SECURITY OF SHARED INFORMATION. 6.1 The information passed between the Board and the Local Authorities under this Protocol can include extremely sensitive data. The Parties have evaluated the appropriate level of security and have concluded that the highest available levels of both organisational and technical security measures will be applied to this information.
6.2 Both the Board and the Local Authorities have information security policies which are designed to protect the information (particularly, but not exclusively, personal information) which they hold. These policies are binding on all staff of the employing Party and disciplinary action could be taken against staff who violate them. The policies apply to information held by that Party, whether it has originated with that Party or been passed to it by the other. Where there is a joint or integrated team, each member of staff continues to be bound by their own organisation’s security policy. The governance arrangements for such joint working will address any particular security issues which require to be addressed beyond the scope of the general information security policies. Where the Board and a Local Authority establish any joint databases, the agreements regulating the creation and use of such databases will explicitly assign responsibility for information security to one or the other Party to ensure that this is not overlooked.
6.3 The Parties will review their respective information security policies and associated procedures in the light of this Protocol to ensure that they are compatible with each other. Any identified areas where they are not will be the subject of local guidance designed as a minimum to bring the less secure Party or Parties up to the level of the most secure one, and ultimately to bring all Parties up to the highest available levels of both organisational and technical security measures as indicated in Section 6.1. In addition, the professional staff of both organisations have shared professional values and obligations of confidentiality to service users and may be subject to professional disciplinary action (as well as, or instead of, disciplinary action by their employer) if they breach those obligations. This is emphasised in staff training. In extreme cases of knowingly and recklessly disclosing personal information without the consent of the data controller, a criminal offence may have been committed and in appropriate circumstances any Party may refer a member of staff (or other individual) to the Police in connection with such an event. Staff disclosing personal data in line with this Protocol and any relevant local procedural guidance will be deemed to be acting with the permission of the data controller and so not be liable to criminal prosecution.
6.4 The Parties will each ensure that the other Parties are promptly notified of any security breaches, or significant security risks, affecting shared information. In addition, should the breach be considered significant, the ICO will also be notified. The Parties will, where appropriate, work together to rectify any such breach or mitigate any such risk to information security. If personal data is lost as a result of a security breach, the Parties will consider on a case by case basis whether to notify the affected individuals of the breach.
Appears in 3 contracts
Samples: Information Sharing Protocol, Information Sharing Agreement, Information Sharing Agreement
SECURITY OF SHARED INFORMATION. 4.1 The information passed between the Board and the Local Authorities under this Protocol can include extremely sensitive data. The Parties have evaluated the appropriate level of security and have concluded that the highest available levels of both organisational and technical security measures will be applied to this information.
4.2 Both the Board and the Local Authorities have information security policies which are designed to protect the information (particularly, but not exclusively, personal information) which they hold. These policies are binding on all staff of the employing Party and disciplinary action could be taken against staff who violate them. The policies apply to information held by that Party, whether it has originated with that Party or been passed to it by the other. Where there is a joint or integrated team, each member of staff continues to be bound by their own organisation’s security policy. The governance arrangements for such joint working will address any particular security issues which require to be addressed beyond the scope of the general information security policies. Where the Board and a Local Authority establish any joint databases, the agreements regulating the creation and use of such databases will explicitly assign responsibility for information security to one or the other Party to ensure that this is not overlooked.
4.3 The Parties will review their respective information security policies and associated procedures in the light of this Protocol to ensure that they are compatible with each other. Any identified areas where they are not will be the subject of local guidance designed as a minimum to bring the less secure Party or Parties up to the level of the most secure one, and ultimately to bring all Parties up to the highest available levels of both organisational and technical security measures as indicated in Section 4.1. In addition, the professional staff of all the Parties have shared professional values and obligations of confidentiality to service users and may be subject to professional disciplinary action (as well as, or instead of, disciplinary action by their employer) if they breach those obligations. This is emphasised in staff training. In extreme cases of knowingly and recklessly disclosing personal information without the consent of the data controller, a criminal offence may have been committed and in appropriate circumstances any Party may refer a member of staff (or other individual) to the Police in connection with such an event. Staff disclosing personal data in line with this Protocol and any relevant local procedural guidance will be deemed to be acting with the permission of the data controller and so not be liable to criminal prosecution.
4.4 The Parties will each ensure that the other Parties are promptly notified of any personal data breaches or security risks (considered significant in line with current Information Commissioner’s Office Guidance) affecting shared information. In addition, should the breach be considered significant, the ICO will also be notified unless the Party which was data controller of the compromised data concludes that the personal data security breach is unlikely to prejudice the rights and freedoms of the affected data subjects (for example, because the compromised data was encrypted). The Parties will, where appropriate, work together to rectify any such breach or mitigate any such risk to information security. If personal data is lost as a result of a security breach, the Parties will consider on a case by case basis whether to notify the affected individuals of the breach in line with the requirements of the GDPR.
Appears in 1 contract
Samples: Information Sharing Agreement
SECURITY OF SHARED INFORMATION.
4.1 The information passed between the Board and the Local Authorities under this Protocol can include extremely sensitive data. The Parties have evaluated the appropriate level of security and have concluded that the highest available levels of both organisational and technical security measures will be applied to this information.
4.2 Both the Board and the Local Authorities have information security policies which are designed to protect the information (particularly, but not exclusively, personal information) which they hold. These policies are binding on all staff of the employing Party and disciplinary action could be taken against staff who violate them. The policies apply to information held by that Party, whether it has originated with that Party or been passed to it by the other. Where there is a joint or integrated team, each member of staff continues to be bound by their own organisation’s security policy. The governance arrangements for such joint working will address any particular security issues which require to be addressed beyond the scope of the general information security policies. Where the Board and a Local Authority establish any joint databases, the agreements regulating the creation and use of such databases will explicitly assign responsibility for information security to one or the other Party to ensure that this is not overlooked.
4.3 The Parties will review their respective information security policies and associated procedures in the light of this Protocol to ensure that they are compatible with each other. Any identified areas where they are not will be the subject of local guidance designed as a minimum to bring the less secure Party or Parties up to the level of the most secure one, and ultimately to bring all Parties up to the highest available levels of both organisational and technical security measures as indicated in Section 6.1. In addition, the professional staff of both organisations have shared professional values and obligations of confidentiality to service users and may be subject to professional disciplinary action (as well as, or instead of, disciplinary action by their employer) if they breach those obligations. This is emphasised in staff training. In extreme cases of knowingly and recklessly disclosing personal information without the consent of the data controller, a criminal offence may have been committed and in appropriate circumstances any Party may refer a member of staff (or other individual) to the Police in connection with such an event. Staff disclosing personal data in line with this Protocol and any relevant local procedural guidance will be deemed to be acting with the permission of the data controller and so not be liable to criminal prosecution.
4.4 The Parties will each ensure that the other Parties are promptly notified of any security breaches or security risks (considered significant in line with current Information Commissioner’s Office Guidance) affecting shared information. In addition, should the breach be considered significant, the ICO will also be notified. The Parties will, where appropriate, work together to rectify any such breach or mitigate any such risk to information security. If personal data is lost as a result of a security breach, the Parties will consider on a case by case basis whether to notify the affected individuals of the breach.
Appears in 1 contract
Samples: Information Sharing Agreement
SECURITY OF SHARED INFORMATION. 4.1 The information passed between the Board and the Local Authorities under this Protocol can include extremely sensitive data. The Parties have evaluated the appropriate level of security and have concluded that the highest available levels of both organisational and technical security measures will be applied to this information.
4.2 Both the Board and the Local Authorities have information security policies which are designed to protect the information (particularly, but not exclusively, personal information) which they hold. These policies are binding on all staff of the employing Party and disciplinary action could be taken against staff who violate them. The policies apply to information held by that Party, whether it has originated with that Party or been passed to it by the other. Where there is a joint or integrated team, each member of staff continues to be bound by their own organisation’s security policy. The governance arrangements for such joint working will address any particular security issues which require to be addressed beyond the scope of the general information security policies. Where the Board and a Local Authority establish any joint databases, the agreements regulating the creation and use of such databases will explicitly assign responsibility for information security to one or the other Party to ensure that this is not overlooked.
4.3 The Parties will review their respective information security policies and associated procedures in the light of this Protocol to ensure that they are compatible with each other. Any identified areas where they are not will be the subject of local guidance designed as a minimum to bring the less secure Party or Parties up to the level of the most secure one, and ultimately to bring all Parties up to the highest available levels of both organisational and technical security measures as indicated in Section 6.1. In addition, the professional staff of both organisations have shared professional values and obligations of confidentiality to service users and may be subject to professional disciplinary action (as well as, or instead of, disciplinary action by their employer) if they breach those obligations. This is emphasised in staff training. In extreme cases of knowingly and recklessly disclosing personal information without the consent of the data controller, a criminal offence may have been committed and in appropriate circumstances any Party may refer a member of staff (or other individual) to the Police in connection with such an event. Staff disclosing personal data in line with this Protocol and any relevant local procedural guidance will be deemed to be acting with the permission of the data controller and so not be liable to criminal prosecution.
4.4 The Parties will each ensure that the other Parties are promptly notified of any security breaches or security risks (considered significant in line with current Information Commissioner’s Office Guidance) affecting shared information. In addition, should the breach be considered significant, the ICO will also be notified. The Parties will, where appropriate, work together to rectify any such breach or mitigate any such risk to information security. If personal data is lost as a result of a security breach, the Parties will consider on a case by case basis whether to notify the affected individuals of the breach.
Appears in 1 contract
Samples: Information Sharing Agreement