Privacy of Customer Information Company Customer Information in the possession of the Agent, other than information independently obtained by the Agent and not derived in any manner from or using information obtained under or in connection with this Agreement, is and shall remain confidential and proprietary information of the Companies. Except in accordance with this Section 10.10, the Agent shall not use any Company Customer Information for any purpose, including the marketing of products or services to, or the solicitation of business from, Customers, or disclose any Company Customer Information to any Person, including any of the Agent’s employees, agents or contractors or any third party not affiliated with the Agent. The Agent may use or disclose Company Customer Information only to the extent necessary (i) for examination and audit of the Agent’s activities, books and records by the Agent’s regulatory authorities, (ii) to protect or exercise the Agent’s, the Custodian’s and the Lenders’ rights and privileges or (iii) to carry out the Agent’s, the Custodian’s and the Lenders’ express obligations under this Agreement and the other Facilities Papers (including providing Company Customer Information to Approved Investors), and for no other purpose; provided that the Agent may also use and disclose the Company Customer Information as expressly permitted by the relevant Company in writing, to the extent that such express permission is in accordance with the Privacy Requirements. The Agent shall take commercially reasonable steps to ensure that each Person to which the Agent intends to disclose Company Customer Information, before any such disclosure of information, agrees to keep confidential any such Company Customer Information and to use or disclose such Company Customer Information only to the extent necessary to protect or exercise the Agent’s, the Custodian’s and the Lenders’ rights and privileges, or to carry out the Agent’s, the Custodian’s and the Lenders’ express obligations, under this Agreement and the other Facilities Papers (including providing Company Customer Information to Approved Investors). The Agent agrees to maintain an Information Security Program and to assess, manage and control risks relating to the security and confidentiality of Company Customer Information pursuant to such program in the same manner as the Agent does so in respect of their own customers’ information, and shall implement the standards relating to such risks in the manner set forth in the Interagency Guidelines Establishing Standards for Safeguarding Company Customer Information set forth in 12 CFR Parts 30, 208, 211, 225, 263, 308, 364, 568 and 570. Without limiting the scope of the foregoing sentence, the Agent shall use at least the same physical and other security measures to protect all Company Customer Information in the Agent’s possession or control as the Agent uses for their own customers’ confidential and proprietary information.
PERSONAL INFORMATION PRIVACY AND SECURITY CONTRACT 11 Any reference to statutory, regulatory, or contractual language herein shall be to such language as in 12 effect or as amended.
13 A. DEFINITIONS
Safeguarding Customer Information The Servicer has implemented and will maintain security measures designed to meet the objectives of the Interagency Guidelines Establishing Standards for Safeguarding Customer Information published in final form on February 1, 2001, 66 Fed. Reg. 8616 and the rules promulgated thereunder, as amended from time to time (the “Guidelines”). The Servicer shall promptly provide the Master Servicer, the Trustee and the NIMS Insurer information reasonably available to it regarding such security measures upon the reasonable request of the Master Servicer, the Trustee and the NIMS Insurer which information shall include, but not be limited to, any Statement on Auditing Standards (SAS) No. 70 report covering the Servicer’s operations, and any other audit reports, summaries of test results or equivalent measures taken by the Servicer with respect to its security measures to the extent reasonably necessary in order for the Seller to satisfy its obligations under the Guidelines.
Customer Information CPNI of a Customer and any other non-public, individually identifiable information about a Customer or the purchase by a Customer of the services or products of a Party.
User Information Any user or usage data or information collected via Station’s digital properties or related to Station’s digital properties, or any information collected from websites operated by Station’s affiliates under this Agreement, shall be the property of Station and/or such affiliates. Advertiser shall have no rights in such information by virtue of this Agreement.
Privacy and Personal Information (a) This clause 14 applies where this agreement amounts to a “service arrangement” under the Information Privacy Act 2009 (Qld).
(b) For the purpose of this clause 14, Personal Information has the meaning given in the Information Privacy Act 2009 (Qld).
(c) If the Recipient collects or has access to Personal Information in order to undertake the Activity, the Recipient must:
(i) comply with Parts 1 and 3 of Chapter 2 of the Information Privacy Act 2009 (Qld) in relation to the discharge of its obligations under this agreement (including its obligations regarding Reports), as if the Recipient was the Department;
(ii) ensure that Personal Information is protected against loss and against unauthorised access, use, modification, disclosure or other misuse;
(iii) not use Personal Information other than for the purposes of undertaking the Activity, unless required or authorised by law;
(iv) not disclose Personal Information without the consent of the Department, unless required or authorised by law;
(v) not transfer Personal Information outside of Australia without the consent of the Department;
(vi) ensure that access to Personal Information is restricted to those of the Recipient's employees and officers who require access in order to perform their duties;
(vii) ensure that the Recipient's officers and employees do not access, use or disclose Personal Information other than in the performance of their duties;
(viii) ensure that the Recipient's subcontractors who have access to Personal Information comply with obligations the same as those imposed on the the Recipient under this clause 14;
(ix) fully co-operate with the Department to enable the Department to respond to applications for access to, or amendment of a document containing an individual’s Personal Information and to privacy complaints; and
(x) comply with such other privacy and security measures as the Department reasonably advises the Recipient in writing from time to time.
(d) The Recipient must immediately notify the Department on becoming aware of any breach, suspected breach or complaint alleging something that would, if proved, be a breach of clause 14(c) and provide full details of the breach, suspected breach or complaint.
(e) On request by the Department, the Recipient must obtain from its Representatives engaged for the purposes of this agreement, an executed deed of privacy in a form acceptable to the Department.
Client Information Protected Health Information in any form including without limitation, Electronic Protected Health Information or Unsecured Protected Health Information (herein “PHI”);
Data Privacy and Security Laws The Company is, and at all prior times was, in material compliance with all applicable state and federal data privacy and security laws and regulations in the United States, including, without limitation, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act, and all applicable provincial and federal data privacy and security laws and regulations in Canada, including without limitation the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) (“PIPEDA”); and the Company has taken commercially reasonable actions to prepare to comply with, and have been and currently are in compliance with, the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679) (collectively, the “Privacy Laws”). To ensure compliance with the Privacy Laws, the Company has in place, comply with, and take appropriate steps reasonably designed to ensure compliance in all material respects with their policies and procedures relating to data privacy and security and the collection, storage, use, disclosure, handling, and analysis of Personal Data (the “Policies”). “Personal Data” means (i) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (ii) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (iii) Protected Health Information as defined by HIPAA; (iv) “personal information”, “personal health information”. and “business contact information” as defined by PIPEDA; (v) “personal data” as defined by GDPR; and (vi) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. The Company has at all times made all disclosures to users or customers required by applicable laws and regulatory rules or requirements, and none of such disclosures made or contained in any Policy have, to the knowledge of the Company, been inaccurate or in violation of any applicable laws and regulatory rules or requirements in any material respect. The Company further certifies: (i) it has not received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Law.
Patient Information Each Party agrees to abide by all laws, rules, regulations, and orders of all applicable supranational, national, federal, state, provincial, and local governmental entities concerning the confidentiality or protection of patient identifiable information and/or patients’ protected health information, as defined by any other applicable legislation in the course of their performance under this Agreement.
Student Information In the course of providing services during the term of the contract, certain personnel of Consultant may have access to student education records that are subject to the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. 1232g, et seq. and the regulations promulgated there under. Such information confidential and is therefore protected. To the extent that Consultant’s personnel require access to “education records” to perform Services pursuant to this Agreement, such personnel are deemed a “school official,” as each of these terms are defined under FERPA. Consultant agrees that it shall not use education records for any purpose other than in the performance of this contract. Except as required by law, Consultant shall not disclose or share education records with any third party unless permitted by the terms of the contract or to subcontractors who have agreed to maintain the confidentiality of the education records to the same extent required of Consultant under this contract. For the avoidance of doubt, District will be responsible for obtaining any necessary consents from students or parents pursuant to FERPA to provide the information to Consultant. In the event any person(s) seek to access protected education records, whether in accordance with FERPA or other Federal or relevant State law or regulations, the Consultant will immediately inform the District of such request in writing if allowed by law or judicial and/or administrative order. Consultant shall not provide direct access to such data or information or respond to individual requests. Consultant shall only retrieve such data or information upon receipt of, and in accordance with, written directions by the District and shall only provide such data and information to the District. It shall be District’s sole responsibility to respond to requests for data or information received by Vendor regarding District data or information. Should Consultant receive a court order or lawfully issued subpoena seeking the release of such data or information, Consultant shall provide immediate notification to the District of its receipt of such court order or lawfully issued subpoena and shall immediately provide the District with a copy of such court order or lawfully issued subpoena prior to releasing the requested data or information, if allowed by law or judicial and/or administrative order. If Consultant experiences a security breach concerning any education record covered by this contract, then Consultant will immediately notify the District and take immediate steps to limit and mitigate such security breach to the extent possible. The parties agree that any breach of the confidentiality obligation set forth in the contract may, at District’s discretion, result in cancellation of further consideration for contract award and the eligibility for Consultant to receive any information from District for a period of not less than five (5) years. In addition, Consultant agrees to indemnify and hold the District harmless for any loss, cost, damage or expense suffered by the District, including but not limited to the cost of notification of affected persons, as a direct result of the unauthorized disclosure of education records. Upon termination of Agreement, Consultant shall return and/or destroy all data or information received from the District upon, and in accordance with, direction from the District. Consultant shall not retain copies of any data or information received from the District once the District has directed Consultant as to how such information shall be returned to the District and/or destroyed. Furthermore, Consultant shall ensure that they dispose of any and all data or information received from the District in a District-approved manner that maintains the confidentiality of the contents of such records (e.g. shredding paper records, erasing and reformatting hard drives, erasing and/or physically destroying any portable electronic devices).
