Common use of Data Protection & Information Security Clause in Contracts

Data Protection & Information Security. 11.1 The data that the Contractor will handle under this Framework Agreement will be classed as Official or Official-Sensitive and should be treated with care, taking into account relevant legislation, at all times. Further information on Government Security Classifications and Framework Agreements can be found at: 11.2 The Contractor will ensure the confidentiality of the data stored and/or communicated as part of this Framework Agreement, including both electronic and paper-based data. 11.3 The Contractor will employ effective administration and record control processes in order to underpin service delivery whilst also ensuring data is protected in compliance with the requirements of Data Protection Laws. 11.4 The Contractor will ensure procedures and processes are in place to ensure security of client data, enabling them to work with Framework Public Bodies with high Information Technology (IT) security requirements to deliver services, ensuring continuity and protection against cyber-attacks. This must include commercial grade full disk encryption for all data and secure email for data in transit. 11.5 Contractors as a minimum must have: • Processes in place ensuring security of client data including processes for assessing future risks; • Acceptable Destruction policies and processes for deleting data; • Procedures in place for Disaster Recovery Testing, including the dates, duration and frequency; • Methods for the back-up of delivering services should an incident occur including manpower and access to equipment; Appropriate commercial licenses for software in place; • Methods in place to mitigate against cyber-attack and crime using online technologies including processes relating to Boundary Firewalls and Internet Gateways, Secure Configuration, Access Control, Malware Protection and Patch Management Information on the Scottish Government Cyber Resilience Strategy can be found by following this link: A Cyber Resilience Strategy for Scotland

Data Protection & Information Security. 11.1 The data that the Contractor will handle under this Framework Agreement will be classed as Official or Official-Sensitive and should be treated with care, taking into account relevant legislation, at all times. Further information on Government Security Classifications and Framework Agreements can be found at: 11.2 The Contractor will ensure the confidentiality of the data stored and/or communicated as part of this Framework Agreement, including both electronic and paper-based data. 11.3 The Contractor will employ effective administration and record control processes in order to underpin service delivery whilst also ensuring data is protected in compliance with the requirements of Data Protection Laws. 11.4 The Contractor will ensure procedures and processes are in place to ensure security of client data, enabling them to work with Framework Public Bodies with high Information Technology (IT) security requirements to deliver services, ensuring continuity and protection against cyber-attacks. This must include commercial grade full disk encryption for all data and secure email for data in transit. 11.5 Contractors as a minimum must have: • Processes in place ensuring security of client data including processes for assessing future risks; • Acceptable Destruction policies and processes for deleting data; • Procedures in place for Disaster Recovery Testing, including the dates, duration and frequency; • Methods for the back-up of delivering services should an incident occur including manpower and access to equipment; Appropriate commercial licenses for software in place; • Methods in place to mitigate against cyber-attack and crime using online technologies including processes relating to Boundary Firewalls and Internet Gateways, Secure Configuration, Access Control, Malware Protection and Patch Management Information on the Scottish Government Cyber Resilience Strategy can be found by following this link: A Cyber Resilience Strategy for ScotlandScotland For further information please see the UK Governments Cyber Essentials Scheme and consider the information included within the scheme. Cyber Essentials Scheme 11.6 The Contractor will employ effective administration and record control processes in order to underpin service delivery whilst also ensuring data is protected in compliance with the requirements of the Data Protection Laws. 11.7 The Contractor will ensure information held under the Government Security Classifications are correctly managed and safeguarded.