Common use of DATA PROTECTION AND FREEDOM OF INFORMATION Clause in Contracts

DATA PROTECTION AND FREEDOM OF INFORMATION. For the purposes of this clause 7 the following definitions apply:
Data Protection Legislation: (i) the UKGDPR, the LED and any applicable national implementing Laws as amended from time to time (ii) the DPA 2018 to the extent that it relates to processing of personal data and privacy; (iii) all applicable Law about the processing of personal data and privacy;
Data Loss Event: any event that results, or may result, in unauthorised access to Personal Data held by a Party under this Agreement, and/or actual or potential loss and/or destruction of Personal Data in breach of this Agreement, including any Personal Data Breach (as defined in the GDPR).
DPA 2018: Data Protection Act 2018
UKGDPR: the General Data Protection Regulation
LED: Law Enforcement Directive (Directive (EU) 2016/680)
Personal Data: takes the meaning given in the UKGDPR
Data Protection
7.1 The Parties shall comply with the notification requirements under the Data Protection Legislation (DPL).
7.2 All Parties shall duly observe their obligations under the DPL which arise in connection with this Agreement and each Party will ensure that Personal Data is processed only in accordance with its own policies on data protection, information security and retention of Personal Data to comply with its obligations under the Data Protection Legislation.
7.3 No Party shall perform its obligations under this Agreement in such a way as to cause the other Parties to breach any of their applicable obligations under the Data Protection Legislation. Each Party shall notify the others without undue delay in the event of a Data Loss Event.
7.4 The Parties shall collaborate to ensure compliance with their statutory obligations under the DPL, in particular, by providing five working days’ notice to the others if any Party receives a request from a Data Subject to have access to that person's Personal Data; or a complaint or request relating to another Party’s obligations under the Data Protection Legislation.
7.5 Each Party will provide full co-operation and assistance in relation to any complaint or request made, including by providing the other Parties with full details of the complaint or request; providing any Personal Data it holds in relation to a Data Subject (within the timescales required); and providing any information requested.
7.6 Each Party acknowledges that they are subject to the requirements of the Freedom of Information Act 2000 (“FOIA”) and the Environmental Information Regulations 2004 (“EIR”) and, should the request relate to the Service, shall assist and co-operate with each other to enable the Party, by whom the request has been received, to comply with disclosure requirements under the FOIA.

Appears in 2 contracts

Samples: Collaboration Agreement, Collaboration Agreement

DATA PROTECTION AND FREEDOM OF INFORMATION.
17.1 The Employer acknowledges that the Main Provider is subject to the requirements of the Data Protection Legislation, the Freedom of Information Act 2000 and the Environmental Information Regulations 2004, all as amended or replaced from time to time. The Main Provider acknowledges that the Employer is subject to the requirements of the Data Protection Legislation as amended or replaced from time to time.
17.2 The Employer shall offer such prompt and reasonable assistance to the Main Provider as the Main Provider may request from time to time, to assist it in complying with its information disclosure obligations under the legislation at Clause 17.1.
17.3 The Main Provider and the Employer acknowledge that each Party is individually a Data Controller in respect of any Personal Data processed by it and each Party agrees to comply with its obligations under the Data Protection Legislation.
17.4 In the event that one Party wishes to exchange Personal Data with the other Party then that Party (the requesting Party) shall make a written request to the other Party setting out why it considers such transfer to be compliant with the Data Protection Legislation. It shall be for the other Party to determine whether it is willing to exchange such data in accordance with its obligations under the Data Protection Legislation. The Parties will where possible in order to facilitate the exchange of information anonymise or aggregate such information to the degree that it does not identify any individual. The Parties may agree additional terms or conditions upon which such data is to be shared.
17.5 The Parties shall collaborate and shall procure that any of their staff and agents involved in the provision of this agreement and any sub-contractor shall comply with their obligations under Data Protection Legislation and shall enter into appropriate arrangements with third parties.
17.6 Upon the termination or expiry of this agreement each Party shall ensure that all Personal Data held by it shall be up-to-date and accurate. Where it is necessary in order for the efficient transition of services to the other Party or to a third party to be achieved then the transferring Party shall, having first satisfied itself that such transfer is compliant with all laws, transfer current and required Personal Data to the other party or to the third party in a secure manner and shall take all reasonable steps, at its own cost, to provide the Personal Data in a usable and compatible format.
17.7 Historical personal data shall be retained by the Parties in accordance with legal retention requirements. Personal Data which cannot be lawfully retained shall be securely deleted in accordance with Data Protection Legislation and Good Industry Practice.
17.8 For the avoidance of doubt, it is stated here that neither Party is a Data Processor on behalf of the other Party in furtherance of their obligations under this agreement. In the event it is established at any time during this agreement that Personal Data is to be processed by the one party on behalf of the other, the parties shall:
17.8.1 immediately enter into a data processing agreement on reasonable terms to be determined by the Main Provider to ensure full compliance with their statutory Data Protection Legislation; and
17.8.2 indemnify and keep the other party indemnified in full for any and all consequences (including a Personal Data breach) arising as a result of that party’s failure to comply with any of its obligations under this clause 17.
17.9 Failure by the Employer to enter into a data processing agreement in accordance with clause 17.8.1 shall be deemed a material/serious breach which shall entitle the Main Provider to immediately terminate the agreement without consequence or any liability under this agreement;
17.10 Any clause in this Contract limiting a party’s liability in respect of any obligations, claims, losses, damages or otherwise under the Data Protection Legislation shall not apply.
17.11 Each Party (the indemnifying Party) agrees to fully indemnify and keep indemnified and defend at its own expense the other Party against all costs, claims, damages or expenses incurred by the other Party or for which the other Party may become liable due to any failure by the indemnifying Party or its employees or agents or sub-contractors to comply with their obligations under this Clause 17.
17.12 Where the Employer receives a request for information under the Freedom of Information Act 2000 (“FOIA”) or the Environmental Information Regulations 2004 (“EIR”) relating to the operation of this agreement, the Employer shall promptly pass the request to the Main Provider and shall not respond directly to any such request without the Main Provider’s prior written consent.

Appears in 2 contracts

Samples: Apprenticeship Training Services Agreement, Apprenticeship Training Services Agreement

DATA PROTECTION AND FREEDOM OF INFORMATION.
17.1 The Subcontractor acknowledges that the Training Provider is subject to the requirements of the Data Protection Legislation, the Freedom of Information Act 2000 and the Environmental Information Regulations 2004, all as amended or replaced from time to time. The Training Provider acknowledges that the Subcontractor is subject to the requirements of the Data Protection Legislation as amended or replaced from time to time.
17.2 The Subcontractor shall offer such prompt and reasonable assistance to the Training Provider as the Training Provider may request from time to time, to assist it in complying with its information disclosure obligations under the legislation at Clause 17.1.
17.3 The Training Provider and the Subcontractor acknowledge that each Party is individually a Data Controller in respect of any Personal Data processed by it and each Party agrees to comply with its obligations under the Data Protection Legislation.
17.4 In the event that one Party wishes to exchange Personal Data with the other Party then that Party (the requesting Party) shall make a written request to the other Party setting out why it considers such transfer to be compliant with the Data Protection Legislation. It shall be for the other Party to determine whether it is willing to exchange such data in accordance with its obligations under the Data Protection Legislation. The Parties will where possible in order to facilitate the exchange of information anonymise or aggregate such information to the degree that it does not identify any individual. The Parties may agree additional terms or conditions upon which such data is to be shared.
17.5 The Parties shall collaborate and shall procure that any of their staff and agents involved in the provision of this agreement and any sub-contractor shall comply with their obligations under Data Protection Legislation and shall enter into appropriate arrangements with third parties.
17.6 Upon the termination or expiry of this agreement each Party shall ensure that all Personal Data held by it shall be up-to-date and accurate. Where it is necessary in order for the efficient transition of services to the other Party or to a third party to be achieved then the transferring Party shall, having first satisfied itself that such transfer is compliant with all laws, transfer current and required Personal Data to the other party or to the third party in a secure manner and shall take all reasonable steps, at its own cost, to provide the Personal Data in a usable and compatible format.
17.7 Historical personal data shall be retained by the Parties in accordance with legal retention requirements. Personal Data which cannot be lawfully retained shall be securely deleted in accordance with Data Protection Legislation and Good Industry Practice.
17.8 For the avoidance of doubt, it is stated here that neither Party is a Data Processor on behalf of the other Party in furtherance of their obligations under this agreement. In the event it is established at any time during this agreement that Personal Data is to be processed by the one party on behalf of the other, the parties shall:
17.8.1 immediately enter into a data processing agreement on reasonable terms to be determined by the Training Provider to ensure full compliance with their statutory Data Protection Legislation; and
17.8.2 indemnify and keep the other party indemnified in full for any and all consequences (including a Personal Data breach) arising as a result of that party’s failure to comply with any of its obligations under this clause 17.
17.9 Failure by the Subcontractor to enter into a data processing agreement in accordance with clause 17.8.1 shall be deemed a material/serious breach which shall entitle the Training Provider to immediately terminate the agreement without consequence or any liability under this agreement;
17.10 Any clause in this Contract limiting a party’s liability in respect of any obligations, claims, losses, damages or otherwise under the Data Protection Legislation shall not apply.
17.11 Each Party (the indemnifying Party) agrees to fully indemnify and keep indemnified and defend at its own expense the other Party against all costs, claims, damages or expenses incurred by the other Party or for which the other Party may become liable due to any failure by the indemnifying Party or its employees or agents or sub-contractors to comply with their obligations under this Clause 17.
17.12 Where the Subcontractor receives a request for information under the Freedom of Information Act 2000 (“FOIA”) or the Environmental Information Regulations 2004 (“EIR”) relating to the operation of this agreement, the Subcontractor shall promptly pass the request to the Training Provider and shall not respond directly to any such request without the Training Provider’s prior written consent.

Appears in 2 contracts

Samples: Subcontract for Training Services, Apprenticeship Agreement

DATA PROTECTION AND FREEDOM OF INFORMATION.
17.1 Each party acknowledges that the other is subject to the requirements of the Data Protection Legislation.
17.2 The Training Provider and the Employer acknowledge that each party is individually a Data Controller in respect of any Personal Data processed by it and each Party agrees to comply with its obligations under the Data Protection Legislation.
17.3 In the event that one party wishes to exchange Personal Data with the other party then that party (the Requesting Party) shall make a written request to the other party setting out why it considers such transfer to be compliant with the Data Protection Legislation. It shall be for the other party to determine whether it is willing to exchange such data in accordance with its obligations under the Data Protection Legislation. The parties will where possible in order to facilitate the exchange of information anonymise or aggregate such information to the degree that it does not identify any individual. The parties may agree to additional terms or conditions upon which such data is to be shared.
17.4 The parties shall, and shall procure that any of their staff and agents involved in the provision of this Agreement and any subcontractor shall, comply with their obligations under Data Protection Legislation and shall enter into appropriate arrangements with third parties.
17.5 Upon the termination or expiry of this Agreement each party shall ensure that all Personal Data held by it shall be up-to-date and accurate. Where it is necessary in order for the efficient transition of services to the other party or to a third party to be achieved then the transferring party shall, having first satisfied itself that such transfer is compliant with all laws, transfer current and required Personal Data to the other party or to the third party in a secure manner and shall take all reasonable steps, at its own cost, to provide the Personal Data in a usable and compatible format.
17.6 Historical personal data shall be retained by the parties in accordance with legal retention requirements. Personal Data which cannot be lawfully retained shall be securely deleted in accordance with Data Protection Legislation and Good Industry Practice.
17.7 For the avoidance of doubt, it is stated here that neither party is a Data Processor on behalf of the other party in furtherance of their obligations under this agreement. In the event it is established at any time during this agreement that Personal Data is to be processed by the one party on behalf of the other, the parties shall:
17.7.1 immediately enter into a data processing agreement on reasonable terms to be determined by the University to ensure full compliance with Data Protection Legislation; and
17.7.2 indemnify and keep the other party indemnified in full for any and all consequences (including a Personal Data breach) arising as a result of that party’s failure to comply with any of its obligations under this clause 17.
17.8 Failure by the Employer to enter into a data processing agreement in accordance with clause 17.7.1 shall be deemed a material/serious breach which shall entitle the Training Provider to immediately terminate the Agreement without consequence or any liability under this Agreement.
17.9 Any clause in this Agreement limiting a party’s liability in respect of any obligations, claims, losses, damages or otherwise under the Data Protection Legislation shall not apply.
17.10 Each party (the indemnifying party) agrees to fully indemnify and keep indemnified and defend at its own expense the other party against all costs, claims, damages or expenses incurred by the other party or for which the other party may become liable due to any failure by the indemnifying party or its employees or agents or subcontractors to comply with their obligations under this clause 17.

Appears in 1 contract

Samples: Apprenticeship Training Services Agreement

DATA PROTECTION AND FREEDOM OF INFORMATION. 37.1 The parties agree that the provisions of this clause shall apply if and to the extent that the Authority, any Authority Party or any Authority Service Recipient provides Authority Personal Data directly or indirectly (including via BT) for the Contractor to process in connection with the provision of the Services. For the purpose of the following subclauses, the terms process, Personal Data, Sensitive Personal Data, Data Processor, Data Subject and Data Controller shall have the meanings given to them in the Data Protection Xxx 0000. 37.2 The Authority shall act as Data Controller, and the Contractor shall act as Data Processor, in relation to Authority Personal Data. The Contractor shall (and the Contractor shall procure that each Contractor Party shall) comply with the provisions of the Data Protection Legislation as appropriate in connection with this Agreement (and where applicable any Sub-Contract) including where appropriate maintaining a valid and up to date data protection notification. 
The Contractor shall procure that each Contractor Party that processes Authority Personal Data shall enter into a confidentiality undertaking in the same form as set out in Part 1 of Schedule 8.2 (Confidentiality Undertaking) and the Contractor acknowledges that any Sub-Contractor that processes Authority Personal Data shall be a Material Sub-Contractor. 37.3 To the extent that the Contractor or any Contractor Party acts as a Data Processor of the Authority Personal Data, the Contractor for itself and each such Contractor Party (in respect of whom the Contractor will be liable under the terms of this Clause 37): 37.3.1 confirms that it is not and at all times will not be in breach of any laws of the country in which the Authority Personal Data will be processed which would prevent the Contractor or the relevant Contractor Party from processing the Authority Personal Data or would give rise to a liability for BT, the Authority or any Authority Service Recipient or Authority Party; and 37.3.2 warrants and undertakes that it shall not, by any act or omission (other than as expressly required by the Authority pursuant to this Agreement) cause any breach by the Authority, having regard to the nature of the Services and the Authority’s obligations as Data Controller, of any of the Data Protection Legislation; 37.3.3 warrants that it has and undertakes that it will at all times have in place and that it shall procure that any Contractor Party has and will at all times have in place appropriate technical and organisational measures against accidental or unlawful destruction of the Authority Personal Data or accidental loss, alteration, unauthorised or unlawful disclosure of or access to the same and adequate security programmes and procedures in place to ensure that unauthorised persons will not have access to any Authority Personal Data or to the data processing equipment used to process any Authority Personal Data and that any persons it authorises to have access to any 
Authority Personal Data will respect and maintain the confidentiality and security of the Authority Personal Data; and 37.3.4 shall provide BT and the Authority at reasonable intervals within twenty (20) days of request a written description of the technical and organisational measures referred to in subclause 37.3.3 in sufficient detail to enable BT and the Authority to determine whether such measures are sufficient to ensure that each of them is in compliance with the Data Protection Legislation; and 37.3.5 shall ensure that the Contractor and each Contractor Party’s technical and organisational measures and their programmes and procedures described in subclause 37.3.3: 37.3.5.1 reflect the level of damage that might reasonably be expected to be suffered by a Data Subject as a result of any unauthorised access or disclosure; and 37.3.5.2 at all times specifically address the nature of Sensitive Personal Data within such programs and procedures; and 37.3.5.3 comply as a minimum with the security requirements set out in Schedule 1.1 (Authority’s Requirements) and Schedule 1.3 (Security Policy Requirements); and 37.3.6 undertakes that it and each Contractor Party shall only use Authority Personal Data for a purpose which is authorised by BT and the Authority (which for the avoidance of doubt includes the provision of the Services) and which is compliant with the Law, the security requirements applicable to the processing of Authority Personal Data as set out in Schedule 1.3 (Security Policy Requirements) and Schedule 1.7 (Information Governance Requirements), NHS Requirements, any other relevant published rules or guidance of any relevant regulatory or professional body which have effect in England and any published rules or guidance of any relevant regulatory or professional body outside England which have effect (or compliance with which constitutes good industry practice) within England as applicable from time to time; and 37.3.7 undertakes that it and each 
Contractor Party will obtain, hold, process, use, store and disclose Authority Personal Data only to the extent necessary to carry out the Services and/or as specifically instructed by BT or the Authority and that such data will be held, processed, used, stored and disclosed only in accordance with the Data Protection Legislation and any other applicable Law. 37.4 The Contractor undertakes that it and each Contractor Party shall: 37.4.1 do all such actions as are necessary to ensure that it has fulfilled, and will continue to fulfil, the obligations in subclause 37.3; 37.4.2 co-operate with BT and the Authority to ensure BT’s and the Authority’s compliance with the Data Protection Legislation; and 37.4.3 not process any Authority Personal Data in any manner not permitted by this Agreement, including disclosing or transferring any Authority Personal Data or any data derived from Authority Personal Data (whether or not the same still constitutes Authority Personal Data) to any third party without the prior written consent of BT and the Authority save that without prejudice to any other provisions of this Clause 37 including subclause 37.3.2 the Contractor shall be entitled to disclose Authority Personal Data to employees and Contractor Parties to whom such disclosure is reasonably necessary in order for the Contractor to carry out the Services and/or BT’s or the Authority’s instructions, or to the extent required under a court order, provided that such disclosure is made subject to written terms substantially the same as, and no less stringent than, the terms contained in this Clause 37 (and including the requirement to comply with any security requirements applicable to the processing of Authority Personal Data as set out in Schedule 1.7 (Information Governance Requirements)) and the Contractor shall give notice in writing to the Authority of any disclosure it or a Contractor Party is required to make under any court order immediately upon its becoming aware of such 
requirement; and 37.4.4 not transfer any Authority Personal Data to any place outside of England without the express prior written consent of BT or the Authority as appropriate; and 37.4.5 appoint and identify to BT and the Authority an individual within its organisation authorised to respond to enquiries from BT, the Authority, any Authority Service Recipient or any Authority Party concerning its processing of Authority Personal Data and will deal with all enquiries from BT, the Authority, any Authority Service Recipient or any Authority Party relating to such Authority Personal Data promptly, including those from the Information Commissioner and in any event within any time frame stipulated by applicable Law and will to the extent reasonably necessary co-operate with and assist BT, the Authority, any Authority Service Recipient or any Authority Party in ensuring compliance with any Data Subject rights of data access, correction, blocking, suppression or deletion relating to the Authority Personal Data and in the defence or management of any enforcement action or assessment by the Information Commissioner or any other competent body in relation thereto; and 37.4.6 provide access upon reasonable notice to its and any Contractor Parties’ data processing facilities, data files and documentation needed for processing of Authority Personal Data and to permit auditing and/or certification by BT or the Authority (or any other duly qualified auditors or inspection authorities) in order to ascertain compliance with the undertakings given in this Clause 37; and 37.4.7 where consent has been granted under subclause 37.4.4 notify BT and the Authority in writing of any provisions in any local law or of any changes in the laws of the country in which Authority Personal Data is processed which does or could affect the Contractor’s ability to perform its obligations under these Clauses or which does or may give rise to a liability for BT, the Authority, any Authority Service Recipient or any Authority Party. 37.5 If the Data Subject of any Authority Personal Data makes a written request of either party for access to any relevant Authority Personal Data not held by that party (the First Party), the First Party shall promptly notify the other party (the Second Party) and the Second Party shall provide (or, in the case of BT, procure that the Authority procures any relevant Authority Service Recipient or Authority Party provides, or, in the case of the Contractor, procure that any relevant Contractor Party provides) within the timescales specified in the Data Protection Legislation details of the Authority Personal Data held by the Second Party to the relevant Data Subject of such Authority Personal Data. In any case in which the Contractor or any Contractor Party receives any request from a Data Subject for access to Authority Personal Data held by the Contractor, the Contractor shall promptly notify BT and shall provide, or procure that the relevant Contractor Party provides, within the timescales specified in the Data Protection Legislation details of the Authority Personal Data held by the Contractor or the Contractor Party as the case may be to the relevant Data Subject of such Authority Personal Data. 
37.6 If at any time the Contractor makes a non material and unintentional disclosure of any Sensitive Personal Data that constitutes a breach of the Contractor’s obligations under either this Clause 37 or Clause 38 (Confidentiality) the Contractor shall promptly review the technical and organisational measures referred to in subclause 37.3.3 and any other internal procedures and policies that it has in place to prevent such disclosures and, following such review, shall promptly implement any necessary changes to such measures, procedures and policies in order to prevent any further breaches of this Clause 37 or Clause 38 in respect of Sensitive Personal Data, unless a change is required to the Authority’s Requirements or Security Policy Requirements, in which case the Contractor shall advise the Authority of this Change under the Change Control Procedure. Any failure by the Contractor to comply with the provisions of this subclause 37.6 or any subsequent related non material and unintentional disclosure of Sensitive Personal Data shall constitute a material breach of this Agreement. 37.7 The Contractor shall, and shall procure that each Contractor Party shall: 37.7.1 comply with all requests by the Authority (whether made directly to the Contractor or via BT); and 37.7.2 provide all such assistance as may be required by the Authority, to enable the Authority to comply with its obligations under the Data Protection Legislation.

Appears in 1 contract

Samples: Subcontract Agreement (Idx Systems Corp)
