Common use of Information Governance Clause in Contracts

Information Governance. The Parties acknowledge their respective obligations arising under FOIA, DPA and HRA, and under the common law duty of confidentiality, and must assist each other as necessary to enable each other to comply with these obligations. The Provider must complete and publish an annual information governance assessment using the NHS Information Governance Toolkit. The Provider must: nominate an Information Governance Lead, to be responsible for information governance and for providing the Provider’s Governing Body with regular reports on information governance matters, including details of all incidents of data loss and breach of confidence; nominate a Caldicott Guardian and Senior Information Risk Owner, each of whom must be a member of the Provider’s Governing Body; ensure that the Commissioner is kept informed at all times of the identities of the Information Governance Lead, Caldicott Guardian and the Senior Information Risk Owner. The Provider must adopt and implement the recommendations of the Caldicott Information Governance Review and the Response to Caldicott. The Provider must, at least once in each Contract Year, audit its practices against quality statements regarding data sharing set out in NICE Clinical Guideline 138. The Provider must achieve a minimum level 2 performance against all requirements in the relevant NHS Information Governance Toolkit. The Provider must report and publish any Data Breach and any Information Governance Breach in accordance with IG Guidance for Serious Incidents. The Provider acknowledges that the Commissioners are subject to the requirements of the FOIA. The Provider must assist and co-operate with each Commissioner to enable it to comply with its disclosure obligations under the FOIA. The Provider agrees: that this Contract and any other recorded information held by the Provider on a Commissioner’s behalf for the purposes of this Contract are subject to the obligations and commitments of the Commissioner under FOIA; that the decision on whether any exemption to the general obligations of public access to information applies to any request for information received under FOIA is a decision solely for the Commissioner to whom the request is addressed; that where the Provider receives a request for information under FOIA and the Provider itself is subject to FOIA, it will liaise with the relevant Commissioner as to the contents of any response before a response to a request is issued and will promptly (and in any event within 2 Operational Days) provide a copy of the request and any response to the relevant Commissioner; that where the Provider receives a request for information under FOIA and the Provider is not itself subject to FOIA, it will not respond to that request (unless directed to do so by the relevant Commissioner to whom the request relates) and will promptly (and in any event within 2 Operational Days) transfer the request to the relevant Commissioner; that any Commissioner, acting in accordance with the codes of practice issued and revised from time to time under both section 45 of FOIA, and regulation 16 of the Environmental Information Regulations 2004, may disclose information concerning the Provider and this Contract either without consulting with the Provider, or following consultation with the Provider and having taken its views into account; and to assist the Commissioners in responding to a request for information, by processing information or environmental information (as the same are defined in FOIA) in accordance with a records management system that complies with all applicable records management recommendations and codes of conduct issued under section 46 of FOIA, and providing copies of all information requested by that Commissioner within 5 Operational Days of that request and without charge. The Parties acknowledge that, except for any information which is exempt from disclosure in accordance with the provisions of FOIA, the content of this Contract is not Confidential Information. Notwithstanding any other term of this Contract, the Provider consents to the publication of this Contract in its entirety (including variations), subject only to the redaction of information that is exempt from disclosure in accordance with the provisions of FOIA.

Information Governance. 2.1 The Parties acknowledge their respective obligations arising under FOIAmust comply with Data Protection Legislation, DPA Data Guidance, the FOIA and HRA, and under the common law duty of confidentialityEIR, and must assist each other as necessary to enable each other to comply with these obligations. The Provider must complete and publish an annual information governance assessment using the NHS Information Governance Toolkit. . 2.2 The Provider must: : 2.2.1 nominate an Information Governance Lead, to be responsible for information governance and for providing the Provider’s Governing Body with regular reports on information governance matters, including details of all incidents of data loss and breach of confidence; ; 2.2.2 nominate a Caldicott Guardian and Senior Information Risk Owner, each of whom must be a member of the Provider’s Governing Body; ; 2.2.3 where required by Data Protection Legislation, nominate a Data Protection Officer; 2.2.4 ensure that the Commissioner Authority is kept informed at all times of the identities and contact details of the Information Governance Lead, Data Protection Officer, Caldicott Guardian and the Senior Information Risk Owner. ; and 2.2.5 ensure that the Authority and NHS Digital are kept informed at all times of the identities and contact details of the Information Governance Lead, Data Protection Officer, Caldicott Guardian and the Senior Information Risk Owner. 2.3 The Provider must adopt and implement the recommendations National Data Guardian's Data Security Standards and must comply with further Guidance issued by the Department of Health and Social Care, the Caldicott Information Governance Review Authority, any National Data Guardian for Health and Care and/or NHS Digital pursuant to or in connection with those standards. The Provider must be able to demonstrate its compliance with those standards in accordance with the Response requirements and timescales set out in such guidance, including its adherence to Caldicott. data security standards and requirements for enabling patient choice. 2.4 The Provider must, at least once in each Contract Yearannually, audit its practices against quality statements regarding data sharing set out in NICE Clinical Guideline 138. The Provider must achieve a minimum level 2 performance against all requirements in the relevant NHS Information Governance Toolkit. . 2.5 The Provider must report and publish any Data Breach and any Information Governance Breach in accordance with IG Guidance for Serious Incidents. The If the Provider acknowledges that is required under Data Protection Legislation to notify the Commissioners are subject to Information Commissioner or a Data Subject of a Personal Data Breach then as soon as reasonably practical and in any event on or before the requirements first such notification is made the Provider must inform the Authority of the FOIAPersonal Data Breach. This paragraph does not require the Provider to provide the Authority with information which identifies any individual affected by the Personal Data Breach where doing so would breach Data Protection Legislation. 2.6 The Provider must assist have in place a communications strategy and coimplementation plan to ensure that Service Users are provided with, or have made readily available to them, Privacy Notices, and to disseminate nationally-operate with each Commissioner to enable it to comply with its disclosure obligations under the FOIAproduced patient information materials. The Provider agrees: that this Contract and any other recorded information held Any failure by the Provider to inform Service Users as required by Data Protection Legislation or Data Guidance about the uses of Personal Data that may take place under this Agreement cannot be relied on by the Provider as evidence that such use is unlawful and therefore not contractually required. 2.7 Whether or not a Party or Sub-Contractor is a Data Controller or Data Processor will be determined in accordance with Data Protection Legislation and the Information Commissioner’s behalf 's guidance on Data Controllers and Data Processors and any further Data Guidance. The Parties acknowledge that a Party or Sub-Contractor may act as both a Data Controller and a Data Processor. The Parties consider that: 2.7.1 in relation to Personal Data processed by the Provider for the purpose of delivering the Services the Provider will be sole Data Controller; and 2.7.2 in relation to Personal Data the processing of which is required by the Authority for the purposes of this Contract are subject to quality assurance, performance management and contract management, the obligations and commitments of the Commissioner under FOIA; that the decision on whether any exemption to the general obligations of public access to information applies to any request for information received under FOIA is a decision solely for the Commissioner to whom the request is addressed; that where the Provider receives a request for information under FOIA Authority and the Provider itself is subject to FOIA, it will liaise with the relevant Commissioner as to the contents of any response before a response to a request is issued and will promptly (and in any event within 2 Operational Days) provide a copy be joint Data Controllers. 2.8 The Provider must ensure that all Personal Data processed by or behalf of the request and any response to Provider in the relevant Commissioner; that where course of delivering the Provider receives a request for information under FOIA and the Provider Services is not itself subject to FOIA, it will not respond to that request (unless directed to do so by the relevant Commissioner to whom the request relates) and will promptly (and in any event within 2 Operational Days) transfer the request to the relevant Commissioner; that any Commissioner, acting processed in accordance with the codes of practice issued relevant Parties’ obligations under Data Protection Legislation and revised from time to time under both section 45 of FOIA, Data Guidance and regulation 16 of the Environmental Information Regulations 2004, may disclose information concerning the Provider and this Contract either without consulting with the Provider, or following consultation with the Provider and having taken its views into account; and to assist the Commissioners in responding to a request for information, by processing information or environmental information (as the same are defined in FOIA) in accordance with a records management system that complies with all applicable records management recommendations and codes of conduct issued under section 46 of FOIA, and providing copies of all information requested by that Commissioner within 5 Operational Days of that request and without charge. The Parties acknowledge that, except for any information which is exempt from disclosure in accordance with the provisions of FOIA, any relevant Contract. 2.9 In relation to Personal Data processed by the content Provider in the course of this Contract is not Confidential Information. Notwithstanding any other term of this Contractdelivering the Services, the Provider consents must publish, maintain and operate: 2.9.1 policies relating to confidentiality, data protection and information disclosures that comply with the Law, the Caldicott Principles and Good Practice; 2.9.2 policies that describe the personal responsibilities of Staff for handling Personal Data; 2.9.3 a policy that supports the Provider’s obligations under the NHS Care Records Guarantee; 2.9.4 agreed protocols to govern the sharing of Personal Data with partner organisations; and 2.9.5 where appropriate, a system and a policy in relation to the publication recording of any telephone calls or other telehealth consultations in relation to the Services, including the retention and disposal of those recordings, and apply those policies and protocols conscientiously. 2.10 Where the Authority requires information for the purposes of quality management of care processes, the Provider must consider whether the Authority's request can be met by providing anonymised or aggregated data which does not contain Personal Data. Where Personal Data must be shared in order to meet the requirements of the Authority, the Provider must: 2.10.1 provide such information in pseudonymised from where possible; and 2.10.2 in any event ensure that there is a legal basis for the sharing of Personal Data. 2.11 Notwithstanding paragraph 2.10 of this Contract Schedule 2, the Provider must (unless it can lawfully justify non-disclosure) disclose defined or specified confidential patient information to or at the request of the Authority where support has been provided under the Section 251 Regulations, respecting any individual Service User’s objections and complying with other conditions of the relevant approval. 2.12 Where the Provider, in the course of delivering the Services, acts as a Data Processor on behalf of a Participating Authority, the provisions of Schedule 6F (Provider Data Processing Agreement) of the Call-off Terms and Conditions will apply. 2.13 Subject always to Clause 32, if the Provider is to engage any Sub-Contractor to deliver any part of the Services (other than as a Data Processor) and the Sub-Contractor is to access personal or confidential information or interact with Service Users, the Provider must impose on its entirety Sub-Contractor obligations that are no less onerous than the obligations imposed on the Provider by this Schedule 2. 2.14 Subject always to Clause 32, if the Provider is to require any Sub-Contractor to act as a Data Processor on its behalf, the Provider must: 2.14.1 require that Sub-Contractor to provide sufficient guarantees in respect of its technical and organisational security measures governing the data processing to be carried out, and take reasonable steps to ensure compliance with those measures; 2.14.2 carry out and record appropriate due diligence before the Sub-Contractor processes any Personal Data in order to demonstrate compliance with Data Protection Legislation; and 2.14.3 as far as practicable include in the terms of the sub-contract terms equivalent to those set out in Schedule 6F (including variations), subject Provider Data Processor Agreement) of the Call-off Terms and Conditions and in any event ensure that the Sub- Contractor is engaged under the terms of a binding written agreement requiring the Sub-Contractor to: 2.14.3.1 process Personal Data only to the redaction of information that is exempt from disclosure in accordance with the Provider's instructions as set out in the written agreement, including instructions regarding transfers of Personal Data outside the EU or to an international organisation unless such transfer is required by Law, in which case the Data Processor shall inform the Provider of that requirement before processing takes place, unless this is prohibited by law on the grounds of public interest; 2.14.3.2 ensure that persons authorised to process the Personal Data on behalf of the Sub-Contractor have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality; 2.14.3.3 comply at all times with obligations equivalent to those imposed on the Provider by Article 32 of the UK GDPR and equivalent provisions in the DPA 2018; 2.14.3.4 impose obligations as set out in this paragraph 2.14.3 on any Sub-processor appointed by the Sub-Contractor; 2.14.3.5 taking into account the nature of FOIAthe processing, assist the Provider by taking appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Provider’s obligation to respond to requests for exercising rights granted to individuals by Data Protection Legislation; 2.14.3.6 assist the Provider in ensuring compliance with the obligations set out at Article 32 to 36 of the UK GDPR and equivalent provisions implemented into Law, taking into account the nature of processing and the information available to the Sub-Contractor; 2.14.3.7 at the choice of the Provider, delete or return all Personal Data to the Provider after the end of the provision of services relating to processing, and delete existing copies unless the Law requires storage of the Personal Data; 2.14.3.8 create and maintain a record of all categories of data processing activities carried out under the Sub-Contract, containing: 2.14.3.8.1 the name and contact details of the Data Protection Officer (where required by Data Protection Legislation to have one); 2.14.3.8.2 the categories of processing carried out on behalf of the Provider; 2.14.3.8.3 where applicable, transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation and, where relevant, the documentation of suitable safeguards; and 2.14.3.8.4 a general description of the technical and organisation security measures taken to ensure the security and integrity of the Personal Data processed under this Agreement; 2.14.3.9 guarantee that it has technical and organisational measures in place that are sufficient to ensure that the processing complies with Data Protection Legislation and ensures that the rights of Data Subject are protected; 2.14.3.10 allow rights of audit and inspection in respect of relevant data handling systems to the Provider or to the Authority or to any person authorised by the Provider or by the Authority to act on its behalf; and 2.14.3.11 impose on its own Sub-Contractors (in the event the Sub- Contractor further sub-contracts any of its obligations under the Sub-Contract) obligations that are substantially equivalent to the obligations imposed on the Sub-Contractor by this paragraph 2.14. 2.15 The agreement required by paragraph 2.14 must also set out: 2.15.1 the subject matter of the processing; 2.15.2 the duration of the processing; 2.15.3 the nature and purposes of the processing; 2.15.4 the type of personal data processed; 2.15.5 the categories of data subjects; and 2.15.6 the plan for return and destruction of the data once processing is complete unless the Law requires that the data is preserved.

Information Governance. 2.1 The Parties acknowledge their respective obligations arising under FOIAmust comply with Data Protection Legislation, DPA Data Guidance, the FOIA and HRA, and under the common law duty of confidentialityEIR, and must assist each other as necessary to enable each other to comply with these obligations. The Provider must complete and publish an annual information governance assessment using the NHS Information Governance Toolkit. . 2.2 The Provider must: : 2.2.1 nominate an Information Governance Lead, to be responsible for information governance and for providing the Provider’s Governing Body with regular reports on information governance matters, including details of all incidents of data loss and breach of confidence; ; 2.2.2 nominate a Caldicott Guardian and Senior Information Risk Owner, each of whom must be a member of the Provider’s Governing Body; ; 2.2.3 where required by Data Protection Legislation, nominate a Data Protection Officer; 2.2.4 ensure that the Commissioner Authority is kept informed at all times of the identities and contact details of the Information Governance Lead, Data Protection Officer, Caldicott Guardian and the Senior Information Risk Owner. ; and 2.2.5 ensure that the Authority and NHS Digital are kept informed at all times of the identities and contact details of the Information Governance Lead, Data Protection Officer, Caldicott Guardian and the Senior Information Risk Owner. 2.3 The Provider must adopt and implement the recommendations National Data Guardian's Data Security Standards and must comply with further Guidance issued by the Department of Health and Social Care, the Caldicott Information Governance Review Authority, any National Data Guardian for Health and Care and/or NHS Digital pursuant to or in connection with those standards. The Provider must be able to demonstrate its compliance with those standards in accordance with the Response requirements and timescales set out in such guidance, including its adherence to Caldicott. data security standards and requirements for enabling patient choice. 2.4 The Provider must, at least once in each Contract Yearannually, audit its practices against quality statements regarding data sharing set out in NICE Clinical Guideline 138. The Provider must achieve a minimum level 2 performance against all requirements in the relevant NHS Information Governance Toolkit. . 2.5 The Provider must report and publish any Data Breach and any Information Governance Breach in accordance with IG Guidance for Serious Incidents. The If the Provider acknowledges that is required under Data Protection Legislation to notify the Commissioners are subject to Information Commissioner or a Data Subject of a Personal Data Breach then as soon as reasonably practical and in any event on or before the requirements first such notification is made the Provider must inform the Authority of the FOIAPersonal Data Breach. This paragraph does not require the Provider to provide the Authority with information which identifies any individual affected by the Personal Data Breach where doing so would breach Data Protection Legislation. 2.6 The Provider must assist have in place a communications strategy and coimplementation plan to ensure that Service Users are provided with, or have made readily available to them, Privacy Notices, and to disseminate nationally-operate with each Commissioner to enable it to comply with its disclosure obligations under the FOIAproduced patient information materials. The Provider agrees: that this Contract and any other recorded information held Any failure by the Provider to inform Service Users as required by Data Protection Legislation or Data Guidance about the uses of Personal Data that may take place under this Framework Agreement cannot be relied on by the Provider as evidence that such use is unlawful and therefore not contractually required. 2.7 Whether or not a Party or Sub-Contractor is a Data Controller or Data Processor will be determined in accordance with Data Protection Legislation and the Information Commissioner’s behalf 's guidance on Data Controllers and Data Processors and any further Data Guidance. The Parties acknowledge that a Party or Sub-Contractor may act as both a Data Controller and a Data Processor. The Parties consider that: 2.7.1 in relation to Personal Data processed by the Provider for the purpose of delivering the Services the Provider will be sole Data Controller; and 2.7.2 in relation to Personal Data the processing of which is required by the Authority for the purposes of this Contract are subject to quality assurance, performance management and contract management, the obligations and commitments of the Commissioner under FOIA; that the decision on whether any exemption to the general obligations of public access to information applies to any request for information received under FOIA is a decision solely for the Commissioner to whom the request is addressed; that where the Provider receives a request for information under FOIA Authority and the Provider itself is subject to FOIA, it will liaise with the relevant Commissioner as to the contents of any response before a response to a request is issued and will promptly (and in any event within 2 Operational Days) provide a copy be joint Data Controllers. 2.8 The Provider must ensure that all Personal Data processed by or behalf of the request and any response to Provider in the relevant Commissioner; that where course of delivering the Provider receives a request for information under FOIA and the Provider Services is not itself subject to FOIA, it will not respond to that request (unless directed to do so by the relevant Commissioner to whom the request relates) and will promptly (and in any event within 2 Operational Days) transfer the request to the relevant Commissioner; that any Commissioner, acting processed in accordance with the codes of practice issued relevant Parties’ obligations under Data Protection Legislation and revised from time to time under both section 45 of FOIA, Data Guidance and regulation 16 of the Environmental Information Regulations 2004, may disclose information concerning the Provider and this Contract either without consulting with the Provider, or following consultation with the Provider and having taken its views into account; and to assist the Commissioners in responding to a request for information, by processing information or environmental information (as the same are defined in FOIA) in accordance with a records management system that complies with all applicable records management recommendations and codes of conduct issued under section 46 of FOIA, and providing copies of all information requested by that Commissioner within 5 Operational Days of that request and without charge. The Parties acknowledge that, except for any information which is exempt from disclosure in accordance with the provisions of FOIA, any relevant Contract. 2.9 In relation to Personal Data processed by the content Provider in the course of this Contract is not Confidential Information. Notwithstanding any other term of this Contractdelivering the Services, the Provider consents must publish, maintain and operate: 2.9.1 policies relating to confidentiality, data protection and information disclosures that comply with the Law, the Caldicott Principles and Good Practice; 2.9.2 policies that describe the personal responsibilities of Staff for handling Personal Data; 2.9.3 a policy that supports the Provider’s obligations under the NHS Care Records Guarantee; 2.9.4 agreed protocols to govern the sharing of Personal Data with partner organisations; and 2.9.5 where appropriate, a system and a policy in relation to the publication recording of any telephone calls or other telehealth consultations in relation to the Services, including the retention and disposal of those recordings. and apply those policies and protocols conscientiously. 2.10 Where the Authority requires information for the purposes of quality management of care processes, the Provider must consider whether the Authority's request can be met by providing anonymised or aggregated data which does not contain Personal Data. Where Personal Data must be shared in order to meet the requirements of the Authority, the Provider must: 2.10.1 provide such information in pseudonymised from where possible; and in any event 2.10.2 ensure that there is a legal basis for the sharing of Personal Data. 2.11 Notwithstanding paragraph 2.10 of this Contract Schedule 2, the Provider must (unless it can lawfully justify non-disclosure) disclose defined or specified confidential patient information to or at the request of the Authority where support has been provided under the Section 251 Regulations, respecting any individual Service User’s objections and complying with other conditions of the relevant approval. 2.12 Where the Provider, in the course of delivering the Services, acts as a Data Processor on behalf of a Participating Authority, the provisions of Schedule 6F (Provider Data Processing Agreement) of the Call-off Terms and Conditions will apply. 2.13 Subject always to Clause 32, if the Provider is to engage any Sub-Contractor to deliver any part of the Services (other than as a Data Processor) and the Sub- Contractor is to access personal or confidential information or interact with Service Users, the Provider must impose on its entirety Sub-Contractor obligations that are no less onerous than the obligations imposed on the Provider by this Schedule 2. 2.14 Subject always to Clause 32, if the Provider is to require any Sub-Contractor to act as a Data Processor on its behalf, the Provider must: 2.14.1 require that Sub-Contractor to provide sufficient guarantees in respect of its technical and organisational security measures governing the data processing to be carried out, and take reasonable steps to ensure compliance with those measures; 2.14.2 carry out and record appropriate due diligence before the Sub-Contractor processes any Personal Data in order to demonstrate compliance with Data Protection Legislation; and 2.14.3 as far as practicable include in the terms of the sub-contract terms equivalent to those set out in Schedule 6F (including variations), subject Provider Data Processor Agreement) of the Call-off Terms and Conditions and in any event ensure that the Sub-Contractor is engaged under the terms of a binding written agreement requiring the Sub-Contractor to: 2.14.3.1 process Personal Data only to the redaction of information that is exempt from disclosure in accordance with the provisions Provider's instructions as set out in the written agreement, including instructions regarding transfers of FOIA.Personal Data outside the EU or to an international organisation unless such transfer is required by Law, in which case the Data Processor shall inform the Provider of that requirement before processing takes place, unless this is prohibited by law on the grounds of public interest; 2.14.3.2 ensure that persons authorised to process the Personal Data on behalf of the Sub-Contractor have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality;

Information Governance. The Parties acknowledge their respective obligations arising under FOIA, DPA 2018, UKGDPR and HRA, and under the common law duty of confidentiality, and must assist each other as necessary to enable each other to comply with these obligations. The Provider must complete and publish an annual information governance assessment using the NHS Information Governance Data Security & Protection Toolkit. The Provider must: nominate an Information Governance Lead, to be responsible for information governance and for providing the Provider’s Governing Body with regular reports on information governance matters, including details of all incidents of data loss and breach of confidence; nominate a Caldicott Guardian and Senior Information Risk Owner, each of whom must be a member of the Provider’s Governing Body; ensure that the Commissioner is kept informed at all times of the identities of the Information Governance Lead, Caldicott Guardian and the Senior Information Risk Owner. The Provider must adopt and implement the recommendations of the National Data Guardian Review of Data Security, Consent and Op-outs (Caldicott Information Governance Review and the Response to Caldicott. 3).. The Provider must, at least once in each Contract Year, audit its practices against quality statements regarding data sharing set out in NICE Clinical Guideline 138. The Provider must achieve a minimum level 2 performance against all compliance with the mandatory requirements in the relevant NHS Information Governance Data Security & Protection Toolkit. The Provider must report and publish any Data Breach and any Information Governance Breach in accordance with IG Guidance for Serious Incidents. The Provider acknowledges that the Commissioners are subject to the requirements of the FOIA. The Provider must assist and co-operate with each Commissioner to enable it to comply with its disclosure obligations under the FOIA. The Provider agrees: that this Contract and any other recorded information held by the Provider on a Commissioner’s behalf for the purposes of this Contract are subject to the obligations and commitments of the Commissioner under FOIA; that the decision on whether any exemption to the general obligations of public access to information applies to any request for information received under FOIA is a decision solely for the Commissioner to whom the request is addressed; that where the Provider receives a request for information under FOIA and the Provider itself is subject to FOIA, it will liaise with the relevant Commissioner as to the contents of any response before a response to a request is issued and will promptly (and in any event within 2 Operational Days) provide a copy of the request and any response to the relevant Commissioner; that where the Provider receives a request for information under FOIA and the Provider is not itself subject to FOIA, it will not respond to that request (unless directed to do so by the relevant Commissioner to whom the request relates) and will promptly (and in any event within 2 Operational Days) transfer the request to the relevant Commissioner; that any Commissioner, acting in accordance with the codes of practice issued and revised from time to time under both section 45 of FOIA, and regulation 16 of the Environmental Information Regulations 2004, may disclose information concerning the Provider and this Contract either without consulting with the Provider, or following consultation with the Provider and having taken its views into account; and to assist the Commissioners in responding to a request for information, by processing information or environmental information (as the same are defined in FOIA) in accordance with a records management system that complies with all applicable records management recommendations and codes of conduct issued under section 46 of FOIA, and providing copies of all information requested by that Commissioner within 5 Operational Days of that request and without charge. The Parties acknowledge that, except for any information which is exempt from disclosure in accordance with the provisions of FOIA, the content of this Contract is not Confidential Information. Notwithstanding any other term of this Contract, the Provider consents to the publication of this Contract in its entirety (including variations), subject only to the redaction of information that is exempt from disclosure in accordance with the provisions of FOIA. The Provider shall not discriminate between or against Service Users or Carers on the grounds of gender, age, ethnicity or race, disability, religion or belief, sexual orientation or any other protected characteristics under the Equality Act 2010. The Provider shall provide appropriate assistance and make reasonable adjustments for Service Users and Carers who do not speak, read or write English or who have communication difficulties (including without limitation hearing, oral or learning impairments). The Provider shall have due regard in its performance of this Agreement to the need contemplated by the Equality Act 2010 to: eliminate unlawful discrimination and harassment; promote equality of opportunity; make reasonable adjustments for disabled persons to assist them overcome any substantial difficulties which they face even where that involves treating disabled persons more favourably than other persons; promote positive attitudes towards persons who have a protected characteristic under the Equality Act 2010.