Common use of DATA PROTECTION, FREEDOM OF INFORMATION AND TRANSPARENCY Clause in Contracts

DATA PROTECTION, FREEDOM OF INFORMATION AND TRANSPARENCY. 17.1 The Parties must ensure that all Personal Data processed by or on behalf of them in the course of carrying out the Delegated Functions and Reserved Functions is processed in accordance with the relevant Party’s obligations under Data Protection Legislation and Data Guidance and the Parties must assist each other as necessary to enable each other to comply with these obligations. 17.2 The ICB must respond to any information governance breach in accordance with IG Guidance for Serious Incidents. If the ICB is required under Data Protection Legislation to notify the Information Commissioner’s Office or a Data Subject of an information governance breach then as soon as reasonably practical and in any event on or before the first such notification is made the ICB must fully inform NHS England of the information governance breach. This clause does not require the ICB to provide NHS England with information which identifies any individual affected by the information governance breach where doing so would breach Data Protection Legislation. 17.3 Whether or not a Party is a Data Controller or Data Processor will be determined in accordance with Data Protection Legislation and any Data Guidance from a Regulatory or Supervisory Body. The Parties acknowledge that a Party may act as both a Data Controller and a Data Processor. 17.4 Each Party acknowledges that the other is a public authority for the purposes of the Freedom of Information Xxx 0000 (“FOIA”) and the Environmental Information Regulations 2004 (“EIR”). 17.5 Each Party may be statutorily required to disclose further information about the Agreement and the Relevant Information in response to a specific request under FOIA or EIR, in which case: 17.5.1 each Party shall provide the other with all reasonable assistance and co- operation to enable them to comply with their obligations under FOIA or EIR; 17.5.2 each Party shall consult the other regarding the possible application of exemptions in relation to the information requested; and 17.5.3 subject only to clause 16 (Claims and Litigation), each Party acknowledges that the final decision as to the form or content of the response to any request is a matter for the Party to whom the request is addressed. 17.6 NHS England may, from time to time, issue a FOIA or EIR protocol or update a protocol previously issued relating to the dealing with and responding to of FOIA or EIR requests in relation to the Delegated Functions. The ICB shall comply with such FOIA or EIR protocols. 17.7 SCHEDULE 4 makes further provision about information sharing and information governance.

DATA PROTECTION, FREEDOM OF INFORMATION AND TRANSPARENCY. 17.1 The Parties must ensure that all Personal Data processed by or on behalf of them in the course of carrying out the Delegated Functions and Reserved Functions is processed in accordance with the relevant Party’s obligations under Data Protection Legislation and Data Guidance and the Parties must assist each other as necessary to enable each other to comply with these obligations. 17.2 The ICB must respond to any information governance breach in accordance with IG Guidance for Serious Incidents. If the ICB is required under Data Protection Legislation to notify the Information Commissioner’s Office or a Data Subject of an information governance breach then as soon as reasonably practical and in any event on or before the first such notification is made the ICB must fully inform NHS England of the information governance breach. This clause does not require the ICB to provide NHS England with information which identifies any individual affected by the information governance breach where doing so would breach Data Protection Legislation. 17.3 Whether or not a Party is a Data Controller or Data Processor will be determined in accordance with Data Protection Legislation and any Data Guidance from a Regulatory or Supervisory Body. The Parties acknowledge that a Party may act as both a Data Controller and a Data Processor. 17.4 Each Party acknowledges that the other is a public authority for the purposes of the Freedom of Information Xxx 0000 Act 2000 (“FOIA”) and the Environmental Information Regulations 2004 (“EIR”). 17.5 Each Party may be statutorily required to disclose further information about the Agreement and the Relevant Information in response to a specific request under FOIA or EIR, in which case: 17.5.1 each Party shall provide the other with all reasonable assistance and co- operation to enable them to comply with their obligations under FOIA or EIR; 17.5.2 each Party shall consult the other regarding the possible application of exemptions in relation to the information requested; and 17.5.3 subject only to clause 16 (Claims and Litigation), each Party acknowledges that the final decision as to the form or content of the response to any request is a matter for the Party to whom the request is addressed. 17.6 NHS England may, from time to time, issue a FOIA or EIR protocol or update a protocol previously issued relating to the dealing with and responding to of FOIA or EIR requests in relation to the Delegated Functions. The ICB shall comply with such FOIA or EIR protocols. 17.7 SCHEDULE 4 makes further provision about information sharing and information governance.

DATA PROTECTION, FREEDOM OF INFORMATION AND TRANSPARENCY. 17.1 The Parties must ensure that all Personal Data processed by or on behalf of them in the course of carrying out the Delegated Functions and Reserved Functions is processed in accordance with the relevant Party’s obligations under Data Protection Legislation and Data Guidance and the Parties must assist each other as necessary to enable each other to comply with these obligations. 17.2 The ICB must respond to any information governance breach in accordance with IG Guidance for Serious Incidents. If the ICB is required under Data Protection Legislation to notify the Information Commissioner’s Office or a Data Subject of an information governance breach then as soon as reasonably practical and in any event on or before the first such notification is made the ICB must fully inform NHS England of the information governance breach. This clause does not require the ICB to provide NHS England with information which identifies any individual affected by the information governance breach where doing so would breach Data Protection Legislation. 17.3 Whether or not a Party is a Data Controller or Data Processor will be determined in accordance with Data Protection Legislation and any Data Guidance from a Regulatory or Supervisory Body. The Parties acknowledge that a Party may act as both a Data Controller and a Data Processor. 17.4 Each Party acknowledges that the other is a public authority for the purposes of the Freedom of Information Xxx 0000 Act 2000 (“FOIA”) and the Environmental Information Regulations 2004 (“EIR”). 17.5 Each Party may be statutorily required to disclose further information about the Agreement and the Relevant Information in response to a specific request under FOIA or EIR, in which case: 17.5.1 each Party shall provide the other with all reasonable assistance and co- operation to enable them to comply with their obligations under FOIA or EIR; 17.5.2 each Party shall consult the other regarding the possible application of exemptions in relation to the information requested; and 17.5.3 subject only to clause 16 (Claims and Litigation), each Party acknowledges that the final decision as to the form or content of the response to any request is a matter for the Party to whom the request is addressed. 17.6 NHS England may, from time to time, issue a FOIA or EIR protocol or update a protocol previously issued relating to the dealing with and responding to of FOIA or EIR requests in relation to the Delegated Functions. The ICB shall comply with such FOIA or EIR protocols. 17.7 17.8 SCHEDULE 4 makes further provision about information sharing and information governance.3

DATA PROTECTION, FREEDOM OF INFORMATION AND TRANSPARENCY. 17.1 The Parties must ensure that all Personal Data processed by or on behalf of them in the course of carrying out the Delegated Functions and Reserved Functions is processed in accordance with the relevant Party’s obligations under Data Protection Legislation and Data Guidance and the Parties must assist each other as necessary to enable each other to comply with these obligations. 17.2 The ICB must respond to any information governance breach in accordance with IG Guidance for Serious Incidents. If the ICB is required under Data Protection Legislation to notify the Information Commissioner’s Office or a Data Subject of an information governance breach then as soon as reasonably practical and in any event on or before the first such notification is made the ICB must fully inform NHS England of the information governance breach. This clause does not require the ICB to provide NHS England with information which identifies any individual affected by the information governance breach where doing so would breach Data Protection Legislation. 17.3 Whether or not a Party is a Data Controller or Data Processor will be determined in accordance with Data Protection Legislation and any Data Guidance from a Regulatory or Supervisory Body. The Parties acknowledge that a Party may act as both a Data Controller and a Data Processor. 17.4 Each Party acknowledges that the other is a public authority for the purposes of the Freedom of Information Xxx 0000 Act 2000 (“FOIA”) and the Environmental Information Regulations 2004 (“EIR”). 17.5 Each Party may be statutorily required to disclose further information about the Agreement and the Relevant Information in response to a specific request under FOIA or EIR, in which case: 17.5.1 each Party shall provide the other with all reasonable assistance and co- operation to enable them to comply with their obligations under FOIA or EIR; 17.5.2 each Party shall consult the other regarding the possible application of exemptions in relation to the information requested; and 17.5.3 subject only to clause 16 (Claims and Litigation), each Party acknowledges that the final decision as to the form or content of the response to any request is a matter for the Party to whom the request is addressed. 17.6 NHS England may, from time to time, issue a FOIA or EIR protocol or update a protocol previously issued relating to the dealing with and responding to of FOIA or EIR requests in relation to the Delegated Functions. The ICB shall comply with such FOIA or EIR protocols. 17.7 SCHEDULE Schedule 4 (Further Information Governance and Sharing Provisions) makes further provision about information sharing and information governance.

DATA PROTECTION, FREEDOM OF INFORMATION AND TRANSPARENCY. ‌ 17.1 The Parties must ensure that all Personal Data processed by or on behalf of them in the course of carrying out the Delegated Functions and Reserved Functions is processed in accordance with the relevant Party’s obligations under Data Protection Legislation and Data Guidance and the Parties must assist each other as necessary to enable each other to comply with these obligations. 17.2 The ICB must respond to any information governance breach in accordance with IG Guidance for Serious Incidents. If the ICB is required under Data Protection Legislation to notify the Information Commissioner’s Office or a Data Subject of an information governance breach then as soon as reasonably practical and in any event on or before the first such notification is made the ICB must fully inform NHS England of the information governance breach. This clause does not require the ICB to provide NHS England with information which identifies any individual affected by the information governance breach where doing so would breach Data Protection Legislation. 17.3 Whether or not a Party is a Data Controller or Data Processor will be determined in accordance with Data Protection Legislation and any Data Guidance from a Regulatory or Supervisory Body. The Parties acknowledge that a Party may act as both a Data Controller and a Data Processor. 17.4 Each Party acknowledges that the other is a public authority for the purposes of the Freedom of Information Xxx 0000 Act 2000 (“FOIA”) and the Environmental Information Regulations 2004 (“EIR”). 17.5 Each Party may be statutorily required to disclose further information about the Agreement and the Relevant Information in response to a specific request under FOIA or EIR, in which case: 17.5.1 each Party shall provide the other with all reasonable assistance and co- operation to enable them to comply with their obligations under FOIA or EIR; 17.5.2 each Party shall consult the other regarding the possible application of exemptions in relation to the information requested; and 17.5.3 subject only to clause 16 (Claims and Litigation), each Party acknowledges that the final decision as to the form or content of the response to any request is a matter for the Party to whom the request is addressed. 17.6 NHS England may, from time to time, issue a FOIA or EIR protocol or update a protocol previously issued relating to the dealing with and responding to of FOIA or EIR requests in relation to the Delegated Functions. The ICB shall comply with such FOIA or EIR protocols. 17.7 SCHEDULE 4 makes further provision about information sharing and information governance.