Common use of Incident Reporting Clause in Contracts

Incident Reporting. 13.1 As soon as the Contractor becomes aware, it shall immediately report any incident affecting the delivery of the Service(s) to the Framework Public Body. The Contractor will undertake an immediate investigation and will provide feedback in writing on findings, including corrective actions required and trends observed, to the Framework Public Body within 24 hours of the incident being reported by telephone/e-mail. 13.2 Serious incidents can be categorised as but not limited to:  Any breach of security which may affect the security of data supplied by the Framework Public Body to the Contractor;  Failure to deliver the required Services due to any type of service disruption. 13.3 These examples are indicative only and the Framework Public Body may provide for further categories of serious incidents at the call-off level. 13.4 The Contractor shall, in the event of a serious incident, provide from within Contractor’s senior management, a single point of contact person within 1 hour of notification. 13.5 It shall be the responsibility of the contact person to pursue the investigation and mitigation of the incident to the satisfaction of the Framework Public Body and they shall be required to provide progress updates to the Framework Public Body on request. 13.6 In addition to the above notification requirements, the Contractor shall have in place an effective and efficient incident handling procedure for dealing with security breaches in the provision of Service(s) to the Framework Public Body and these should be agreed by the Framework Public Body and Contractor in advance. As a minimum it must include but not be limited to:  Early identification of any loss of data;  Early notification to Framework Public Body on any security breaches;  Set procedures in place to conduct thorough premises searches;  Ability to provide immediate feedback on investigations to Framework Public Body contacts that may be requested at any time from the notification;  Internal escalation procedures in place to notify senior Contract Managers and Security Managers;  Ability within workforce planning to provide on-site management and assistance to ascertain the causes of the security breach and implement any immediate remedial actions in mitigation;  Final reporting writing procedures in agreement with the Framework Public Body;  Full co-operation with any requests for written reports and information pertaining to security incidents that may be requested by the Information Commissioner. 13.7 The Contractor will ensure procedures and processes are in place to ensure the confidentiality of client data and enable working with bodies with high Information Technology (IT) security requirements to deliver services.

Incident Reporting. 13.1 1.11.1 As soon as the Contractor becomes aware, it shall immediately report any incident affecting the delivery of the Service(s) to the Framework Public Body. The Contractor will undertake an immediate investigation and will provide feedback in writing on findings, including corrective actions required and trends observed, to the Framework Public Body within 24 hours of the incident being reported by telephone/e-mail. 13.2 1.11.2 Serious incidents can be categorised as but not limited to:  Any breach of security which may affect the security of data supplied by the Framework Public Body to the Contractor;  Failure to deliver the required Services due to any type of service disruption. 13.3 These examples are disruption This list is indicative only and the Framework Public Body may provide for further categories of serious incidents at the callCall-off Off level. 13.4 1.11.3 The Contractor shall, in the event of a serious incident, provide from within Contractor’s senior management, a single point of contact person within 1 hour of notification. 13.5 1.11.4 It shall be the responsibility of the contact person to pursue the investigation and mitigation of the incident to the satisfaction of the Framework Public Body and they shall be required to provide progress updates to the Framework Public Body on request. 13.6 1.11.5 In addition to the above notification requirements, the Contractor shall have in place an effective and efficient incident handling procedure for dealing with security breaches in the provision of Service(s) to the Framework Public Body and these should be agreed by the Framework Public Body and Contractor in advance. As a minimum it must include but not be limited to:  Early identification of any loss of data;  Early notification to Framework Public Body on any security breaches;  Set procedures in place to conduct thorough premises searches;  Ability to provide immediate feedback on investigations to Framework Public Body contacts that may be requested at any time from the notification;  Internal escalation procedures in place to notify senior Contract Managers and Security Managers;  Ability within workforce planning to provide on-site management and assistance to ascertain the causes of the security breach and implement any immediate remedial actions in mitigation;  Final reporting writing procedures in agreement with the Framework Public Body;  Full co-operation with any requests for written reports and information pertaining to security incidents that may be requested by the Information Commissioner. 13.7 1.11.6 The Contractor will ensure procedures and processes are in place to ensure the confidentiality of client data and enable working with bodies with high Information Technology (IT) security requirements to deliver services.

Incident Reporting. 13.1 1.11.1 As soon as the Contractor becomes aware, it shall immediately report any incident affecting the delivery of the Service(s) to the Framework Public Body. The Contractor will undertake an immediate investigation and will provide feedback in writing on findings, including corrective actions required and trends observed, to the Framework Public Body within 24 hours of the incident being reported by telephone/e-mail. 13.2 1.11.2 Serious incidents can be categorised as but not limited to:  • Any breach of security which may affect the security of data supplied by the Framework Public Body to the Contractor;  • Failure to deliver the required Services due to any type of service disruption. 13.3 These examples are disruption This list is indicative only and the Framework Public Body may provide for further categories of serious incidents at the callCall-off Off level. 13.4 1.11.3 The Contractor shall, in the event of a serious incident, provide from within Contractor’s senior management, a single point of contact person within 1 hour of notification. 13.5 1.11.4 It shall be the responsibility of the contact person to pursue the investigation and mitigation of the incident to the satisfaction of the Framework Public Body and they shall be required to provide progress updates to the Framework Public Body on request. 13.6 1.11.5 In addition to the above notification requirements, the Contractor shall have in place an effective and efficient incident handling procedure for dealing with security breaches in the provision of Service(s) to the Framework Public Body and these should be agreed by the Framework Public Body and Contractor in advance. As a minimum it must include but not be limited to:  • Early identification of any loss of data;  • Early notification to Framework Public Body on any security breaches;  • Set procedures in place to conduct thorough premises searches;  • Ability to provide immediate feedback on investigations to Framework Public Body contacts that may be requested at any time from the notification;  • Internal escalation procedures in place to notify senior Contract Managers and Security Managers;  • Ability within workforce planning to provide on-site management and assistance to ascertain the causes of the security breach and implement any immediate remedial actions in mitigation;  • Final reporting writing procedures in agreement with the Framework Public Body;  • Full co-operation with any requests for written reports and information pertaining to security incidents that may be requested by the Information Commissioner. 13.7 1.11.6 The Contractor will ensure procedures and processes are in place to ensure the confidentiality of client data and enable working with bodies with high Information Technology (IT) security requirements to deliver services.

Incident Reporting. 13.1 As soon as the Contractor Supplier becomes aware, it shall immediately report any incident affecting the delivery of the Service(s) to the Framework Public Contracting Body. The Contractor Supplier will undertake an immediate investigation and will provide feedback in writing on findings, including corrective actions required and trends observed, to the Framework Public Contracting Body within 24 hours of the incident being reported by telephone/e-mail. 13.2 . Serious incidents can be categorised as but not limited to:  Mail items that cannot be traced following despatch; Any tracked item that has been delivered incorrectly; Any items that are found in public places; Any failed collections from the Contracting Body site; Any items that have been stolen whilst in the Suppliers’ possession; Any breach of security which may affect the security of data supplied by the Framework Public Contracting Body to the ContractorSupplier;  Failure to deliver the required Services due to any type of service disruption. 13.3 These examples are indicative only and the Framework Public Body may provide for further categories of serious incidents at the call-off level. 13.4 The Contractor Supplier shall, in the event of a serious incident, provide from within ContractorSupplier’s senior management, a single point of contact person within 1 hour of notification. 13.5 . It shall be the responsibility of the contact person to pursue the investigation and mitigation of the incident to the satisfaction of the Framework Public Contracting Body and they shall be required to provide progress updates to the Framework Public Contracting Body on request. 13.6 . In addition to the above notification requirements, the Contractor Supplier shall have in place an effective and efficient incident handling procedure for dealing with security breaches in the provision of Service(s) to the Framework Public Contracting Body and these should be agreed by the Framework Public Contracting Body and Contractor Supplier in advance. As a minimum it must include but not be limited to:  Early identification of any loss of data;  Early notification to Framework Public Contracting Body on any security breaches;  Set procedures in place to conduct thorough premises searches;  Ability to provide immediate feedback on investigations to Framework Public Contracting Body contacts that may be requested at any time from the notification;  Internal escalation procedures in place to notify senior Contract Managers contract managers and Security Managerssecurity managers;  Ability within workforce planning to provide on-site management and assistance to ascertain the causes of the security breach and implement any immediate remedial actions in mitigation;  Final reporting writing procedures in agreement with the Framework Public Contracting Body;  Full co-operation with any requests for written reports and information pertaining to security incidents that may be requested by the Information Commissioner. 13.7 The Contractor Commissioner IDENTIFICATION OF REQUIREMENTS It is critical that the Supplier can provide objective and professional advice to Contracting Bodies All advice provided to the Contracting Bodies shall be accurate and designed to drive value and efficiencies for the Contracting Bodies. Suppliers will be required to liaise with the Contracting Body’s IT management teams to confirm the suitability of their network requirements and operational software being proposed, where required. Suppliers will confirm with the Contracting Body’s IT management teams the implications and approach to asset tagging and asset identification where appropriate to the solution. Suppliers will confirm with the Contracting Body’s IT management teams that sufficient server space is available to accommodate the proposed solution, where appropriate. All survey and connectivity reports are to be agreed and signed by both parties to the Call Off Agreement. Suppliers shall ensure procedures and processes are in place to ensure full visibility of the confidentiality supply chain as a minimum these should be: Use of client data and enable working with bodies with high Information Technology (IT) security requirements to deliver services.subcontractors Attribution of cost

Incident Reporting. 13.1 As soon as the Contractor becomes aware, it shall immediately report any incident affecting the delivery of the Service(s) to the Framework Public Body. The Contractor will undertake an immediate investigation and will provide feedback in writing on findings, including corrective actions required and trends observed, to the Framework Public Body within 24 hours of the incident being reported by telephone/e-mail. 13.2 Serious incidents can be categorised as but not limited to:  • Any breach of security which may affect the security of data supplied by the Framework Public Body to the Contractor;  • Failure to deliver the required Services due to any type of service disruption. 13.3 These examples are indicative only and the Framework Public Body may provide for further categories of serious incidents at the call-off level. 13.4 The Contractor shall, in the event of a serious incident, provide from within Contractor’s senior management, a single point of contact person within 1 hour of notification. 13.5 It shall be the responsibility of the contact person to pursue the investigation and mitigation of the incident to the satisfaction of the Framework Public Body and they shall be required to provide progress updates to the Framework Public Body on request. 13.6 In addition to the above notification requirements, the Contractor shall have in place an effective and efficient incident handling procedure for dealing with security breaches in the provision of Service(s) to the Framework Public Body and these should be agreed by the Framework Public Body and Contractor in advance. As a minimum it must include but not be limited to:  • Early identification of any loss of data;  • Early notification to Framework Public Body on any security breaches;  • Set procedures in place to conduct thorough premises searches;  • Ability to provide immediate feedback on investigations to Framework Public Body contacts that may be requested at any time from the notification;  • Internal escalation procedures in place to notify senior Contract Managers and Security Managers;  • Ability within workforce planning to provide on-site management and assistance to ascertain the causes of the security breach and implement any immediate remedial actions in mitigation;  • Final reporting writing procedures in agreement with the Framework Public Body;  • Full co-operation with any requests for written reports and information pertaining to security incidents that may be requested by the Information Commissioner. 13.7 The Contractor will ensure procedures and processes are in place to ensure the confidentiality of client data and enable working with bodies with high Information Technology (IT) security requirements to deliver services.