Common use of Data Protection & Information Security Clause in Contracts

Data Protection & Information Security. (where applicable) 1.9.1 The data that the Contractor will handle under this Framework Agreement will be classed as ‘Official’ or ‘Official – Sensitive’ and should be treated with care, taking into account relevant legislation, at all times. Further information on Government Security Classifications and Framework Agreements can be found at: 1.9.2 The Contractor will ensure the confidentiality of the data stored and/or communicated as part of this Framework Agreement, including both electronic and paper-based data. 1.9.3 The Contractor will ensure procedures and processes are in place to ensure security of client data, enabling them to work with Framework Public Bodies with high Information Technology (IT) security requirements to deliver services, ensuring continuity and protection against cyber- attacks. This must include commercial grade full disk encryption for all data and secure e-mail for data in transit. 1.9.4 Contractors as a minimum must have:  Processes in place ensuring security of client data including processes for assessing future risks;  Acceptable Destruction policies and processes for deleting data;  Procedures in place for Disaster Recovery Testing, including the dates, duration and frequency;  Methods for the back-up of delivering services should an incident occur including manpower and access to equipment;  Appropriate commercial licenses for software in place;  Methods in place to mitigate against cyber-attack and crime using online technologies including processes relating to Boundary Firewalls and Internet Gateways, Secure Configuration, Access Control, Malware Protection and Patch Management 1.9.5 Information on the Scottish Government Cyber Resilience Strategy can be found by following this link: A Cyber Resilience Strategy for Scotland 1.9.6 For further information please see the UK Governments Cyber Essentials Scheme and consider the information included within the scheme.

Data Protection & Information Security. (where applicable) 1.9.1 The data that the Contractor will handle under this Framework Agreement will be classed as ‘Official’ or ‘Official – Sensitive’ and should be treated with care, taking into account relevant legislation, at all times. Further information on Government Security Classifications and Framework Agreements can be found at: 1.9.2 The Contractor will ensure the confidentiality of the data stored and/or communicated as part of this Framework Agreement, including both electronic and paper-based data. 1.9.3 The Contractor will ensure procedures and processes are in place to ensure security of client data, enabling them to work with Framework Public Bodies with high Information Technology (IT) security requirements to deliver services, ensuring continuity and protection against cyber- attacks. This must include commercial grade full disk encryption for all data and secure e-mail for data in transit. 1.9.4 Contractors as a minimum must have:  • Processes in place ensuring security of client data including processes for assessing future risks;  • Acceptable Destruction policies and processes for deleting data;  • Procedures in place for Disaster Recovery Testing, including the dates, duration and frequency;  • Methods for the back-up of delivering services should an incident occur including manpower and access to equipment;  • Appropriate commercial licenses for software in place;  • Methods in place to mitigate against cyber-attack and crime using online technologies including processes relating to Boundary Firewalls and Internet Gateways, Secure Configuration, Access Control, Malware Protection and Patch Management 1.9.5 Information on the Scottish Government Cyber Resilience Strategy can be found by following this link: A Cyber Resilience Strategy for Scotland 1.9.6 For further information please see the UK Governments Cyber Essentials Scheme and consider the information included within the scheme.