Traceability 11.1 Under the terms of this Agreement, Supplier shall have and operate a process to ensure that all Products, sub-assemblies and the components contained therein supplied to the Buyer are completely Traceable back to manufacturer by batch or lot or date code.
11.2 Further Supplier hereby agrees, unless directed otherwise by the Buyer, to procure components through franchised distributors or direct component Suppliers. Supplier agrees to indemnify and hold the Buyer harmless from and against all costs and expenses for the removal, repair or replacement and reinstallation of counterfeit components incorporated into a Product sold by Supplier to the Buyer where the counterfeit component was procured by Supplier from a person or entity other than a franchised distributor or direct component Supplier or other person or entity pre-approved by the Buyer in writing.
Data Retention The Company will hold and use the Data only as long as is necessary to implement, administer and manage the Grantee’s participation in the Plan, or as required to comply with legal or regulatory obligations, including under tax and security laws.
Review of legality and data minimisation (a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
Data Security and Unauthorized Data Release The Requester and Approved Users, including the Requester’s IT Director, acknowledge NIH’s expectation that they have reviewed and agree to manage the requested controlled-access dataset(s) and any Data Derivatives of controlled-access datasets according to NIH’s expectations set forth in the current NIH Security Best Practices for Controlled-Access Data Subject to the GDS Policy and the Requester’s IT security requirements and policies. The Requester, including the Requester’s IT Director, agree that the Requester’s IT security requirements and policies are sufficient to protect the confidentiality and integrity of the NIH controlled-access data entrusted to the Requester. If approved by NIH to use cloud computing for the proposed research project, as outlined in the Research and Cloud Computing Use Statements of the Data Access Request, the Requester acknowledges that the IT Director has reviewed and understands the cloud computing guidelines in the NIH Security Best Practices for Controlled-Access Data Subject to the NIH GDS Policy. The Requester and PI agree to notify the appropriate DAC(s) of any unauthorized data sharing, breaches of data security, or inadvertent data releases that may compromise data confidentiality within 24 hours of when the incident is identified. As permitted by law, notifications should include any known information regarding the incident and a general description of the activities or process in place to define and remediate the situation fully. Within 3 business days of the DAC notification, the Requester agrees to submit to the DAC(s) a detailed written report including the date and nature of the event, actions taken or to be taken to remediate the issue(s), and plans or processes developed to prevent further problems, including specific information on timelines anticipated for action. The Requester agrees to provide documentation verifying that the remediation plans have been implemented. Repeated violations or unresponsiveness to NIH requests may result in further compliance measures affecting the Requester. NIH, or another entity designated by NIH may, as permitted by law, also investigate any data security incident or policy violation. Approved Users and their associates agree to support such investigations and provide information, within the limits of applicable local, state, tribal, and federal laws and regulations. In addition, Requester and Approved Users agree to work with the NIH to assure that plans and procedures that are developed to address identified problems are mutually acceptable and consistent with applicable law.
Data Requirements • The data referred to in this document are encounter data – a record of health care services, health conditions and products delivered for Massachusetts Medicaid managed care beneficiaries. An encounter is defined as a visit with a unique set of services/procedures performed for an eligible recipient. Each service should be documented on a separate encounter claim detail line completed with all the data elements including date of service, revenue and/or procedure code and/or NDC number, units, and MCE payments/cost of care for a service or product. • All encounter claim information must be for the member identified on the claim by Medicaid ID. Claims must not be submitted with another member’s identification (e.g., xxxxxxx claims must not be submitted under the Mom’s ID). • All claims should reflect the final status of the claim on the date it is pulled from the MCE’s Data Warehouse. • For MassHealth, only the latest version of the claim line submitted to MassHealth is “active”. Previously submitted versions of claim lines get offset (no longer “active” with MassHealth) and payments are not netted. • An encounter is a fully adjudicated service (with all associated claim lines) where the MCE incurred the cost either through direct payment or sub-contracted payment. Generally, at least one line would be adjudicated as “paid”. All adjudicated claims must have a complete set of billing codes. There may also be fully adjudicated claims where the MCE did not incur a cost but would otherwise like to inform MassHealth of covered services provided to Enrollees/Members, such as for quality measure reporting (e.g., CPT category 2 codes for A1c lab tests and care/patient management). • All claim lines should be submitted for each Paid claim, including zero paid claim lines (e.g., bundled services paid at an encounter level and patient copays that exceeded the fee schedule). Denied lines should not be included in the Paid submission. Submit one encounter record/claim line for each service performed (i.e., if a claim consisted of five services or products, each service should have a separate encounter record). Pursuant to contract, an encounter record must be submitted for all covered services provided to all enrollees. Payment amounts must be greater than or equal to zero. There should not be negative payments, including on voided claim lines. • Records/services of the same encounter claim must be submitted with same claim number. There should not be more than one active claim number for the same encounter. All paid claim lines within an encounter must share the same active claim number. If there is a replacement claim with a new version of the claim number, all former claim lines must be replaced by the new claim number or be voided. The claim number, which creates the encounter, and all replacement encounters must retain the same billing provider ID or be completely voided. • Plans are expected to use current MassHealth MCE enrollment assignments to attribute Members to the MassHealth assigned MCE. The integrity of the family of claims should be maintained when submitting claims for multiple MCEs (ACOs/MCO). Entity PIDSL, New Member ID, and the claim number should be consistent across all lines of the same claim. • Data should conform to the Record Layout specified in Section 3.0 of this document. Any deviations from this format will result in claim line or file rejections. Each row in a submitted file should have a unique Claim Number + Suffix combination. • A feed should consist of new (Original) claims, Amendments, Replacements (a.k.a. Adjustments) and/or Voids. The replacements and voids should have a former claim number and former suffix to associate them with the claim + suffix they are voiding or replacing. See Section 2.0, Data Element Clarifications, for more information. • While processing a submission, MassHealth scans the files for the errors. Rejected records are sent back to the MCEs in error reports in a format of the input files with two additional columns to indicate an error code and the field with the error. • Unless otherwise directed or allowed by XxxxXxxxxx, all routine monthly encounter submissions must be successfully loaded to the MH DW on or before the last day of each month with corrected rejections successfully loaded within 5 business days of the subsequent month for that routine monthly encounter submission to be considered timely and included in downstream MassHealth processes. Routine monthly encounter submissions should contain claims with paid/transaction dates through the end of the previous month.
Data Encryption Contractor must encrypt all State data at rest and in transit, in compliance with FIPS Publication 140-2 or applicable law, regulation or rule, whichever is a higher standard. All encryption keys must be unique to State data. Contractor will secure and protect all encryption keys to State data. Encryption keys to State data will only be accessed by Contractor as necessary for performance of this Contract.
Data Return and Destruction of Data (a) Protecting PII from unauthorized access and disclosure is of the utmost importance to the EA, and Contractor agrees that it is prohibited from retaining PII or continued access to PII or any copy, summary or extract of PII, on any storage medium (including, without limitation, in secure data centers and/or cloud-based facilities) whatsoever beyond the period of providing Services to the EA, unless such retention is either expressly authorized for a prescribed period by the Service Agreement or other written agreement between the Parties, or expressly requested by the EA for purposes of facilitating the transfer of PII to the EA or expressly required by law. As applicable, upon expiration or termination of the Service Agreement, Contractor shall transfer PII, in a format agreed to by the Parties to the EA.
(b) If applicable, once the transfer of PII has been accomplished in accordance with the EA’s written election to do so, Contractor agrees to return or destroy all PII when the purpose that necessitated its receipt by Contractor has been completed. Thereafter, with regard to all PII (including without limitation, all hard copies, archived copies, electronic versions, electronic imaging of hard copies) as well as any and all PII maintained on behalf of Contractor in a secure data center and/or cloud-based facilities that remain in the possession of Contractor or its Subcontractors, Contractor shall ensure that PII is securely deleted and/or destroyed in a manner that does not allow it to be retrieved or retrievable, read or reconstructed. Hard copy media must be shredded or destroyed such that PII cannot be read or otherwise reconstructed, and electronic media must be cleared, purged, or destroyed such that the PII cannot be retrieved. Only the destruction of paper PII, and not redaction, will satisfy the requirements for data destruction. Redaction is specifically excluded as a means of data destruction.
(c) Contractor shall provide the EA with a written certification of the secure deletion and/or destruction of PII held by the Contractor or Subcontractors.
(d) To the extent that Contractor and/or its subcontractors continue to be in possession of any de-identified data (i.e., data that has had all direct and indirect identifiers removed), they agree not to attempt to re-identify de-identified data and not to transfer de-identified data to any party.
DATA RETENTION AND DELETION 7.1. No party shall retain or process Shared Personal Data for longer than is necessary to carry out the Agreed Purposes. parties shall continue, however, to retain Shared Personal Data in accordance with any statutory retention periods applicable in their respective countries and/or states.
Meteorological Data Reporting Requirement (Applicable to wind generation facilities only)
Data Deletion Google will delete Customer Data in accordance with Section 6 (Data Deletion) of the Data Processing Amendment.
