Common use of DATA PROTECTION AND FREEDOM OF INFORMATION Clause in Contracts

DATA PROTECTION AND FREEDOM OF INFORMATION. 23.1 The Parties agree that with the exception of Personal Data detailed in Clause 23.2 no Personal Data will be processed under this Contract and that the Consultant will only receive anonymised personal data for the purpose of performing the Services. If the Consultant receives any Personal Data whether due to a failure to fully anonymise Personal Data or otherwise it shall promptly alert the Authorised Officer and then follow his instructions on handling or disposal of such Personal Data. 23.2 The Consultant will receive the email addresses and telephone numbers of staff engaged in contract management by the Council and contract delivery by the Consultant and names, titles and work email addresses of personnel employed by the Council’s current suppliers where these are given to the Supplier for the purposes of performing the Services. The Consultant shall process the Personal Data described in this Clause 23.2 strictly for the purpose of performing the Services and shall not retain it after completion of the Contract or share it with any other party without the Council’s express permission or to comply with any statutory obligation. 23.3 If at any time during the Contract Period the Council determines that it is necessary to provide additional instructions on the processing by the Consultant of Personal Data the Consultant shall promptly agree any such instructions and any obligations which the Council reasonably requires and imposes on the Consultant. 23.4 The Council has a number of obligations under the Freedom of Information Act 2000 (FOIA) and Environmental Information Regulations (EIR) to provide information of its functions where a person has made a request, unless the FOIA or the EIR exempts the requested information from such provision. The Consultant and his sub-contractors shall co-operate with the Council in respect of any request affecting or related to the provision of the Services by among other things providing written responses to requests as required by the Authorised Officer. The Consultant shall use all reasonable endeavours to help the Council meet its obligations under the FOIA and the EIR. 23.5 The Council is obliged by the Local Government Transparency Code issued by the Secretary of State under the Local Government (Transparency Requirements) (England) Regulations 2014 to publish contracts (worth more than £5,000) in their entirety, subject to redaction of commercially sensitive information, confidential information, intellectual property and data protection. The Consultant agrees that the Council may publish this Contract in its entirety and also publish performance data subject to the Council considering and properly applying those qualifications.

DATA PROTECTION AND FREEDOM OF INFORMATION. 23.1 Z5.1 The Parties agree Consultant complies with all of its obligations under the Data Protection Xxx 0000 and if processing personal data (as such terms are defined in section 1(1) of that with Act) on behalf of the exception of Employer (“TfL Personal Data detailed in Clause 23.2 no Personal Data will be processed under this Contract and that Data”), the Consultant will only receive anonymised personal data carries out such processing for the purpose of performing Providing the Services. If Services and in accordance with instructions from the Employer. Z5.2 When the Consultant receives any a written request from the Employer for information about, or a copy of, TfL Personal Data, the Consultant supplies such information or data to the Employer within such time and in such form as specified in the request (such time to be reasonable) or if no period of time is specified in the request, then within 14 days from the date of the request. Z5.3 The Employer remains solely responsible for determining the purposes and manner in which TfL Personal Data whether due is to a failure to fully anonymise Personal Data or otherwise it shall promptly alert the Authorised Officer and then follow his instructions on handling or disposal of such Personal Data. 23.2 The Consultant will receive the email addresses and telephone numbers of staff engaged in contract management by the Council and contract delivery by the Consultant and names, titles and work email addresses of personnel employed by the Council’s current suppliers where these are given to the Supplier for the purposes of performing the Servicesbe processed. The Consultant shall process the does not share any TfL Personal Data described in this Clause 23.2 strictly for the purpose of performing the Services and shall not retain it after completion of the Contract or share it with any other Subconsultant or third party without unless there is a written agreement in place which requires the CouncilSubconsultant or third party to:  only process TfL Personal Data in accordance with the Employer’s express permission or instructions to the Consultant; and  comply with the same data protection requirements that the Consultant is required to comply with any statutory obligationunder this contract. 23.3 If at any time during Z5.4 The Consultant acknowledges that the Contract Period the Council determines that it Employer is necessary subject to provide additional instructions on the processing by the Consultant of Personal Data the Consultant shall promptly agree any such instructions and any obligations which the Council reasonably requires and imposes on the Consultant. 23.4 The Council has a number of obligations under the Freedom of Information Act 2000 (FOIA) Xxx 0000 and all subordinate legislation made under it, together with the Environmental Information Regulations 2004 (EIRand any provisions that replace these) to provide information of its functions where a person has made a requestand any guidance issued by the Information Commissioner, unless the FOIA Department for Constitutional Affairs, or the EIR exempts the requested information from Department for Environment Food and Rural Affairs (including in each case its successors or assigns) in relation to such provision. The Consultant legislation and his sub-contractors shall agrees to assist and co-operate with the Council in respect Employer to enable the Employer to comply with its obligations under such legislation including providing to the Employer such information as the Employer may reasonably request concerning this contract within five (5) days of a request from the Employer. The Consultant further acknowledges that the Employer may be obliged under such legislation to disclose information without consulting or obtaining consent from the Consultant. Without prejudice to the generality of the foregoing the Consultant shall transfer to the Employer any request affecting or related to for information under the provision of the Services by among other things providing written responses to requests Act that it receives as required by the Authorised Officersoon as reasonably practicable. The Consultant shall use all reasonable endeavours not itself respond to help the Council meet its obligations under the FOIA and the EIR. 23.5 The Council is obliged any person making such a request save to acknowledge receipt, unless expressly authorised to do so by the Local Government Transparency Code issued by Employer. This clause shall survive the Secretary expiry or termination of State under the Local Government (Transparency Requirements) (England) Regulations 2014 to publish contracts (worth more than £5,000) in their entirety, subject to redaction of commercially sensitive information, confidential information, intellectual property and data protection. The Consultant agrees that the Council may publish this Contract in its entirety and also publish performance data subject to the Council considering and properly applying those qualificationscontract.

DATA PROTECTION AND FREEDOM OF INFORMATION. 23.1 20.1 The Company shall comply with any notification requirements under the Data Protection Legislation and both Parties agree will duly observe all their obligations under the Data Protection Legislation which arise in connection with this Agreement, as ‘Data Controller’ or ‘Data Processor’ as defined in the Data Protection Xxx 0000 (“DPA”). 20.2 Notwithstanding the general obligation in condition 20.1, where the Company is processing personal data as a data processor (as defined by the DPA) for the Council the Company shall ensure that it has in place appropriate technical and organisational measures to ensure the security of the personal data (and to guard against unauthorised or unlawful processing of the personal data and against accidental loss or destruction of, or damage to, the personal data), as required under the Seventh Data Protection Principle in Schedule 1 to the DPA; and (a) provide the Council with such information as the Council may reasonably request to satisfy itself that the Company is complying with its obligations under the DPA and the Data Protection Legislation; (b) promptly notify the Council of any breach of the security measures to be put in place pursuant to this clause; (c) ensure that it does not knowingly or negligently do or omit to do anything which places the Council in breach of its obligations under the DPA or the Data Protection Legislation. (d) process the personal data only in accordance with instructions from the Council (which may be specific instructions or instructions of a general nature) as set out in this Agreement or as otherwise notified by the Council; (e) process the personal data only to the extent and in such manner as is necessary for the provision of the Company’s obligations under this Agreement, or is required by Law or any Regulatory Body; (f) ensure that all staff required to access the personal data are informed of the confidential nature of the personal data and comply with the exception obligations set out in this clause; and (g) ensure that none of Personal Data detailed the staff publish disclose or divulge any of the personal data to any third parties unless directed in Clause 23.2 no Personal Data will be processed writing to do so by the Council; and (h) not disclose personal data to any third parties in any circumstances other than with the prior written approval of the Council or in compliance with a legal obligation upon the Council or the Company. 20.3 The Company shall indemnify the Council against all claims and proceedings and all liability, loss, costs and expenses incurred in connection therewith in respect of any loss or damage caused by the disclosure of personal data by the Company 20.4 Where the Company as part of its obligations under this Contract and that the Consultant will only receive anonymised Agreement processes personal data for as a data controller, such personal data shall have been obtained fairly and lawfully. The Company shall ensure that it is able to disclose such personal data to the purpose of performing the Services. If the Consultant receives any Personal Data whether due Council in such a way as to a failure to fully anonymise Personal Data or otherwise it shall promptly alert the Authorised Officer and then follow his instructions on handling or disposal of such Personal Data. 23.2 The Consultant will receive the email addresses and telephone numbers of staff engaged in contract management ensure that use by the Council and contract delivery by of any such personal data obtained in connection herewith does not breach the Consultant and names, titles and work email addresses provisions of personnel employed by the Council’s current suppliers where these are given Data Protection Legislation. 20.5 The Company acknowledges that the Council is subject to the Supplier for requirements of the purposes Freedom of performing Information Xxx 0000 (“the Services. The Consultant shall process FOIA”) and the Personal Data described in this Clause 23.2 strictly for Environmental Information Regulations 2004 (“the purpose of performing the Services EIR”) and shall not retain it after completion of assist and cooperate with the Contract or share it with any other party without Council (at the CouncilCompany’s express permission or expense) to enable the Council to comply with any statutory obligationinformation disclosure requirements under those regulations. 23.3 If at 20.6 The Company shall itself and shall procure that its Sub-Contractors (if any) shall: (a) transfer any time during the Contract Period request for information or personal data to the Council determines as soon as practicable after receipt and in any event within two working days of receiving the request; (b) provide the Council with a copy of all information and or personal data in its possession or power in the form that it is the Council requires within five working days (or such other period as the Council may specify) of the Council requesting that information or personal data; and (c) provide all necessary to provide additional instructions on the processing assistance as reasonably requested by the Consultant of Personal Data the Consultant shall promptly agree any such instructions and any obligations which Council to enable the Council reasonably requires and imposes on to respond to a request for information or personal data within the Consultant. 23.4 The Council has a number time for compliance set out in section 10 of obligations under the Freedom of Information Act 2000 (FOIA) and Environmental Information Regulations (EIR) to provide information of its functions where a person has made a request, unless the FOIA or regulation 5 of the EIR, or the DPA. 20.7 The Council shall be responsible for determining at its absolute discretion whether information or personal data: (a) is exempt from disclosure in accordance with the provisions of the FOIA , the EIR exempts or the requested DPA; (b) is to be disclosed in response to a request for information from such provision. The Consultant or for personal data, and his sub-contractors in no event shall co-operate with the Council in respect of any Company respond directly to a request affecting for information or related personal data unless expressly authorised to the provision of the Services by among other things providing written responses to requests as required do so by the Authorised Officer. The Consultant shall use all reasonable endeavours to help the Council meet its obligations under the FOIA and the EIRCouncil. 23.5 20.8 The Council is obliged by the Local Government Transparency Code issued by the Secretary of State under the Local Government (Transparency Requirements) (England) Regulations 2014 to publish contracts (worth more than £5,000) in their entirety, subject to redaction of commercially sensitive information, confidential information, intellectual property and data protection. The Consultant agrees Company acknowledges that the Council may publish be obliged under the FOIA, EIR or DPA to disclose information or personal data: (a) without consulting with the Company, or (b) following consultation with the Company and having taken its views into account. 20.9 The Company shall ensure that all information produced in the course of this Contract in its entirety Agreement is retained for disclosure and also publish performance data subject to shall permit the Council considering to inspect such records as requested from time to time. 20.10 The Company acknowledges that any lists or schedules provided by it outlining confidential information are of indicative value only and properly applying those qualifications.that the Council may nevertheless be obliged to disclose Confidential Information in accordance with this clause 20, the FOIA, the EIR or the DPA

DATA PROTECTION AND FREEDOM OF INFORMATION. 23.1 The Parties agree that undertake to comply with the exception provisions of the Data Protection Legislation and will duly observe all their obligations under the Data Protection Act 2018 ("the Act"), which arises in connection with this Agreement. The Institution is the data controller and the Placement Provider is the processor of any personal data (as defined by the Act). 11.2 The collection, handling and use of Personal Data detailed in Clause 23.2 no relating to individuals shall be treated as confidential at all times. 11.3 Each Party shall at all times be responsible for ensuring that all Personal Data will be processed under this Contract (including data in any electronic format) is stored securely and that the Consultant will only receive anonymised personal data for the purpose guard against unauthorised access to, disclosure of, or loss or destruction of performing the Services. If the Consultant receives any Personal Data whether due to a failure to fully anonymise Personal Data or otherwise it shall promptly alert the Authorised Officer and then follow his instructions on handling or disposal of such Personal Data. 23.2 The Consultant will receive the email addresses and telephone numbers of staff engaged in contract management by the Council and contract delivery by the Consultant and names, titles and work email addresses of personnel employed by the Council’s current suppliers where these are given to the Supplier for the purposes of performing the Services. The Consultant shall process the Personal Data described whilst in this Clause 23.2 strictly its custody. Notwithstanding the general obligation in clause 11.1, where the Placement Provider is processing Personal Data as a Data Processor for the purpose of performing Authority, the Services Placement Provider shall ensure that it has in place appropriate technical and shall not retain it after completion contractual measures to ensure the security of the Contract Personal Data (and to guard against unauthorised or share unlawful processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data), as required under the Seventh Data Protection Principle in Schedule 1 to the Data Protection Act 2018; and 11.3.1 provide the Institution with such information as the Institution may reasonably require to satisfy itself that the Placement Provider is complying with its obligations under the Data Protection Legislation. 11.3.2 process only personal data in accordance with written instructions from the Institution as is necessary for the provision of the Placement. 11.3.3 obtain permission from the Institution to process personal data if required to do so by law or any regulatory body. 11.3.4 promptly assist the Institution in meeting their obligations to data subjects under the General Data Protection Regulations (GDPR), such as subject access requests and requests for the rectification, transfer or erasure of personal data. 11.3.5 promptly notify the Institution of any breach of the security measures required to be put in place pursuant to clauses 11.3. 11.3.6 ensure that employees or subcontractors of the Placement Provider have undertaken appropriate training in the handling of personal data and are aware of their obligations under the Act. 11.3.7 ensure it does not knowingly or negligently do or omit to do anything which places the Institution in breach of the Institution’s obligations under the Data Protection Legislation. 11.4 The Placement Provider shall ensure that access to personal data is limited to those employees who need access to the personal data to meet the Placement Provider's obligations under this Agreement. 11.5 The Placement Provider will promptly notify the Institution in writing if it receives: 11.5.1 a request from a data subject to have access to that person’s personal data; or 11.5.2 a complaint or request relating to the Institution’s obligations under the Act. The Placement Provider shall co-operate and assist with the Institution in relation to any other party without such request or complaint. 11.6 The Placement Provider must provide the Council’s express permission Institution with all the information that is needed to show that both Parties have met their obligations of the Act. Representatives from the Institution will be permitted to inspect and audit its data processing activities and will comply with all reasonable requests or directions by the Institution to enable the Institution to verify that the Placement Provider is in full compliance with its obligations under this Agreement. 11.7 The Placement Provider agrees to indemnify the Institution against all liabilities, costs, claims, damages or expenses incurred by the Institution for which it may become liable due to any failure by the Placement Provider or its employees or agents to comply with any statutory obligationof its data processing obligations under this Agreement. 23.3 If at 11.8 No information which would lead to the identification of an individual shall be included in any time during publications without the Contract Period prior agreement in writing of the Council determines that it is necessary individual concerned. No mention shall be made of individual officers of either Party or the Students, which might lead to provide additional instructions on their identification, without the processing by prior agreement in writing of the Consultant of Personal Data the Consultant shall promptly agree any such instructions and any obligations which the Council reasonably requires and imposes on the ConsultantParty concerned. 23.4 11.9 The Council has a number of Parties shall cooperate and assist one another to comply with their obligations under the Freedom of Information Act 2000 (FOIA) and Environmental Information Regulations (EIR) pursuant to provide information of its functions where a person has made a request, unless the FOIA or the EIR exempts the requested information from such provision. The Consultant and his sub-contractors shall co-operate with the Council in respect of any request affecting or related to the provision of the Services by among other things providing written responses to requests as required by the Authorised Officer. The Consultant shall use all reasonable endeavours to help the Council meet its obligations under the FOIA and the EIR. 23.5 The Council is obliged by the Local Government Transparency Code issued by the Secretary of State under the Local Government (Transparency Requirements) (England) Environmental Information Regulations 2014 in relation to publish contracts (worth more than £5,000) in their entiretythis Agreement, subject to redaction of commercially sensitive information, confidential information, intellectual property and data protectionif applicable. The Consultant agrees that Party receiving the Council may publish this Contract request for information shall be responsible for determining at its absolute discretion, and without consultation with the other Party, whether the information: 11.9.1 is exempt from disclosure in its entirety and also publish performance data subject accordance with the provisions of FOIA or the Environmental Information Regulations; or 11.9.2 is to the Council considering and properly applying those qualificationsbe disclosed in response to a request for information.