SE1 8LH
  3. NHS COUNTER FRAUD SERVICES (NHS Walesof First Floor Block B, Mamhilad House, Mamhilad Park Estate, Pontypool, NP4 0YP.1

Each a 'Party', and collectively 'the Parties'.

Definitions

'Data controller', 'data processor', 'data subject' 'personal data', "processing", 'personal data relating to criminal convictions and offences' and 'special category personal data'shall each have the meaning given to them under Data Protection Legislation.

'Data Protection Legislation' means the GDPR, the Data Protection Act 2018, the Directive of Privacy and Electronic Communications 2002/58/EC and any other laws and regulations enacted under those laws, successor laws or other applicable laws relating to the processing of personal data applicable to the Parties from time to time.

'GDPR' means Regulation (EU) 2016/679.

Purpose

UK Anti-Doping and the NHSCFAhave agreed to work together and wish to record the basis on which they will collaborate in relation to anti-doping matters ('Collaboration'). This Memorandum of Understanding ('MOU') sets out: 

  • the principles of collaboration; and
  • the principles and commitments the Parties will adopt when they collect, store and disclose to each other information, which may include personal data and/or special category personal data and/or personal data relating to criminal convictions and offences,in eachcase relating to potential doping activities. Suchinformation is referred to as 'Information' in this MOU. Any and allsharing of Information pursuant to this MOU will be undertaken solely in connection with the Permitted Purposes (as defined below).

UK Anti-Doping

UK Anti-Doping is responsible for delivering the United Kingdom's anti-doping programme, as well as helping to ensure that UK Government meets its commitments pursuant to the UNESCO and Council of Europe Anti-Doping Conventions. UK Anti-Doping is a Signatory to the World Anti-Doping Code and subject to its provisions and those of the associated International Standard for the Protection of Privacy and Personal Information. 

The NHSCFA

NHSCFAis an independent Special Health Authority. NHSCFA leads on work to identify and tackle fraud across the NHS. Its purpose is to safeguard NHS resources so that the NHS is better equipped to care for the nation's health, providing support, guidance and direction to the NHS. This work enables effective prevention, detection and enforcement action to take place against fraud and fraudulent activity. NHSCFA also collects, collates and analyses information that holds intelligence value, which in turn broadens the understanding of fraud risks in the NHS.

NHSCFA has duties and enforcement powers under the NHS Act 2006, the Health and Social Care Act 2012 and the NHS Counter Fraud Authority (Establishment, Constitution and Staff and other Transfer Provisions) Order 2017, issued by the Secretary of State for Health. NHSCFA is responsible for:

Leading on work to protect NHS staff, patients and resources from fraud, bribery and corruption, educating and informing those who work for, who are contracted to or who use the NHS about fraud in the health service and how to tackle it.

preventing and deterring fraud in the NHS by reducing it and removing opportunities for it to occur or to re-occur and 

holding to account those who have committed fraud against the NHS by detecting and prosecuting offenders and seeking redress where viable.

Principles of collaboration

TheParties agree to adopt the following principles when collaborating ('Principles'):

  • collaborate and co-operate. Establish and adhere to the governance structure set out in this MoU to ensure that activities are delivered and actions taken as required;
  • be accountable. Take on, manage and account to each other for performance of the respective roles and responsibilities set out in this MoU;
  • be open. Communicate openly about major concerns, issues or opportunities relating to the Collaboration;
  • learn, develop and seek to achieve full potential. Share information, experience, materials and skills to learn from each other and develop effective working practices, work collaboratively to identify solutions, eliminate duplication of effort, mitigate risk and reduce cost;
  • adopt a positive outlook. Behave in a positive, proactive manner;
  • adhere to statutory requirements and best practice. Comply with applicable laws and standards including EU procurement rules, data protection and freedom of information legislation. In particular theParties agree to comply with the requirements of the Sharing Protocol (as described in Clause 16 below);
  • act in a timely manner. Recognise time-critical elements of the Collaboration and respond accordingly to requests for support;
  • manage stakeholders effectively;
  • deploy appropriate resources. Ensure sufficient and appropriately qualified resources are available and authorised to fulfil the responsibilities set out in this MoU; and
  • act in good faith and compliance with these Principles.

If either Party has any issues, concerns or complaints about the Collaboration, or any matter in this MoU, that Party shall notify the other Party and the Parties shall then seek to resolve the issue by a process of consultation. If the issue cannot be resolved within a reasonable period of time, the matter shall be escalated to the Parties' respective senior management or executives.

The Parties intend that any intellectual property rights created in the course of the Collaboration shall vest in the Party whose employee or consultant created them (or in the case of any intellectual property rights created jointly by employees and/or consultants of both Parties in the Party that is principal Party for the part of the Collaboration that the intellectual property right relates to).

Sharing framework

The Parties agree in their capacity as data controllers to share Information at their discretion, in order to assist each other (as appropriate) solely in relation to the following 'Permitted Purposes':

  • the Parties' respective anti-doping activities undertaken in accordance with the UK Anti-Doping Rules, UK National Anti-Doping Policy, including intelligence and information sharing; and/or 
  • the Parties' respective anti-doping activities undertaken in accordance with the World Anti-Doping Code (being the version of the World Anti-Doping Code in effect at the time the Information is shared and encompassing the version of the International Standard for the Protection of Privacy and Personal Information in effect at the time Information is shared); and/or
  • investigations regarding the commission of related criminal, disciplinary or regulatory offences or breaches;and/or
  • any other activity agreed in writing by the Parties which is directly relevant to the functions of either Party or requires a joint response by the Parties. For example, but not limited to, intelligence gathering to prevent fraud across the NHS network or to promote drug-free sport or where it relates to the illegal prescribing, supplying, administering or disposing of NHS drugs within or for an NHS body.

When either Party shares Information with the other Party, it will share that Information, and the other Party shall treat such Information, according to the Sharing Protocol described in clause 16 below. If the Parties wish to disclose Informationto each other electronically, it will be shared in a secure format (in line with good industry standards and Data Protection Legislation requirements as to security).

UK Anti-Doping and the NHSCFAshall take all measures necessary to ensure their respective compliance with Data Protection Legislation and any other regulations or restrictions that apply to their disclosure of Information to third parties.

Each Party warrants and represents that it has all necessary rights, consents and permissions to share Information with the other Party pursuant to this MOUand that the other Party is entitled to use such information in the manner envisaged by this MOU. 

Each Party warrants and represents that it shall only use the Information for the Permitted Purposes and shall not use such information for any other purpose unless it has obtained the other Party's prior written consent.

Sharing protocol

Where a Party shares Information with the other, the Parties shall:

  • only process the Information for the PermittedPurposes or for such other purposes as subsequently agreed between the Parties in writing;
  • ensure that all Information is processed in a manner that ensures appropriate security of such data, taking into account the fact that the processing of certain of theInformation will be high risk and contain highly sensitive types of data, including special category personal data, and personal data relating to criminal convictions and offences;
  • ensure that all relevant data subjects are given an appropriate notice, compliant with Data Protection Legislation, explaining the processing of personal dataand in particular the nature and purposes of the data sharing, other than where a Party is entitled to restrict or withhold the provision of such notice under the Data Protection Legislation;
  • where, due to the law applying to the relevant Party, a consent would be required to share Information with the other Party, it shall ensure that an appropriate consent is obtained in accordance with such applicable law;
  • where, pursuant to the Data Protection Legislation, the sharing of Information and/or use of such Information by the recipient is permitted pursuant to an anti-doping, law enforcement, crime prevention, sports integrity or other similar lawful processing condition, the relevant Party (or Parties) shall ensure that all requirements necessary to be able to rely on such condition are complied with in respect of the sharing and/or use of such Information;
  • other than as set out in this MOU, not disclose any Information to any third party without the other Party's prior written consent (and subject to suitable safeguards as the other Party may specify) and ensure that any Information it discloses is not irrelevant or excessive with regard to the Permitted Purposes; 
  • promptly respond to requests or notices from data subjects (or any relevant regulator), in each case in relation to the Information, in accordance with the requirements prescribed by the Data Protection Legislation in consultation with the other Party and advise data subjects and/or the relevant regulator of the need to contact the other Party as necessary;
  • notify the other Party where appropriate when a request from a data subject might reasonably be expected to affect the other Partyand provide reasonable assistance (at the other Party's cost) as is necessary to the other Party to enable it to comply with such requests or notices;
  • ensure that all Information they disclose is accurate and, where necessary, kept up to date. Where appropriate, the disclosing Party shall provide corrected or updated Information at agreed intervals;
  • notify the other Party without undue delay in writing if it suspects or becomes aware of any breach of security of Information, or loss or corruption or deletion of, or damage to Information which has been shared with or by the other Party and where this has the potential to cause disruption or reputational damage to the other Party (including any dispute or claim brought by a data subject or a regulator concerning the processing of Information against either or both of the Parties);
  • ensure that Information will not be kept in a form that permits identification of data subjects for longer than necessary and will be destroyed or returned to the disclosing Party (according to the disclosing Party's instructions) in an appropriate manner when no longer required, provided always that a Party may retain any Information by the other Party, to the extent that it is necessary to retain such Information pursuant to applicable law; and
  • take steps, should the NHSCFA be located or otherwise process data outside the European Economic Area, to promptly agree and sign thecurrent version of the standard contractual clauses for the transfer of personal data to data controllers established in third countries adopted by the European Commission.the NHSCFA acknowledges that UK Anti-Doping will be a data exporter and the NHSCFA will be a data importer.

Documents (including Information) disclosed by either Party will be assigned a level of protection by the disclosing Party for its handling, processing, storage and movement in accordance with Cabinet Office Government Security Classifications. The levels of protection assigned to documents are as follows: 'Official'; or 'Official - Sensitive'. 

Official: 'Official' means any document that may be shared with third parties by either Partyat its discretion. 

Official – Sensitive: 'Official – Sensitive' means any document that the disclosing Party has determined as being such, in that disclosure to unauthorised third parties may result in adverse consequences for the individual or the organisation.

Both Parties agree that, in relation to documents labelled as being 'Official – Sensitive', it will not communicate, or otherwise make available, the document (or any Information contained in that document) to any third party without prior written clearance from the disclosing Party in respect of each such disclosure; or use the document or any Information within it for any commercial, industrial or other purpose, or copy, adapt, or otherwise reproduce the document or Information.

In the event that either Party receives a request made to it in accordance with the Freedom of Information Act 2000 or any subordinate or replacement legislation on the transparency of public records ('FOIA'), the Party must immediately inform the disclosing Party of such FOIA and shall not disclose any Information or documents provided to it by the disclosing Party without the disclosing Party's prior written consent. The disclosing Party shall be responsible for determining at its absolute discretion whether a document (or Information contained within a document or otherwise disclosed to it) requires disclosure to any third party, or is exempt from disclosure, pursuant to any FOIA.

Each Party is responsible for maintaining a record of the relevant Party's processing activities in respect of the Information including copies of any requests for Information, details of the Information accessed and shared and where relevant, notes of any meeting, correspondence or phone calls relating to a request.

Point of Contact

The Parties agree to, when possible, share Information using a single point of contact. The single point of contact for UK Anti-Doping will be the Senior Intelligence Coordinator. The single point of contact for the NHSCFAwill be the National Operations Manager

The NHSCFAwill, wherever possible, send Information to UK Anti-Doping to the e-mail address intelligence@ukad.org.uk. UK Anti-Doping will, wherever possible, send Information to the NHSCFAto the e-mail address ciu@nhscfa.gsi.gov.uk

Term

This MOUshall commence and become effective on the date that each Party has signed the MOU of its signature by the Parties (the 'Effective Date') and remain in effect for twelve (12) months unless terminated by either Party by giving the other one month's notice in writing of its intention to do so.

The provisions of the MOU that, by their nature and content, must survive the completion, rescission, termination or expiration of the MOU in order to achieve the fundamental purposes of the MOU, shall so survive and continue to bind the Parties.

Costs and Liabilities

Except as otherwise provided, the Parties shall each bear their own costs and expenses incurred in complying with their obligations under this MoU.

To the extent permitted by any applicable law and/or regulation, neither Party (the 'first Party') shall be liable to the other Party for any losses suffered by the other Party in connection with this MOU, whether such losses are caused by the acts or omissions of the first Party or otherwise.

Status

This MoU is not intended to be legally binding, and no legal obligations or legal rights shall arise between the parties from this MoU. Notwithstanding the foregoing, the Parties enter into this MoU intending to honour their respective obligations.

Nothing in this MoU is intended to, or shall be deemed to, establish any partnership or joint venture between the Parties, constitute either Party as the agent of the other Party, nor authorise either of the Parties to make or enter into any commitments for or on behalf of the other Party

Governing law

Subject to clause 27 above, this MOU and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.

General

This MOU may be entered into by the Parties in any number of counterparts. Each counterpart shall, when executed and delivered, be regarded as an original, and all the counterparts shall together constitute one and the same instrument.

No variation of this MOU shall be valid unless it is in writing and signed by or on behalf of each of the Parties.

If the data protection laws change in a way that this MOU is no longer adequate for the purpose of governing lawful data sharing exercises, the Parties agree to negotiate in good faith to review this MOU in light of the new requirements.

The duly authorised signatories of the Parties to this MOU have executed this MOU as of the date set out above.