Common use of Protection of Information Clause in Contracts

Protection of Information. E1 Authority Data E1.1 The Contractor shall not delete or remove any proprietary notices contained within or relating to the Authority Data. E1.2 The Contractor shall not store, copy, disclose, or use the Authority Data except as necessary for the performance by the Contractor of its obligations under this Contract or as otherwise expressly authorised in writing by the Authority. E1.3 To the extent that Authority Data is held and/or processed by the Contractor, the Contractor shall supply that Authority Data to the Authority as requested by the Authority. E1.4 The Contractor shall take responsibility for preserving the integrity of Authority Data and preventing the corruption or loss of Authority Data. E1.5 The Contractor shall perform secure back-ups of all Authority Data and shall ensure that up-to-date back-ups are stored off-site in accordance with the Contractor’s Business Continuity Plan. The Contractor shall ensure that such back-ups are available to the Authority at all times upon request and are delivered to the Authority at no less than 12 Monthly intervals. E1.6 The Contractor shall ensure that any system or media on which the Contractor holds any Authority Data, including back-up data, is a secure system that complies with the Security Policy detailed in Appendix A to Schedule 6. E1.7 If the Authority Data is corrupted, lost or sufficiently degraded as a result of the Contractor’s default so as to be unusable, the Authority may; a) require the Contractor (at the Contractor’s expense) to restore or procure the restoration of the Authority Data or Personal Data and the Contractor shall do so as soon as practicable but not later than one (1) year; and/or; b) itself restore or procure the restoration of the Authority Data or Personal Data, and shall be repaid by the Contractor any reasonable expenses incurred in doing so. E1.8 If at any time the Contractor suspects or has reason to believe that the Authority Data or Personal Data has or may become corrupted, lost or sufficiently degraded in any way for any reason, then the Contractor shall notify the Authority immediately and inform the Authority of the remedial action the Contractor proposes to take. E1.9 In accordance with the DWP Offshoring Policy and while not in any way limiting any other provision of this Contract, the Contractor, or any of its Sub-contractors, shall not process, host at or access Authority Data from premises outside the United Kingdom without the prior written consent of the Authority, and where the Authority gives consent, the Contractor shall comply with any reasonable instructions notified to it by the Authority in relation to the Authority Data in question.

Protection of Information. E1 Authority Data E1.1 The Contractor shall not delete or remove any proprietary notices contained within or relating to the Authority Data. E1.2 The Contractor shall not store, copy, disclose, or use the Authority Data except as necessary for the performance by the Contractor of its obligations under this Contract or as otherwise expressly authorised in writing by the Authority. E1.3 To the extent that Authority Data is held and/or processed by the Contractor, the Contractor shall supply that Authority Data to the Authority as requested by the Authority. E1.4 The Contractor shall take responsibility for preserving the integrity of Authority Data and preventing the corruption or loss of Authority Data. E1.5 The Contractor shall perform secure back-ups of all Authority Data and shall ensure that up-to-date back-ups are stored off-site in accordance with the Contractor’s Business Continuity Plan. The Contractor shall ensure that such back-ups are available to the Authority at all times upon request and are delivered to the Authority at no less than 12 Monthly intervals.Not Used E1.6 The Contractor shall ensure that any system or media on which the Contractor holds any Authority Data, including back-up data, is a secure system that complies with the Security Policy detailed in Appendix A to Schedule 6. E1.7 If the Authority Data is corrupted, lost or sufficiently degraded as a result of the Contractor’s default so as to be unusable, the Authority may; a) require the Contractor (at the Contractor’s expense) to restore or procure the restoration of the Authority Data or Personal Data and the Contractor shall do so as soon as practicable but not later than one (1) year; and/or; b) itself restore or procure the restoration of the Authority Data or Personal Data, and shall be repaid by the Contractor any reasonable expenses incurred in doing so. E1.8 If at any time the Contractor suspects or has reason to believe that the Authority Data or Personal Data has or may become corrupted, lost or sufficiently degraded in any way for any reason, then the Contractor shall notify the Authority immediately and inform the Authority of the remedial action the Contractor proposes to take. E1.9 In accordance with the DWP Offshoring Policy and while not in any way limiting any other provision of this Contract, the Contractor, or any of its Subsub-contractors, shall not process, host at or access Authority Data from premises outside the United Kingdom without the prior written consent of the Authority, and where the Authority gives consent, the Contractor shall comply with any reasonable instructions notified to it by the Authority in relation to the Authority Data in question. E1.10 Any breach by the Contractor of this Clause E1 shall be a material breach for the purposes of Clause H2 (Termination on Default) and shall entitle the Authority (at it’s absolute discretion) to exercise its rights under the corresponding provisions of Clause H2 (Termination on Default). E2 Protection of Personal Data E2.1 With respect to the parties' rights and obligations under this Contract, the parties agree that the Authority is the Data Controller and that the Contractor is the Data Processor. E2.2 The Contractor shall: a) process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Contract as otherwise notified by the Authority to the Contractor during the Contract Period); b) process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; c) implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; d) take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data; e) obtain prior written consent from the Authority in order to transfer the Personal Data to any sub-contractors or agents for the provision of the Services; f) ensure that all Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause; g) ensure that none of the Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; h) notify the Authority (within five Working Days) if it receives; i) a request from a Data Subject to have access to that Person's Personal Data; or ii) a complaint or request relating to the Authority's obligations under the DPA; i) provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by; i) providing the Authority with full details of the complaint or request; ii) complying with a data access request within the relevant timescales set out in the DPA and in accordance with the Authority's instructions; iii) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and iv) providing the Authority with any information requested by the Authority; j) permit the Authority or the Authority’s representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Contractor's Data Processing activities (and/or those of its agents, subsidiaries and sub-contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Contractor is in full compliance with its obligations under this Contract; k) provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and l) not process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with: i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and any reasonable instructions notified to it by the Authority. E2.3 The Contractor shall indemnify and keep indemnified the Authority in full from and against all claims, proceedings, actions, damages, losses, penalties, fines, levies, costs and expenses and all loss of profits, business revenue or goodwill (whether direct or indirect) and all consequential or indirect loss howsoever arising out of, in respect of or in connection with, any breach by the Contractor (or any Sub-contractor) of this Clause E2. E2.4 The Contractor shall comply at all times with the DPA and shall not perform its obligations under this Contract in such a way as to cause the Authority to breach any of its applicable obligations under the DPA. E3 Official Secrets Acts 1911 to 1989, Section 182 of the Finance Act 1989 E3.1 The Contractor shall comply with, and shall ensure that it’s Staff comply with, the provisions of; a) the Official Secrets Acts 1911 to 1989; and b) Section 182 of the Finance Act 1989.

Protection of Information. E1 Authority Data E1.1 The Contractor Provider shall not delete or remove any proprietary notices contained within or relating to the Authority Data. E1.2 The Contractor Provider shall not store, copy, disclose, or use the Authority Data except as necessary for the performance by the Contractor Provider of its obligations under this Contract or as otherwise expressly authorised in writing by the Authority. E1.3 To the extent that Authority Data is held and/or processed by the ContractorProvider, the Contractor Provider shall supply that Authority Data to the Authority as requested by the Authority. E1.4 The Contractor Provider shall take responsibility for preserving the integrity of Authority Data and preventing the corruption or loss of Authority Data. E1.5 The Contractor Provider shall perform secure back-ups of all Authority Data and shall ensure that up-to-date back-ups are stored off-site in accordance with the ContractorProvider’s Business Continuity Plan. The Contractor Provider shall ensure that such back-ups are available to the Authority at all times upon request and are delivered to the Authority at no less than 12 Monthly intervalsrequest. E1.6 The Contractor Provider shall ensure that any system or media on which the Contractor Provider holds any Authority Data, including back-up data, is a secure system that complies with the Security Policy detailed in Appendix A to of Schedule 66 (Security Requirements and Plan). E1.7 If the Authority Data is corrupted, lost or sufficiently degraded as a result of the ContractorProvider’s default so as to be unusable, the Authority may; a) require the Contractor Provider (at the ContractorProvider’s expense) to restore or procure the restoration of the Authority Data or Personal Data and the Contractor Provider shall do so as soon as practicable but not later than one (1) year24 hours; and/or; b) itself restore or procure the restoration of the Authority Data or Personal Data, and shall be repaid by the Contractor Provider any reasonable expenses incurred in doing so. E1.8 If at any time the Contractor Provider suspects or has reason to believe that the Authority Data or Personal Data has or may become corrupted, lost or sufficiently degraded in any way for any reason, then the Contractor Provider shall notify the Authority immediately and inform the Authority of the remedial action the Contractor Provider proposes to take. E1.9 In accordance with the DWP Offshoring Policy and while not in any way limiting any other provision of this Contract, the ContractorProvider, or any of its Sub-contractors, shall not process, host at or access Authority Data from premises outside the United Kingdom without the prior written consent of the Authority, and where the Authority gives consent, the Contractor Provider shall comply with any reasonable instructions notified to it by the Authority in relation to the Authority Data in question. E1.10 Any breach by the Provider of this clause E1 shall be a material breach for the purposes of clause H2 (Termination on Default) and shall entitle the Authority (at its absolute discretion) to exercise its rights under the corresponding provisions of clause H2 (Termination on Default). E2 Protection of Personal Data E2.1 With respect to the Parties' rights and obligations under this Contract, the Parties agree that the Authority is the Data Controller and that the Provider is the Data Processor. E2.2 The Provider shall: a) process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Contract as otherwise notified by the Authority to the Provider during the Contract Period); b) process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; c) implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; d) take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data; e) obtain prior written consent from the Authority in order to transfer the Personal Data to any Sub-contractors or agents for the provision of the Services; f) ensure that all Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause; g) ensure that none of the Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; h) notify the Authority (within five (5) Working Days) if it receives; i) a request from a Data Subject to have access to that Person's Personal Data; or ii) a complaint or request relating to the Authority's obligations under the DPA; i) provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by; i) providing the Authority with full details of the complaint or request; ii) complying with a data access request within the relevant timescales set out in the DPA and in accordance with the Authority's instructions; iii) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and iv) providing the Authority with any information requested by the Authority; j) permit the Authority or the Authority’s representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Provider's Data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Provider is in full compliance with its obligations under this Contract; k) provide a written description of the technical and organisational methods employed by the Provider for processing Personal Data (within the timescales required by the Authority); and l) not process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with: i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and any reasonable instructions notified to it by the Authority. E2.3 The Provider shall indemnify and keep indemnified the Authority in full from and against all claims, proceedings, actions, damages, losses, penalties, fines, levies, costs and expenses and all loss of profits, business revenue or goodwill (whether direct or indirect) and all consequential or indirect loss howsoever arising out of, in respect of or in connection with, any breach by the Provider (or any Sub-contractor) of this clause E2. E2.4 The Provider shall comply at all times with the DPA and shall not perform its obligations under this Contract in such a way as to cause the Authority to breach any of its applicable obligations under the DPA. E3 Official Secrets Acts 1911 to 1989, Section 182 of the Finance Xxx 0000 E3.1 The Provider shall comply with, and shall ensure that its Staff comply with, the provisions of; a) the Official Secrets Acts 1911 to 1989; and b) Section 182 of the Finance Xxx 0000.

Protection of Information. E1 Authority Data E1.1 The Contractor shall not delete or remove any proprietary notices contained within or relating to the Authority Data. E1.2 The Contractor shall not store, copy, disclose, or use the Authority Data except as necessary for the performance by the Contractor of its obligations under this Contract or as otherwise expressly authorised in writing by the Authority. E1.3 To the extent that Authority Data is held and/or processed by the Contractor, the Contractor shall supply that Authority Data to the Authority as requested by the Authority. E1.4 The Contractor shall take responsibility for preserving the integrity of Authority Data and preventing the corruption or loss of Authority Data. E1.5 The Contractor shall perform secure back-ups of all Authority Data and shall ensure that up-to-date back-ups are stored off-site in accordance with the Contractor’s Business Continuity Plan. The Contractor shall ensure that such back-ups are available to the Authority at all times upon request and are delivered to the Authority at no less than 12 Monthly intervals.Not Used E1.6 The Contractor shall ensure that any system or media on which the Contractor holds any Authority Data, including back-up data, is a secure system that complies with the Security Policy detailed in Appendix A to Schedule 6. E1.7 If the Authority Data is corrupted, lost or sufficiently degraded as a result of the Contractor’s default so as to be unusable, the Authority may; a) require the Contractor (at the Contractor’s expense) to restore or procure the restoration of the Authority Data or Personal Data and the Contractor shall do so as soon as practicable but not later than one (1) year; and/or; b) itself restore or procure the restoration of the Authority Data or Personal Data, and shall be repaid by the Contractor any reasonable expenses incurred in doing so. E1.8 If at any time the Contractor suspects or has reason to believe that the Authority Data or Personal Data has or may become corrupted, lost or sufficiently degraded in any way for any reason, then the Contractor shall notify the Authority immediately and inform the Authority of the remedial action the Contractor proposes to take. E1.9 In accordance with the DWP Offshoring Policy and while not in any way limiting any other provision of this Contract, the Contractor, or any of its Subsub-contractors, shall not process, host at or access Authority Data from premises outside the United Kingdom without the prior written consent of the Authority, and where the Authority gives consent, the Contractor shall comply with any reasonable instructions notified to it by the Authority in relation to the Authority Data in question. E1.10 Any breach by the Contractor of this Clause E1 shall be a material breach for the purposes of Clause H2 (Termination on Default) and shall entitle the Authority (at it’s absolute discretion) to exercise its rights under the corresponding provisions of Clause H2 (Termination on Default). E2 Protection of Personal Data E2.1 With respect to the parties' rights and obligations under this Contract, the parties agree that the Authority is the Data Controller and that the Contractor is the Data Processor. E2.2 The Contractor shall: a) process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Contract as otherwise notified by the Authority to the Contractor during the Contract Period); b) process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; c) implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; d) take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data; e) obtain prior written consent from the Authority in order to transfer the Personal Data to any sub-contractors or agents for the provision of the Services; f) ensure that all Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause; g) ensure that none of the Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; h) notify the Authority (within five Working Days) if it receives; i) a request from a Data Subject to have access to that Person's Personal Data; or ii) a complaint or request relating to the Authority's obligations under the DPA; i) provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by; i) providing the Authority with full details of the complaint or request; ii) complying with a data access request within the relevant timescales set out in the DPA and in accordance with the Authority's instructions; iii) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and iv) providing the Authority with any information requested by the Authority; j) permit the Authority or the Authority’s representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Contractor's Data Processing activities (and/or those of its agents, subsidiaries and sub-contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Contractor is in full compliance with its obligations under this Contract; k) provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and l) not process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with: i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and any reasonable instructions notified to it by the Authority. E2.3 The Contractor shall indemnify and keep indemnified the Authority in full from and against all claims, proceedings, actions, damages, losses, penalties, fines, levies, costs and expenses and all loss of profits, business revenue or goodwill (whether direct or indirect) and all consequential or indirect loss howsoever arising out of, in respect of or in connection with, any breach by the Contractor (or any Sub-contractor) of this Clause E2. E2.4 The Contractor shall comply at all times with the DPA and shall not perform its obligations under this Contract in such a way as to cause the Authority to breach any of its applicable obligations under the DPA. E3 Official Secrets Acts 1911 to 1989, Section 182 of the Finance Xxx 0000 E3.1 The Contractor shall comply with, and shall ensure that it’s Staff comply with, the provisions of; a) the Official Secrets Acts 1911 to 1989; and b) Section 182 of the Finance Xxx 0000.

Protection of Information. E1 Authority Data E1.1 The Contractor shall not delete or remove any proprietary notices contained within or relating to the Authority Data. E1.2 The Contractor shall not store, copy, disclose, or use the Authority Data except as necessary for the performance by the Contractor of its obligations under this Contract or as otherwise expressly authorised in writing by the Authority. E1.3 To the extent that Authority Data is held and/or processed by the Contractor, the Contractor shall supply that Authority Data to the Authority as requested by the Authority. E1.4 The Contractor shall take responsibility for preserving the integrity of Authority Data and preventing the corruption or loss of Authority Data. E1.5 The Contractor shall perform secure back-ups of all Authority Data and shall ensure that up-to-date back-ups are stored off-site in accordance with the Contractor’s Business Continuity Plan. The Contractor shall ensure that such back-ups are available to the Authority at all times upon request and are delivered to the Authority at no less than 12 insert period] Monthly intervals. E1.6 The Contractor shall ensure that any system or media on which the Contractor holds any Authority Data, including back-up data, is a secure system that complies with the Security Policy detailed in Appendix A to Schedule 6. E1.7 If the Authority Data is corrupted, lost or sufficiently degraded as a result of the Contractor’s default so as to be unusable, the Authority may; a) require the Contractor (at the Contractor’s expense) to restore or procure the restoration of the Authority Data or Personal Data and the Contractor shall do so as soon as practicable but not later than one (1) year7 days following the loss; and/or; b) itself restore or procure the restoration of the Authority Data or Personal Data, and shall be repaid by the Contractor any reasonable expenses incurred in doing so. E1.8 If at any time the Contractor suspects or has reason to believe that the Authority Data or Personal Data has or may become corrupted, lost or sufficiently degraded in any way for any reason, then the Contractor shall notify the Authority immediately and inform the Authority of the remedial action the Contractor proposes to take. E1.9 In accordance with the DWP Offshoring Policy and while not in any way limiting any other provision of this Contract, the Contractor, or any of its Sub-contractors, shall not process, host at or access Authority Data from premises outside the United Kingdom without the prior written consent of the Authority, and where the Authority gives consent, the Contractor shall comply with any reasonable instructions notified to it by the Authority in relation to the Authority Data in question.

Protection of Information. E1 Authority Data E1.1 The Contractor shall not delete or remove any proprietary notices contained within or relating to the Authority Data. E1.2 The Contractor shall not store, copy, disclose, or use the Authority Data except as necessary for the performance by the Contractor of its obligations under this Contract or as otherwise expressly authorised in writing by the Authority. E1.3 To the extent that Authority Data is held and/or processed by the Contractor, the Contractor shall supply that Authority Data to the Authority as requested by the Authority. E1.4 The Contractor shall take responsibility for preserving the integrity of Authority Data and preventing the corruption or loss of Authority Data. E1.5 The Contractor shall perform secure back-ups of all Authority Data and shall ensure that up-to-date back-ups are stored off-site in accordance with the Contractor’s Business Continuity Plan. The Contractor shall ensure that such back-ups are available to the Authority at all times upon request and are delivered to the Authority at no less than 12 six (6) Monthly intervals. E1.6 The Contractor shall ensure that any system or media on which the Contractor holds any Authority Data, including back-up data, is a secure system that complies with the Security Policy detailed in Appendix A to Schedule 6. E1.7 If the Authority Data is corrupted, lost or sufficiently degraded as a result of the Contractor’s default so as to be unusable, the Authority may; a) require the Contractor (at the Contractor’s expense) to restore or procure the restoration of the Authority Data or Personal Data and the Contractor shall do so as soon as practicable but not later than one six (1) year6); weeks and/or; b) itself restore or procure the restoration of the Authority Data or Personal Data, and shall be repaid by the Contractor any reasonable expenses incurred in doing so. E1.8 If at any time the Contractor suspects or has reason to believe that the Authority Data or Personal Data has or may become corrupted, lost or sufficiently degraded in any way for any reason, then the Contractor shall notify the Authority immediately and inform the Authority of the remedial action the Contractor proposes to take. E1.9 In accordance with the DWP Offshoring Policy and while not in any way limiting any other provision of this Contract, the Contractor, or Contractor and any of its Sub-contractors, shall not process, host at or access Authority Data from premises outside the United Kingdom without the prior written consent of the Authority, and where the Authority gives consent, the Contractor shall comply with any reasonable instructions notified to it by the Authority in relation to the Authority Data in question.

Protection of Information. E1 Authority Data E1.1 The Contractor Provider shall not delete or remove any proprietary notices contained within or relating to the Authority Data. E1.2 The Contractor Provider shall not store, copy, disclose, or use the Authority Data except as necessary for the performance by the Contractor Provider of its obligations under this Contract or as otherwise expressly authorised in writing by the Authority. E1.3 To the extent that Authority Data is held and/or processed by the ContractorProvider, the Contractor Provider shall supply that Authority Data to the Authority as requested by the Authority. E1.4 The Contractor Provider shall take responsibility for preserving the integrity of Authority Data and preventing the corruption or loss of Authority Data. E1.5 The Contractor Provider shall perform secure back-ups of all Authority Data and shall ensure that up-to-date back-ups are stored off-site in accordance with the ContractorProvider’s Business Continuity Plan. The Contractor Provider shall ensure that such back-ups are available to the Authority at all times upon request and are delivered to the Authority at no less than 12 Monthly intervalsrequest. E1.6 The Contractor Provider shall ensure that any system or media on which the Contractor Provider holds any Authority Data, including back-up data, is a secure system that complies with the Security Policy detailed in Appendix A to of Schedule 66 (Security Requirements and Plan). E1.7 If the Authority Data is corrupted, lost or sufficiently degraded as a result of the ContractorProvider’s default so as to be unusable, the Authority may; a) require the Contractor Provider (at the ContractorProvider’s expense) to restore or procure the restoration of the Authority Data or Personal Data and the Contractor Provider shall do so as soon as practicable but not later than one (1) year24 hours; and/or; b) itself restore or procure the restoration of the Authority Data or Personal Data, and shall be repaid by the Contractor Provider any reasonable expenses incurred in doing so. E1.8 If at any time the Contractor Provider suspects or has reason to believe that the Authority Data or Personal Data has or may become corrupted, lost or sufficiently degraded in any way for any reason, then the Contractor Provider shall notify the Authority immediately and inform the Authority of the remedial action the Contractor Provider proposes to take. E1.9 In accordance with the DWP Offshoring Policy and while not in any way limiting any other provision of this Contract, the ContractorProvider, or any of its Sub-contractors, shall not process, host at or access Authority Data from premises outside the United Kingdom without the prior written consent of the Authority, and where the Authority gives consent, the Contractor Provider shall comply with any reasonable instructions notified to it by the Authority in relation to the Authority Data in question. E1.10 Any breach by the Provider of this clause E1 shall be a material breach for the purposes of clause H2 (Termination on Default) and shall entitle the Authority (at its absolute discretion) to exercise its rights under the corresponding provisions of clause H2 (Termination on Default). E2 Protection of Personal Data E2.1 With respect to the Parties' rights and obligations under this Contract, the Parties agree that the Authority is the Data Controller and that the Provider is the Data Processor. E2.2 The Provider shall: a) process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Contract as otherwise notified by the Authority to the Provider during the Contract Period); b) process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; c) implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; d) take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data; e) obtain prior written consent from the Authority in order to transfer the Personal Data to any Sub-contractors or agents for the provision of the Services; f) ensure that all Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause; g) ensure that none of the Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; h) notify the Authority (within five (5) Working Days) if it receives; i) a request from a Data Subject to have access to that Person's Personal Data; or ii) a complaint or request relating to the Authority's obligations under the DPA; i) provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by; i) providing the Authority with full details of the complaint or request; ii) complying with a data access request within the relevant timescales set out in the DPA and in accordance with the Authority's instructions; iii) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and iv) providing the Authority with any information requested by the Authority; j) permit the Authority or the Authority’s representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Provider's Data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Provider is in full compliance with its obligations under this Contract; k) provide a written description of the technical and organisational methods employed by the Provider for processing Personal Data (within the timescales required by the Authority); and l) not process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with: i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and any reasonable instructions notified to it by the Authority. E2.3 The Provider shall indemnify and keep indemnified the Authority in full from and against all claims, proceedings, actions, damages, losses, penalties, fines, levies, costs and expenses and all loss of profits, business revenue or goodwill (whether direct or indirect) and all consequential or indirect loss howsoever arising out of, in respect of or in connection with, any breach by the Provider (or any Sub-contractor) of this clause E2. E2.4 The Provider shall comply at all times with the DPA and shall not perform its obligations under this Contract in such a way as to cause the Authority to breach any of its applicable obligations under the DPA. E3 Official Secrets Acts 1911 to 1989, Section 182 of the Finance Act 1989 E3.1 The Provider shall comply with, and shall ensure that its Staff comply with, the provisions of; a) the Official Secrets Acts 1911 to 1989; and b) Section 182 of the Finance Act 1989.

Protection of Information. E1 Authority Data E1.1 The Contractor shall not delete or remove any proprietary notices contained within or relating to the Authority Data. E1.2 The Contractor shall not store, copy, disclose, or use the Authority Data except as necessary for the performance by the Contractor of its obligations under this Contract or as otherwise expressly authorised in writing by the Authority. E1.3 To the extent that Authority Data is held and/or processed by the Contractor, the Contractor shall supply that Authority Data to the Authority as requested by the Authority. E1.4 The Contractor shall take responsibility for preserving the integrity of Authority Data and preventing the corruption or loss of Authority Data. E1.5 The Contractor shall perform secure back-ups of all Authority Data and shall ensure that up-to-date back-ups are stored off-site in accordance with the Contractor’s Business Continuity Plan. The Contractor shall ensure that such back-ups are available to the Authority at all times upon request and are delivered to the Authority at no less than 12 Monthly monthly intervals. E1.6 The Contractor shall ensure that any system or media on which the Contractor holds any Authority Data, including back-up data, is a secure system that complies with the Security Policy detailed in Appendix A to Schedule 6. E1.7 If the Authority Data is corrupted, lost or sufficiently degraded as a result of the Contractor’s default so as to be unusable, the Authority may; a) require the Contractor (at the Contractor’s expense) to restore or procure the restoration of the Authority Data or Personal Data and the Contractor shall do so as soon as practicable but not later than one (1) year; and/or; b) itself restore or procure the restoration of the Authority Data or Personal Data, and shall be repaid by the Contractor any reasonable expenses incurred in doing so. E1.8 If at any time the Contractor suspects or has reason to believe that the Authority Data or Personal Data has or may become corrupted, lost or sufficiently degraded in any way for any reason, then the Contractor shall notify the Authority immediately and inform the Authority of the remedial action the Contractor proposes to take. E1.9 In accordance with the DWP Offshoring Policy and while not in any way limiting any other provision of this Contract, the Contractor, or any of its Subsub-contractors, shall not process, host at or access Authority Data from premises outside the United Kingdom without the prior written consent of the Authority, and where the Authority gives consent, the Contractor shall comply with any reasonable instructions notified to it by the Authority in relation to the Authority Data in question. E1.10 Any breach by the Contractor of this Clause E1 shall be a material breach for the purposes of Clause H2 (Termination on Default) and shall entitle the Authority (at its absolute discretion) to exercise its rights under the corresponding provisions of Clause H2 (Termination on Default). E2 Protection of Personal Data E2.1 With respect to the parties' rights and obligations under this Contract, the parties agree that the Authority is the Data Controller and that the Contractor is the Data Processor. E2.2 The Contractor shall: a) process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Contract as otherwise notified by the Authority to the Contractor during the Contract Period); b) process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; c) implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; d) take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data; e) obtain prior written consent from the Authority in order to transfer the Personal Data to any sub-contractors or agents for the provision of the Services; f) ensure that all Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause; g) ensure that none of the Staff publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; h) notify the Authority (within five Working Days) if it receives; i) a request from a Data Subject to have access to that Person's Personal Data; or ii) a complaint or request relating to the Authority's obligations under the DPA; i) provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by; i) providing the Authority with full details of the complaint or request; ii) complying with a data access request within the relevant timescales set out in the DPA and in accordance with the Authority's instructions; iii) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and iv) providing the Authority with any information requested by the Authority; j) permit the Authority or the Authority’s representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Contractor's Data Processing activities (and/or those of its agents, subsidiaries and sub-contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Contractor is in full compliance with its obligations under this Contract; k) provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and l) not process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with: i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and any reasonable instructions notified to it by the Authority. E2.3 The Contractor shall indemnify and keep indemnified the Authority in full from and against all claims, proceedings, actions, damages, losses, penalties, fines, levies, costs and expenses and all loss of profits, business revenue or goodwill (whether direct or indirect) and all consequential or indirect loss howsoever arising out of, in respect of or in connection with, any breach by the Contractor (or any Sub-contractor) of this Clause E2]. E2.4 The Contractor shall comply at all times with the DPA and shall not perform its obligations under this Contract in such a way as to cause the Authority to breach any of its applicable obligations under the DPA. E3 Official Secrets Acts 1911 to 1989, Section 182 of the Finance Xxx 0000 E3.1 The Contractor shall comply with, and shall ensure that it’s Staff comply with, the provisions of; a) the Official Secrets Acts 1911 to 1989; and b) Section 182 of the Finance Xxx 0000.

Protection of Information. E1 Authority Data E1.1 The Prime Contractor shall not delete or remove any proprietary notices contained within or relating to the Authority Data. E1.2 The Prime Contractor shall not store, copy, disclose, or use the Authority Data except as necessary for the performance by the Prime Contractor of its obligations under this the Contract or as otherwise expressly authorised in writing by the Authority. E1.3 To the extent that Authority Data is held and/or processed by the Prime Contractor, the Prime Contractor shall supply that Authority Data to the Authority as requested by the Authority. E1.4 The Prime Contractor shall take responsibility for preserving the integrity of Authority Data and preventing the corruption or loss of Authority Data. E1.5 The Prime Contractor shall perform secure back-ups of all Authority Data and shall ensure that up-to-date back-ups are stored off-site in accordance with the Prime Contractor’s Business Continuity PlanPlans and Disaster Recovery Arrangements. The Prime Contractor shall ensure that such back-ups are available to the Authority at all times upon request and are delivered to the Authority at no less than 12 Monthly intervalsrequest. E1.6 The Prime Contractor shall ensure that any system or media on which the Prime Contractor holds any Authority Data, including back-up data, is a secure system that complies with the Security Policy detailed in Appendix A 1 to Schedule 68: Security Requirements and Plan. E1.7 If the Authority Data is corrupted, lost or sufficiently degraded as a result of the Prime Contractor’s default so as to be unusable, the Authority may;: a) require the Prime Contractor (at the Prime Contractor’s expense) to restore or procure the restoration of the Authority Data or Personal Data and the Prime Contractor shall do so as soon as practicable but not later than one (1) yearpracticable; and/or; b) itself restore or procure the restoration of the Authority Data or Personal Data, and shall be repaid by the Prime Contractor any reasonable expenses incurred in doing so. E1.8 If at any time the Prime Contractor suspects or has reason to believe that the Authority Data or Personal Data has or may become corrupted, lost or sufficiently degraded in any way for any reason, then the Prime Contractor shall notify the Authority immediately and inform the Authority of the remedial action the Prime Contractor proposes to take. E1.9 In accordance with the DWP Offshoring Policy and while not in any way limiting any other provision of this Contract, the Contractor, or any of its Sub-contractors, shall not process, host at or access Authority Data from premises outside the United Kingdom without the prior written consent of the Authority, and where the Authority gives consent, the Contractor shall comply with any reasonable instructions notified to it by the Authority in relation to the Authority Data in question.

Protection of Information. E1 Authority Data E1.1 The Contractor shall not delete or remove any proprietary notices contained within or relating to the Authority Data. E1.2 The Contractor shall not store, copy, disclose, or use the Authority Data except as necessary for the performance by the Contractor of its obligations under this Contract or as otherwise expressly authorised in writing by the Authority. E1.3 To the extent that Authority Data is held and/or processed by the Contractor, the Contractor shall supply that Authority Data to the Authority as requested by the Authority. E1.4 The Contractor shall take responsibility for preserving the integrity of Authority Data and preventing the corruption or loss of Authority Data.. [ConsReq E1.5 The Contractor shall perform secure back-ups of all Authority Data and shall ensure that up-to-date back-ups are stored off-site in accordance with the Contractor’s Business Continuity Plan. The Contractor shall ensure that such back-ups are available to the Authority at all times upon request and are delivered to the Authority at no less than 12 [TextReq insert period] Monthly intervals.] E1.6 The Contractor shall ensure that any system or media on which the Contractor holds any Authority Data, including back-up data, is a secure system that complies with the Security Policy detailed in Appendix A to Schedule 6. E1.7 If the Authority Data is corrupted, lost or sufficiently degraded as a result of the Contractor’s default so as to be unusable, the Authority may; a) require the Contractor (at the Contractor’s expense) to restore or procure the restoration of the Authority Data or Personal Data and the Contractor shall do so as soon as practicable but not later than one (1) year[TextReq]; and/or; b) itself restore or procure the restoration of the Authority Data or Personal Data, and shall be repaid by the Contractor any reasonable expenses incurred in doing so. E1.8 If at any time the Contractor suspects or has reason to believe that the Authority Data or Personal Data has or may become corrupted, lost or sufficiently degraded in any way for any reason, then the Contractor shall notify the Authority immediately and inform the Authority of the remedial action the Contractor proposes to take. E1.9 In accordance with the DWP Offshoring Policy and while not in any way limiting any other provision of this Contract, the Contractor, or any of its Sub-contractors, shall not process, host at or access Authority Data from premises outside the United Kingdom without the prior written consent of the Authority, and where the Authority gives consent, the Contractor shall comply with any reasonable instructions notified to it by the Authority in relation to the Authority Data in question.