Technical and Organisational Measures. 8.1 The information security regime implemented by the Provider shall be compliant with all relevant legislation, and shall conform to recognised Good Industry Practice.
8.2 Appropriate technical, security and organisational measures shall be taken by the Provider to safeguard against accidental or unlawful destruction, damage, loss, alteration, unauthorised disclosure of or access to, Personal Data.
8.3 The Provider shall apply organisational and technical controls such as network and system specific security, physical security, user access privileges, user passwords, including but not limited to the following to ensure that:
8.3.1 irrespective of whether Personal Data is at rest or in transit, the controls deployed are appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage taking account of the nature and sensitivity of Personal Data;
8.3.2 physical measures provide effective protection for information, systems and services from unauthorised access, theft, interference or damage;
8.3.3 procedures are in place to identify and resolve software and system faults and failures, including the identification of malicious software;
8.3.4 access to Personal Data is role based for legitimate business purposes in accordance with the “need to know” principle and that user permissions are controlled and granted and removed in line with job responsibilities;
8.3.5 sufficiently complex password controls are implemented for all authorised personnel with role based access to Personal Data;
8.3.6 passwords, usernames and access codes are not disclosed to any other person (whether employed by the Provider or not) and that all passwords and security codes are kept securely;
8.3.7 remote access to the Providers’ secure network requires two factor authentication (something the user knows and a token they have);
8.3.8 where Personal Data is not stored solely on secure networks:
(i) only portable devices owned and controlled by the Provider are used to transport Personal Data and devices with built-in hard drives, deploy recognised industry standard encryption software;
(ii) only the minimum necessary Personal Data is transported on portable devices or in paper form;
(iii) systems are in place to account for the movement of paper documents removed from and returned to the secure environment;
(iv) paper documents are kept secure and returned to the secure environment without delay and are not left in unattended vehicles; stored with portable devices or in portable device containers;
8.3.9 unencrypted email via the insecure internet is not used to communicate or transmit private, confidential or commercially sensitive Agreement Data;
8.3.10 exchanges of Personal Data shall conform with the secure methods for electronic transmission in any Information Sharing Agreements (ISAs) agreed by the Council with other parties;
8.3.11 all reasonable precautions are taken to preserve the integrity and prevent any corruption or loss, damage or destruction of Personal Data;
8.3.12 all reasonable steps are taken to maintain and audit compliance with above measures.
8.4 Within 20 Working Days after the Effective Date, the Provider shall prepare and submit to the Council for approval a fully developed complete and up to date Security Management Plan providing a comprehensive written description of the technical and organisational methods employed to safeguard Personal Data supplementing any policies and procedures the Provider may have already supplied.
8.5 Except where the Provider’s IT system security has been subject to penetration testing by an accredited provider in the 18 month period immediately prior to the date of this Agreement, the Provider shall arrange for such a test within the 6 month period immediately following the date of this Agreement. Where a test has taken place within the specified period, a summary of the findings, recommended remedial measures and the actual measures implemented by the Provider shall be supplied to the Council within 4 weeks from the date of this Agreement. In the event of a future test, the summary of the findings together with a plan of any measures the Provider intends to implement shall be provided to the Council no later than 6 weeks after the Provider receives the Assessor’s report.
8.6 In the event any Personal Data related to this Agreement in the possession of the Provider becomes lost, corrupted or rendered unusable for any reason, the Provider undertakes to promptly restore such Personal Data using its back up and/or disaster recovery procedures at no cost to the Council.
Appears in 5 contracts
Samples: Data Processing Agreement, Data Processing Agreement, Data Processing Agreement
Technical and Organisational Measures. 8.1 The information security regime implemented by the Provider shall be compliant with all relevant legislation, and shall conform to recognised Good Industry Practice.
8.2 Appropriate technical, security and organisational measures shall be taken by the Provider to safeguard against accidental or unlawful destruction, damage, loss, alteration, unauthorised disclosure of or access to, Personal Data.
8.3 The Provider shall apply organisational and technical controls such as network and system specific security, physical security, user access privileges, user passwords, including but not limited to the following to ensure that:
8.3.1 irrespective of whether Personal Data is at rest or in transit, the controls deployed are appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage taking account of the nature and sensitivity of Personal Data;
8.3.2 physical measures provide effective protection for information, systems and services from unauthorised access, theft, interference or damage;
8.3.3 procedures are in place to identify and resolve software and system faults and failures, including the identification of malicious software;
8.3.4 access to Personal Data is role based for legitimate business purposes in accordance with the “need to know” principle and that user permissions are controlled and granted and removed in line with job responsibilities;
8.3.5 sufficiently complex password controls are implemented for all authorised personnel with role based access to Personal Data;
8.3.6 passwords, usernames and access codes are not disclosed to any other person (whether employed by the Provider or not) and that all passwords and security codes are kept securely;
8.3.7 remote access to the Providers’ secure network requires two factor authentication (something the user knows and a token they have);
8.3.8 where Personal Data is not stored solely on secure networks:
(i) only portable devices owned and controlled by the Provider are used to transport Personal Data and devices with built-in hard drives, deploy recognised industry standard encryption software;
(ii) only the minimum necessary Personal Data is transported on portable devices or in paper form;
(iii) systems are in place to account for the movement of paper documents removed from and returned to the secure environment;
(iv) paper documents are kept secure and returned to the secure environment without delay and are not left in unattended vehicles; stored with portable devices or in portable device containers;
8.3.9 unencrypted email via the insecure internet is not used to communicate or transmit private, confidential or commercially sensitive Agreement Data;
8.3.10 exchanges of Personal Data shall conform with the secure methods for electronic transmission in any Information Sharing Agreements (ISAs) agreed by the Council with other parties;
8.3.11 all reasonable precautions are taken to preserve the integrity and prevent any corruption or loss, damage or destruction of Personal Data;
8.3.12 all reasonable steps are taken to maintain and audit compliance with above measures.
8.4 Within 20 Working Days after the Effective Date, the provider shall prepare and submit to the Council for approval a fully developed complete and up to date Security Management Plan providing a comprehensive written description of the technical and organisational methods employed to safeguard Personal Data supplementing any policies and procedures the Provider may have already supplied.
8.5 Except where the Provider’s IT system security has been subject to penetration testing by an accredited provider in the 18 month period immediately prior to the date of this Agreement, the Provider shall arrange for such a test within the 6 month period immediately following the date of this Agreement. Where a test has taken place within the specified period, a summary of the findings, recommended remedial measures and the actual measures implemented by the Provider shall be supplied to the Council within 4 weeks from the date of this Agreement. In the event of a future test, the summary of the findings together with a plan of any measures the Provider intends to implement shall be provided to the Council no later than 6 weeks after the Provider receives the Assessor’s report.
8.6 In the event any Personal Data related to this Agreement in the possession of the Provider becomes lost, corrupted or rendered unusable for any reason, the Provider undertakes to promptly restore such Personal Data using its back up and/or disaster recovery procedures at no cost to the Council.
Appears in 4 contracts
Samples: Framework Agreement, Framework Agreement, Framework Agreement
Technical and Organisational Measures. 6.1 The information security regime implemented by the Provider shall be compliant with all relevant legislation, and shall conform to recognised Good Industry Practice.
6.2 Appropriate technical, security and organisational measures shall be taken by the Provider to safeguard against accidental or unlawful destruction, damage, loss, alteration, unauthorised disclosure of or access to, the Agreement Data including as appropriate:
6.2.1 the pseudonymisation and encryption of Personal Data;
6.2.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
6.2.3 the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
6.2.4 a process for regularly testing, assessing and evaluating the effectiveness of security measures.
6.3 The Provider shall apply organisational and technical controls such as network and system specific security, physical security, user access privileges, user passwords, including but not limited to the following to ensure that:
6.3.1 irrespective of whether the Agreement Data is at rest or in transit, the controls deployed are appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage taking account of the nature and sensitivity of the Agreement Data;
6.3.2 physical measures provide effective protection for information, systems and services from unauthorised access, theft, interference or damage;
6.3.3 procedures are in place to identify and resolve software and system faults and failures, including the identification of malicious software;
6.3.4 access to the Agreement Data is role based for legitimate business purposes in accordance with the “need to know” principle and that user permissions are controlled and granted and removed in line with job responsibilities;
6.3.5 sufficiently complex password controls are implemented for all authorised personnel with role based access to the Agreement Data;
6.3.6 passwords, usernames and access codes are not disclosed to any other person (whether employed by the Provider or not) and that all passwords and security codes are kept securely;
6.3.7 if possible, remote access to the Providers’ secure network requires two factor authentication (something the user knows and a token they have);
6.3.8 where the Agreement Data is not stored solely on secure networks:
(i) only portable devices owned and controlled by the Provider are used to transport the Agreement Data and devices with built-in hard drives, deploy recognised industry standard encryption software;
(ii) only the minimum necessary Agreement Data is transported on portable devices or in paper form;
(iii) systems are in place to account for the movement of paper documents removed from and returned to the secure environment;
(iv) paper documents are kept secure and returned to the secure environment without delay and are not left in unattended vehicles; stored with portable devices or in portable device containers;
6.3.9 unencrypted email via the insecure internet is not used to communicate or transmit private, confidential or commercially sensitive Agreement Data;
6.3.10 exchanges of the Agreement Data shall conform with the secure methods for electronic transmission in any Information Sharing Agreements (ISAs) agreed by the School with other parties;
6.3.11 all reasonable precautions are taken to preserve the integrity and prevent any corruption or loss, damage or destruction of the Agreement Data;
6.3.12 all reasonable steps are taken to maintain and audit compliance with above measures.
6.4 The Provider should undergo regular penetration testing by an accredited provider to ensure any security vulnerabilities are identified and addressed.
6.5 The Provider shall provide a comprehensive written description of the technical and organisational methods employed to safeguard Agreement Data, including evidence of regular penetration testing by an accredited provider.
6.6 In the event any Agreement Data related to this Agreement in the possession of the Provider becomes lost, corrupted or rendered unusable for any reason, the Provider undertakes to promptly restore such Agreement Data using its back up and/or disaster recovery procedures at no cost to the School.
Appears in 1 contract
Samples: Data Processor Agreement
Technical and Organisational Measures. 8.1 The information security regime implemented by the Provider shall be compliant with all relevant legislation, and shall conform to recognised Good Industry Practice.
8.2 Appropriate technical, security and organisational measures shall be taken by the Provider to safeguard against accidental or unlawful destruction, damage, loss, alteration, unauthorised disclosure of or access to, Personal Data.
8.3 The Provider shall apply organisational and technical controls such as network and system specific security, physical security, user access privileges, user passwords, including but not limited to the following to ensure that:
8.3.1 irrespective of whether Personal Data is at rest or in transit, the controls deployed are appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage taking account of the nature and sensitivity of Personal Data;
8.3.2 physical measures provide effective protection for information, systems and services from unauthorised access, theft, interference or damage;
8.3.3 procedures are in place to identify and resolve software and system faults and failures, including the identification of malicious software;
8.3.4 access to Personal Data is role based for legitimate business purposes in accordance with the “need to know” principle and that user permissions are controlled and granted and removed in line with job responsibilities;
8.3.5 sufficiently complex password controls are implemented for all authorised personnel with role based access to Personal Data;
8.3.6 passwords, usernames and access codes are not disclosed to any other person (whether employed by the Provider or not) and that all passwords and security codes are kept securely;
8.3.7 remote access to the Providers’ secure network requires two factor authentication (something the user knows and a token they have);
8.3.8 where Personal Data is not stored solely on secure networks:
(i) only portable devices owned and controlled by the Provider are used to transport Personal Data and devices with built-in hard drives, deploy recognised industry standard encryption software;
(ii) only the minimum necessary Personal Data is transported on portable devices or in paper form;
(iii) systems are in place to account for the movement of paper documents removed from and returned to the secure environment;
(iv) paper documents are kept secure and returned to the secure environment without delay and are not left in unattended vehicles; stored with portable devices or in portable device containers;
8.3.9 unencrypted email via the insecure internet is not used to communicate or transmit private, confidential or commercially sensitive Agreement Data;
8.3.10 exchanges of Personal Data shall conform with the secure methods for electronic transmission in any Information Sharing Agreements (ISAs) agreed by the Council with other parties;
8.3.11 all reasonable precautions are taken to preserve the integrity and prevent any corruption or loss, damage or destruction of Personal Data;
8.3.12 all reasonable steps are taken to maintain and audit compliance with above measures.
8.4 Within 20 Working Days after the Effective Date, the provider shall prepare and submit to the Council for approval a fully developed complete and up to date Security Management Plan providing a comprehensive written description of the technical and organisational methods employed to safeguard Personal Data supplementing any policies and procedures the Provider may have already supplied.
8.5 Except where the Provider’s IT system security has been subject to penetration testing by an accredited provider in the 18 month period immediately prior to the date of this Agreement, the Provider shall arrange for such a test within the 6 month period immediately following the date of this Agreement. Where a test has taken place within the specified period, a summary of the findings, recommended remedial measures and the actual measures implemented by the Provider shall be supplied to the Council within 4 weeks from the date of this Agreement. In the event of a future test, the summary of the findings together with a plan of any measures the Provider intends to implement shall be provided to the Council no later than 6 weeks after the Provider receives the Assessor’s report.
8.6 In the event any Personal Data related to this Agreement in the possession of the Provider becomes lost, corrupted or rendered unusable for any reason, the Provider undertakes to promptly restore such Personal Data using its back up and/or disaster recovery procedures at no cost to the Council.
Appears in 1 contract
Samples: Framework Agreement
Technical and Organisational Measures. 8.1 The information security regime implemented by the Provider shall be compliant with all relevant legislation, and shall conform to recognised Good Industry Practice.
8.2 Appropriate technical, security and organisational measures shall be taken by the Provider to safeguard against accidental or unlawful destruction, damage, loss, alteration, unauthorised disclosure of or access to, Personal Data.
8.3 The Provider shall apply organisational and technical controls such as network and system specific security, physical security, user access privileges, user passwords, including but not limited to the following to ensure that:
8.3.1 irrespective of whether Personal Data is at rest or in transit, the controls deployed are appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage taking account of the nature and sensitivity of Personal Data;
8.3.2 physical measures provide effective protection for information, systems and services from unauthorised access, theft, interference or damage;
8.3.3 procedures are in place to identify and resolve software and system faults and failures, including the identification of malicious software;
8.3.4 access to Personal Data is role based for legitimate business purposes in accordance with the “need to know” principle and that user permissions are controlled and granted and removed in line with job responsibilities;
8.3.5 sufficiently complex password controls are implemented for all authorised personnel with role based access to Personal Data;
8.3.6 passwords, usernames and access codes are not disclosed to any other person (whether employed by the Provider or not) and that all passwords and security codes are kept securely;
8.3.7 remote access to the Providers’ secure network requires two factor authentication (something the user knows and a token they have);
8.3.8 where Personal Data is not stored solely on secure networks:
(i) only portable devices owned and controlled by the Provider are used to transport Personal Data and devices with built-in hard drives, deploy recognised industry standard encryption software;
(ii) only the minimum necessary Personal Data is transported on portable devices or in paper form;
(iii) systems are in place to account for the movement of paper documents removed from and returned to the secure environment;
(iv) paper documents are kept secure and returned to the secure environment without delay and are not left in unattended vehicles; stored with portable devices or in portable device containers;
8.3.9 unencrypted email via the insecure internet is not used to communicate or transmit private, confidential or commercially sensitive Agreement Data;
8.3.10 exchanges of Personal Data shall conform with the secure methods for electronic transmission in any Information Sharing Agreements (ISAs) agreed by the Council with other parties;
8.3.11 all reasonable precautions are taken to preserve the integrity and prevent any corruption or loss, damage or destruction of Personal Data;
8.3.12 all reasonable steps are taken to maintain and audit compliance with above measures.
8.4 Within 20 Working Days after the Effective Date, the provider shall prepare and submit to the Council for approval a fully developed complete and up to date Security Management Plan providing a comprehensive written description of the technical and organisational methods employed to safeguard Personal Data supplementing any policies and procedures the Provider may have already supplied.
8.5 Except where the Provider’s IT system security has been subject to penetration testing by an accredited provider in the 18 month period immediately prior to the date of this Agreement, the Provider shall arrange for such a test within the 6 month period immediately following the date of this Agreement. Where a test has taken place within the specified period, a summary of the findings, recommended remedial measures and the actual measures implemented by the Provider shall be supplied to the Council within 4 weeks from the date of this Agreement. In the event of a future test, the summary of the findings together with a plan of any measures the Provider intends to implement shall be provided to the Council no later than 6 weeks after the Provider receives the Assessor’s report.
8.6 In the event any Personal Data related to this Agreement in the possession of the Provider becomes lost, corrupted or rendered unusable for any reason, the Provider undertakes to promptly restore such Personal Data using its back up and/or disaster recovery procedures at no cost to the Council.
Appears in 1 contract
Samples: Data Processing Agreement
Technical and Organisational Measures. 6.1 The information security regime implemented by the Provider shall be compliant with all relevant legislation, and shall conform to recognised Good Industry Practice.
6.2 Appropriate technical, security and organisational measures shall be taken by the Provider to safeguard against accidental or unlawful destruction, damage, loss, alteration, unauthorised disclosure of or access to, the Agreement Data including as appropriate:
6.2.1 the pseudonymisation and encryption of Personal Data;
6.2.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
6.2.3 the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
6.2.4 a process for regularly testing, assessing and evaluating the effectiveness of security measures.
6.3 The Provider shall apply organisational and technical controls such as network and system specific security, physical security, user access privileges, user passwords, including but not limited to the following to ensure that:
6.3.1 irrespective of whether the Agreement Data is at rest or in transit, the controls deployed are appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage taking account of the nature and sensitivity of the Agreement Data;
6.3.2 physical measures provide effective protection for information, systems and services from unauthorised access, theft, interference or damage;
6.3.3 procedures are in place to identify and resolve software and system faults and failures, including the identification of malicious software;
6.3.4 access to the Agreement Data is role based for legitimate business purposes in accordance with the “need to know” principle and that user permissions are controlled and granted and removed in line with job responsibilities;
6.3.5 sufficiently complex password controls are implemented for all authorised personnel with role based access to the Agreement Data;
6.3.6 passwords, usernames and access codes are not disclosed to any other person (whether employed by the Provider or not) and that all passwords and security codes are kept securely;
6.3.7 remote access to the Providers’ secure network requires two factor authentication (something the user knows and a token they have);
6.3.8 where the Agreement Data is not stored solely on secure networks:
(i) only portable devices owned and controlled by the Provider are used to transport the Agreement Data and devices with built-in hard drives, deploy recognised industry standard encryption software;
(ii) only the minimum necessary Agreement Data is transported on portable devices or in paper form;
(iii) systems are in place to account for the movement of paper documents removed from and returned to the secure environment;
(iv) paper documents are kept secure and returned to the secure environment without delay and are not left in unattended vehicles; stored with portable devices or in portable device containers;
6.3.9 unencrypted email via the insecure internet is not used to communicate or transmit private, confidential or commercially sensitive Agreement Data;
6.3.10 exchanges of the Agreement Data shall conform with the secure methods for electronic transmission in any Information Sharing Agreements (ISAs) agreed by Ageing Better with other parties;
6.3.11 all reasonable precautions are taken to preserve the integrity and prevent any corruption or loss, damage or destruction of the Agreement Data;
6.3.12 all reasonable steps are taken to maintain and audit compliance with above measures.
6.4 Within 20 Working Days after the date of this Agreement, the Provider shall prepare and submit to Ageing Better for approval a fully developed complete and up to date Security Management Plan providing a comprehensive written description of the technical and organisational methods employed to safeguard the Agreement Data supplementing any policies and procedures the Provider may have already supplied.
6.5 Except where the Provider’s IT system security has been subject to penetration testing by an accredited provider in the 18 month period immediately prior to the date of this Agreement, the Provider shall arrange for such a test within the 6 month period immediately following the date of this Agreement. Where a test has taken place within the specified period, a summary of the findings, recommended remedial measures and the actual measures implemented by the Provider shall be supplied to Ageing Better within 20 Working Days from the date of this Agreement. In the event of a future test, the summary of the findings together with a plan of any measures the Provider intends to implement shall be provided to Ageing Better no later than 20 Working Days after the Provider receives the assessor’s report.
6.6 In the event any Agreement Data related to this Agreement in the possession of the Provider becomes lost, corrupted or rendered unusable for any reason, the Provider undertakes to promptly restore such Agreement Data using its back up and/or disaster recovery procedures at no cost to Ageing Better.
Appears in 1 contract
Samples: Data Processing Agreement