Common use of DATA PROTECTION AND PROTECTION OF PERSONAL DATA Clause in Contracts

DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 16.1 The Parties shall ensure that information acquired by the Parties and sub- contractors in the delivery of this Contract will at all times comply with the provisions and obligations imposed by the Data Protection Act 1998 and the Data Protection Principles together with any subsequent re-enactment or amendment thereof in storing and processing personal data, and all personal data acquired by either party from the other shall be returned to the disclosing party on request. Both Parties hereby acknowledge that performance of a duty imposed by the Act shall not constitute a breach of any obligation in respect of confidentiality which may be owed to the other party. The clause shall not affect THE SFA’s ability to make a search with a credit reference agency. 16.2 With respect to the Parties’ rights and obligations under this Contract the Parties agree that THE SFA is the Data Controller and THE CONTRACTOR is the Data Processor within the meaning of the Data Protection Act. 16.3 THE CONTRACTOR shall: 16.3.1 process Personal Data only in accordance with the instructions from THE SFA (which may be specific instructions or instructions of a general nature as set out in the Contract or otherwise notified by THE SFA to THE CONTRACTOR during the term of the Contract); 16.3.2 process the Personal Data only to the extent and in such manner as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; 16.3.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 16.3.4 take reasonable steps to ensure the reliability of any Contractor Personnel who have access to the Personal Data; 16.3.5 obtain prior written consent from THE SFA in order to transfer the Personal Data to any sub-contractor or other third parties for the provision of the Services; 16.3.6 ensure that all Contractor Personnel do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by THE SFA; 16.3.7 notify THE SFA within 5 working days if it receives: 16.3.7.1 a request from a Data Subject to have access to that person’s Personal Data; or 16.3.7.2 a complaint or request relating to THE SFA obligations under the Data Protection Legislation; 16.3.8 provide THE SFA with full co-operation and assistance in relation to any complaint or request made, including by: 16.3.8.1 providing THE SFA with full details of the complaint or request; 16.3.8.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with THE SFA’s instructions; 16.3.8.3 providing THE SFA with any Personal Data it holds in relation to a Data Subject (within the timescales required by THE SFA); and 16.3.8.4 providing THE SFA with any information requested by them or their representatives. 16.3.9 permit THE SFA or THE SFA’s representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit THE CONTRACTOR’S Data Processing activities (and/or those of its agents, subsidiaries, and sub-contractors) and comply with all reasonable requests or directions by THE SFA to enable THE SFA to verify and or procure that THE CONTRACTOR is in full compliance with its obligations under this Contract;

DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 16.1 The Parties shall ensure that information acquired by the Parties and sub- contractors in the delivery of this Contract will at all times comply with the provisions and obligations imposed by the Data Protection Act 1998 Xxx 0000 and the Data Protection Principles together with any subsequent re-enactment or amendment thereof in storing and processing personal data, and all personal data acquired by either party from the other shall be returned to the disclosing party on request. Both Parties hereby acknowledge that performance of a duty imposed by the Act shall not constitute a breach of any obligation in respect of confidentiality which may be owed to the other party. The clause shall not affect THE SFAESFA’s ability to make a search with a credit reference agency. 16.2 With respect to the Parties’ rights and obligations under this Contract the Parties agree that THE SFA ESFA is the Data Controller and THE CONTRACTOR is the Data Processor within the meaning of the Data Protection Act. 16.3 THE CONTRACTOR shall: 16.3.1 process Personal Data only in accordance with the instructions from THE SFA ESFA (which may be specific instructions or instructions of a general nature as set out in the Contract or otherwise notified by THE SFA ESFA to THE CONTRACTOR during the term of the Contract); 16.3.2 process the Personal Data only to the extent and in such manner as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; 16.3.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 16.3.4 take reasonable steps to ensure the reliability of any Contractor Personnel who have access to the Personal Data; 16.3.5 obtain prior written consent from THE SFA ESFA in order to transfer the Personal Data to any sub-contractor or other third parties for the provision of the Services; 16.3.6 ensure that all Contractor Personnel do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by THE SFAESFA; 16.3.7 notify THE SFA ESFA within 5 working days if it receives: 16.3.7.1 a request from a Data Subject to have access to that person’s Personal Data; or 16.3.7.2 a complaint or request relating to THE SFA ESFA obligations under the Data Protection Legislation; 16.3.8 provide THE SFA ESFA with full co-operation and assistance in relation to any complaint or request made, including by: 16.3.8.1 providing THE SFA ESFA with full details of the complaint or request; 16.3.8.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with THE SFAESFA’s instructions; 16.3.8.3 providing THE SFA ESFA with any Personal Data it holds in relation to a Data Subject (within the timescales required by THE SFAESFA); and 16.3.8.4 providing THE SFA ESFA with any information requested by them or their representatives. 16.3.9 permit THE SFA ESFA or THE SFAESFA’s representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit THE CONTRACTOR’S Data Processing activities (and/or those of its agents, subsidiaries, and sub-contractors) and comply with all reasonable requests or directions by THE SFA ESFA to enable THE SFA ESFA to verify and or procure that THE CONTRACTOR is in full compliance with its obligations under this Contract;

DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 16.1 The Parties shall ensure that information acquired by the Parties and sub- contractors in the delivery of this Contract will at all times comply with the provisions and obligations imposed by the Data Protection Act 1998 and the Data Protection Principles together with any subsequent re-enactment or amendment thereof in storing and processing personal data, and all personal data acquired by either party from the other shall be returned to the disclosing party on request. Both Parties hereby acknowledge that performance of a duty imposed by the Act shall not constitute a breach of any obligation in respect of confidentiality which may be owed to the other party. The clause shall not affect THE SFA’s ability to make a search with a credit reference agency. 16.2 With respect to the Parties’ rights and obligations under this Contract the Parties agree that THE SFA is the Data Controller and THE CONTRACTOR is the Data Processor within the meaning of the Data Protection Act. 16.3 THE CONTRACTOR shall: 16.3.1 process Personal Data only in accordance with the instructions from THE SFA (which may be specific instructions or instructions of a general nature as set out in the Contract or otherwise notified by THE SFA to THE CONTRACTOR during the term of the Contract); 16.3.2 process the Personal Data only to the extent and in such manner as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; 16.3.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected;; WITHDRAWN 16.3.4 take reasonable steps to ensure the reliability of any Contractor Personnel who have access to the Personal Data; 16.3.5 obtain prior written consent from THE SFA in order to transfer the Personal Data to any sub-contractor or other third parties for the provision of the Services; 16.3.6 ensure that all Contractor Personnel do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by THE SFA; 16.3.7 notify THE SFA within 5 working days if it receives: 16.3.7.1 a request from a Data Subject to have access to that person’s Personal Data; or 16.3.7.2 a complaint or request relating to THE SFA obligations under the Data Protection Legislation; 16.3.8 provide THE SFA with full co-operation and assistance in relation to any complaint or request made, including by: 16.3.8.1 providing THE SFA with full details of the complaint or request; 16.3.8.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with THE SFA’s instructions; 16.3.8.3 providing THE SFA with any Personal Data it holds in relation to a Data Subject (within the timescales required by THE SFA); and 16.3.8.4 providing THE SFA with any information requested by them or their representatives. 16.3.9 permit THE SFA or THE SFA’s representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit THE CONTRACTOR’S Data Processing activities (and/or those of its agents, subsidiaries, and sub-contractors) and comply with all reasonable requests or directions by THE SFA to enable THE SFA to verify and or procure that THE CONTRACTOR is in full compliance with its obligations under this Contract;

DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 16.1 The Parties shall ensure that information acquired by the Parties and sub- contractors in the delivery of this Contract will at all times comply with the provisions and obligations imposed by the Data Protection Act 1998 and the Data Protection Principles together with any subsequent re-enactment or amendment thereof in storing and processing personal data, and all personal data acquired by either party from the other shall be returned to the disclosing party on request. Both Parties hereby acknowledge that performance of a duty imposed by the Act shall not constitute a breach of any obligation in respect of confidentiality which may be owed to the other party. The clause shall not affect THE SFA’s ability to make a search with a credit reference agency. 16.2 With respect to the Parties’ rights and obligations under this Contract the Parties agree that THE SFA is the Data Controller and THE CONTRACTOR is the Data Processor within the meaning of the Data Protection Act. 16.3 THE CONTRACTOR shall: 16.3.1 process Personal Data only in accordance with the instructions from THE SFA (which may be specific instructions or instructions of a general nature as set out in the Contract or otherwise notified by THE SFA to THE CONTRACTOR during the term of the Contract); 16.3.2 process the Personal Data only to the extent and in such manner as is necessary for the provision of the Services or as is required by Law or any Regulatory Body;; WITHDRAWN 16.3.3 implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 16.3.4 take reasonable steps to ensure the reliability of any Contractor Personnel who have access to the Personal Data; 16.3.5 obtain prior written consent from THE SFA in order to transfer the Personal Data to any sub-contractor or other third parties for the provision of the Services; 16.3.6 ensure that all Contractor Personnel do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by THE SFA; 16.3.7 notify THE SFA within 5 working days if it receives: 16.3.7.1 a request from a Data Subject to have access to that person’s Personal Data; or 16.3.7.2 a complaint or request relating to THE SFA obligations under the Data Protection Legislation; 16.3.8 provide THE SFA with full co-operation and assistance in relation to any complaint or request made, including by: 16.3.8.1 providing THE SFA with full details of the complaint or request; 16.3.8.2 complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with THE SFA’s instructions; 16.3.8.3 providing THE SFA with any Personal Data it holds in relation to a Data Subject (within the timescales required by THE SFA); and 16.3.8.4 providing THE SFA with any information requested by them or their representatives.. WITHDRAWN 16.3.9 permit THE SFA or THE SFA’s representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit THE CONTRACTOR’S Data Processing activities (and/or those of its agents, subsidiaries, and sub-contractors) and comply with all reasonable requests or directions by THE SFA to enable THE SFA to verify and or procure that THE CONTRACTOR is in full compliance with its obligations under this Contract;

DATA PROTECTION AND PROTECTION OF PERSONAL DATA. 16.1 16.1. The Parties shall ensure that information acquired by the Parties and sub- contractors Sub- Contractors in the delivery of this Contract will at all times comply with the provisions and obligations imposed by the Data Protection Act 1998 and the Data Protection Principles together with any subsequent re-enactment or amendment thereof in storing and processing personal dataLaws, and all personal data acquired by either party from the other shall be returned to the disclosing party on request. Both Parties hereby acknowledge that performance of a duty imposed by the Act Data Protection Laws shall not constitute a breach of any obligation in respect of confidentiality which may be owed to the other party. The clause shall not affect THE SFAthe ESFA’s ability to make a search with a credit reference agency. 16.2 16.2. With respect to the Parties’ rights and obligations under this Contract the Parties agree that THE SFA the ESFA is the Data Controller and THE CONTRACTOR the Contractor is the Data Processor within the meaning of the Data Protection ActLaws, as amended from time to time. 16.3 THE CONTRACTOR 16.3. The Contractor shall: 16.3.1 16.3.1. process Personal Data only in accordance with the instructions from THE SFA the ESFA (which may be specific instructions or instructions of a general nature as set out in the Contract or otherwise notified by THE SFA the ESFA to THE CONTRACTOR the Contractor during the term of the Contract); 16.3.2 16.3.2. process the Personal Data only to the extent and in such manner as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; 16.3.3 16.3.3. implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; 16.3.4 16.3.4. take reasonable steps to ensure the reliability of any Contractor Personnel who have access to the Personal Data; 16.3.5 16.3.5. obtain prior written consent from THE SFA the ESFA in order to transfer the Personal Data to any subSub-contractor Contractor or other third parties for the provision of the Services; 16.3.6 16.3.6. ensure that all Contractor Personnel do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by THE SFAthe ESFA; 16.3.7 16.3.7. notify THE SFA the ESFA within 5 working days if it receives: 16.3.7.1 16.3.7.1. a request from a Data Subject (meaning an individual who is the subject of Personal Data), to have access to that person’s Personal Data; or 16.3.7.2 16.3.7.2. a complaint or request relating to THE SFA the ESFA obligations under the Data Protection LegislationLaws; 16.3.8 16.3.8. provide THE SFA the ESFA with full co-operation and assistance in relation to any complaint or request made, including by: 16.3.8.1 16.3.8.1. providing THE SFA the ESFA with full details of the complaint or request; 16.3.8.2 16.3.8.2. complying with a data access request within the relevant timescales set out in the Data Protection Legislation Laws and in accordance with THE SFAthe ESFA’s instructions; 16.3.8.3 16.3.8.3. providing THE SFA the ESFA with any Personal Data it holds in relation to a Data Subject (within the timescales required by THE SFAthe ESFA); and 16.3.8.4 16.3.8.4. providing THE SFA the ESFA with any information requested by them or their representatives. 16.3.9 16.3.9. permit THE SFA the ESFA or THE SFAthe ESFA’s representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit THE CONTRACTOR’S the Contractor’s Data Processing (within the meaning of the Data Protection Laws) activities (and/or those of its agents, subsidiaries, and sub-contractors) and comply with all reasonable requests or directions by THE SFA the ESFA to enable THE SFA the ESFA to verify and or procure that THE CONTRACTOR the Contractor is in full compliance with its obligations under this Contract; 16.3.10. provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the ESFA); and 16.3.11. provide the ESFA with information about how the Learner Files are stored including details of the location where the Learner Files are kept and the arrangements for their security. the Contractor is required to notify the ESFA of any changes to this information 16.3.12. not Process Personal Data outside the European Economic Area without the prior written consent of the ESFA and, where the ESFA consents to a transfer, to comply with: 16.3.12.1. the obligations of a Data Controller (within the meaning of the Data Protection Laws as maybe amended from time to time), under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data is transferred; and 16.3.12.2. any reasonable instructions notified to it by the ESFA. 16.4. Where the Contractor is providing the Services to Learners claiming out of work benefits, the Secretary of State for Work and Pensions (or their successor) is the Data Controller in relation to Personal Data which the Contractor is required to provide to the Secretary of State for Work and Pensions. This Clause 16 will be enforceable by the Secretary of State for Work and Pensions in relation to any Personal Data processed by the Contractor on their behalf. 16.5. Where the Contractor is providing the Service to Learners who are subject to active management by the Offender Manager in respect of an order or licence, the Secretary of State for Justice (or their successor) is the Data Controller in relation to Personal Data which the Contractor is required to provide to the Secretary of State for Justice.