Freedom of Information and Protection of Privacy Act Any information provided on this contract may be subject to release under the Freedom of Information and Protection of Privacy Act. The Contractor may be consulted prior to release of any information.
Applicability of Data Privacy Protections In the event that Personal Information will be Processed by Supplier in connection with the performance under this Agreement (including any SOW), then and only then shall the provisions of this Section ‘Data Protection and Privacy’ be applicable. For the avoidance of doubt, the data security requirements contained in section ‘Information Security’ shall apply regardless of whether Personal Information is Processed under this Agreement or any SOW. All Personal Information obtained from or on behalf of DXC or in connection with performance pursuant to this Agreement shall be Processed and protected pursuant to this Section ‘Data Protection and Privacy’, the Section ‘Information Security’ and any other Sections of this Agreement that address Personal Information.
Transparency and Freedom of Information 15.1 The Contractor acknowledges that the Authority is subject to the requirements of FOISA and the Environmental Information Regulations. The Contractor shall: (a) provide all necessary assistance and cooperation as the Authority may reasonably request to enable the Authority to comply with its obligations under FOISA and Environmental Information Regulations; (b) transfer to the Authority all Requests for Information relating to this Agreement that the Contractor receives as soon as practicable and in any event within 2 Working Days of receipt; (c) provide the Authority with a copy of all information held on behalf of the Authority which is requested in a Request For Information and which is in the Contractor’s possession or control. The information must be provided within 5 Working Days (or such other period as the Authority may reasonably specify) in the form that the Authority requires. (d) not respond directly to a Request For Information addressed to the Authority unless authorised in writing to do so by the Authority. 15.2 If the Request for Information appears to be directed to information held by the Authority, the Contractor must promptly inform the applicant in writing that the Request for Information can be directed to the Authority. 15.3 If the Authority receives a Request for Information concerning the Framework Agreement, the Authority is responsible for determining at its absolute discretion whether the information requested is to be disclosed to the applicant or whether the information requested is exempt from disclosure in accordance with FOISA or the Environmental Information Regulations. 15.4 The Contractor acknowledges that the Authority may, acting in accordance with the Authority’s Code of Practice on the Discharge of Functions of Public Authorities issued under section 60(5) of FOISA (as may be issued and revised from time to time), be obliged under FOISA or the Environmental Information Regulations to disclose information requested concerning the Contractor or the Framework Agreement: 15.4.1 in certain circumstances without consulting the Contractor, or 15.4.2 following consultation with the Contractor and having taken its views into account.
Data Protection Act 7.1 With respect to the parties' rights and obligations under this Contract, the parties agree that the Department is the Data Controller and that the Contractor is the Data Processor. 7.2 The Contractor shall: 7.2.1 Process the Personal Data only in accordance with instructions from the Department (which may be specific instructions or instructions of a general nature as set out in this Contract or as otherwise notified by the Department to the Contractor during the Term); 7.2.2 Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; 7.2.3 The Contractor shall employ appropriate organisational, operational and technological processes and procedures to keep the Personal Data safe from unauthorised use or access, loss, destruction, theft or disclosure. The organisational, operational and technological processes and procedures adopted are required to comply with the requirements of ISO/IEC 27001 as appropriate to the services being provided to the Department; 7.2.4 Take reasonable steps to ensure the reliability of any Contractor Personnel who have access to the Personal Data; 7.2.5 Obtain prior written consent from the Department in order to transfer the Personal Data to any Sub-contractors or Affiliates for the provision of the Services; 7.2.6 Ensure that all Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 7; 7.2.7 Ensure that none of Contractor Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Department; 7.2.8 Notify the Department within five Working Days if it receives: a request from a Data Subject to have access to that person's Personal Data; or a complaint or request relating to the Department's obligations under the Data Protection Legislation; 7.2.9 Provide the Department with full cooperation and assistance in relation to any complaint or request made, including by: - providing the Department with full details of the complaint or request; - complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Department's instructions; - providing the Department with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Department); and - providing the Department with any information requested by the Department; 7.2.10 Permit the Department or the Department’s Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit the Contractor's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Department to enable the Department to verify and/or procure that the Contractor is in full compliance with its obligations under this Contract; 7.2.11 Provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Department) to be used solely for the purposes of this contract and provided that to do so would not be in breach of the Intellectual Property Rights (including Copyright) of a third party; and 7.2.12 Not process Personal Data outside the European Economic Area without the prior written consent of the Department and, where the Department consents to a transfer, to comply with: - the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing -an adequate level of protection to any Personal Data that is transferred; and - any reasonable instructions notified to it by the Department. 7.3 The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Contract in such a way as to cause the Department to breach any of its applicable obligations under the Data Protection Legislation.
COMPLIANCE WITH NEW YORK STATE INFORMATION SECURITY BREACH AND NOTIFICATION ACT Contractor shall comply with the provisions of the New York State Information Security Breach and Notification Act (General Business Law Section 899-aa; State Technology Law Section 208).
