The PDR agreement
The registers that are collected together at the UCR registry deal with huge amounts of data linked to individual people. Processing these data must comply with current laws and regulations.
The person who processes the personal data in their organization and decides which data are to be processed and what the data are to be used for is called the Personal Data Controller and is normally an authority or a legal person.
In a national quality register, the tasks of the Personal Data Controller are divided between two legal persons.
- One who reports locally (PDC)
- and one who deals with central processing (CPDC)
Common to both roles or concepts is that this responsibility can only be held by a legal person.
The Personal Data Controller (PDC) for reporting data to a registry is the local care provider whose data are being reported.
The PDC is responsible for safeguarding that, when reporting, all personal data are handled correctly in accordance with the Patient Data Protection Act and the Public Access to Information and Secrecy Act. The PDC could just as easily be called the local PDC to further clarify the local affiliation.
A quality register must have a Central Personal Data Controller (CPDC). Only one or two authorities in the health and care section are permitted to process personal data at the central registry level. With regard to central processing, the CPDC is responsible for all data processing. This responsibility includes security issues and correction of data in the registry, if necessary.
The Steering Group of a quality register receives its mandate from the CPDC. Based on the goal of the quality register, the CPDC should draw up a mandate or directive on which the Steering group can base their work. This should include a clear statement of the authorities and responsibilities held by the Steering group.
The person who processes personal data on behalf of the Personal Data Controller is called the Personal Data Representative (PDR). A Personal Data Representative is never part of the Personal Data Controller's organization.
The Personal Data Representative is only permitted to process personal data in compliance with set instructions and guidelines from the Personal Data Controller. In other words, the Representative does not have the right to add or delete anything nor decide the purpose of processing personal data.
With regard to the registers at UCR, the county council boards have the role of the Central Personal Data Controller (CPDC) while UCR has the role of the Personal Data Representative (PDR).
A written agreement must be signed between the Personal Data Controller and the Personal Data Representative. The agreement, called the PDR contract, must clearly state that the Personal Data Representative is only permitted to process personal data in compliance with instructions from the Personal Data Controller, and that the Representative must take appropriate technical and organizational measures to safeguard personal data.
For assistance in drawing up a PDR agreement, contact UCR.
For more in-depth information on the laws and regulations applying to register holders, see Checklist for quality registers regarding laws and regulations as well as the respective links.