Common use of Data Breach Response Plan Clause in Contracts

Data Breach Response Plan. 6.2.1. If the Licensee becomes aware of an actual, or potential, eligible data breach, the Licensee shall immediately notify Compsys and provide Compsys with the following details: (a) The nature of the data breach; (b) The type and sensitivity of the information involved in the data breach; (c) Remedial action that has been taken in response to the data breach; (d) Any security measures in place to protect the data; (e) The nature of the harm that may arise as a result of the data breach; and (f) Any other relevant matters. Where possible, Compsys will endeavour to work with the Licensee to take remedial action to prevent serious harm from eventuating to the individual/s the subject of the data. 6.2.2. Alternatively, if Compsys becomes aware of an eligible data breach in respect of the Licensee’s data, Compsys may notify the Licensee and, where possible, work with the Licensee to take remedial action to prevent serious harm from eventuating to the individual/s the subject of the data. 6.2.3. Where an eligible data breach has occurred, Compsys shall determine which party is responsible for the data breach and allocate responsibility for notification of the data breach to the individual/s the subject of the data and/or OAIC. 6.2.4. As a general rule, a party will be deemed responsible for the data breach where that party’s employee/s or premises have: 6.2.4.1. lost, or have been the subject of a theft of, laptops, removable storage devices, or paper records containing personal information; 6.2.4.2. disposed of hard disk drives and other digital storage media without the contents first being erased; 6.2.4.3. accessed or disclosed personal information outside the requirements of authorisation of their employment; 6.2.4.4. had paper records stolen from insecure recycling or garbage bins; 6.2.4.5. mistakenly provided personal information to the wrong person, for example, an email was sent to the wrong address; 6.2.4.6. has been deceived into improperly releasing the personal information of another person; and 6.2.4.7. any other scenario that Compsys deems the responsibility of the Licensee. 6.2.5. Compsys will also be deemed responsible for a data breach where its database/s containing personal information are hacked into or otherwise illegally accessed by individuals outside of the Compsys organisation. 6.2.6. The party Compsys deems responsible for the data breach has the responsibility of reporting the breach to: 6.2.6.1. the individual the subject of the information; 6.2.6.2. the OAIC; and 6.2.6.3. any other relevant third party. 6.2.7. As a general rule, Licensee will be responsible for contacting the individual/s the subject of the data breach because they have an existing relationship with the individual/s.

Data Breach Response Plan. 6.2.1. If the Licensee becomes aware of an actual, or potential, eligible data breach, the Licensee shall immediately notify Compsys Redbourne and provide Compsys Redbourne with the following details: (a) The nature of the data breach; (b) The type and sensitivity of the information involved in the data breach; (c) Remedial action that has been taken in response to the data breach; (d) Any security measures in place to protect the data; (e) The nature of the harm that may arise as a result of the data breach; and (f) Any other relevant matters. Where possible, Compsys Redbourne will endeavour to work with the Licensee to take remedial action to prevent serious harm from eventuating to the individual/s the subject of the data. 6.2.2. Alternatively, if Compsys Redbourne becomes aware of an eligible data breach in respect of the Licensee’s data, Compsys Redbourne may notify the Licensee and, where possible, work with the Licensee to take remedial action to prevent serious harm from eventuating to the individual/s the subject of the data. 6.2.3. Where an eligible data breach has occurred, Compsys Redbourne shall determine which party is responsible for the data breach and allocate responsibility for notification of the data breach to the individual/s the subject of the data and/or OAIC. 6.2.4. As a general rule, a party will be deemed responsible for the data breach where that party’s employee/s or premises have: 6.2.4.1. lost, or have been the subject of a theft of, laptops, removable storage devices, or paper records containing personal information; 6.2.4.2. disposed of hard disk drives and other digital storage media without the contents first being erased; 6.2.4.3. accessed or disclosed personal information outside the requirements of authorisation of their employment; 6.2.4.4. had paper records stolen from insecure recycling or garbage bins; 6.2.4.5. mistakenly provided personal information to the wrong person, for example, an email was sent to the wrong address; 6.2.4.6. has been deceived into improperly releasing the personal information of another person; and 6.2.4.7. any other scenario that Compsys Redbourne deems the responsibility of the Licensee. 6.2.5. Compsys Redbourne will also be deemed responsible for a data breach where its database/s containing personal information are hacked into or otherwise illegally accessed by individuals outside of the Compsys Redbourne organisation. 6.2.6. The party Compsys Redbourne deems responsible for the data breach has the responsibility of reporting the breach to: 6.2.6.1. the individual the subject of the information; 6.2.6.2. the OAIC; and 6.2.6.3. any other relevant third party. 6.2.7. As a general rule, Licensee will be responsible for contacting the individual/s the subject of the data breach because they have an existing relationship with the individual/s.

Data Breach Response Plan. 6.2.1. If the Licensee becomes aware of an actual, or potential, eligible data breach, the Licensee shall immediately notify Compsys Redbourne and provide Compsys Redbourne with the following details: (a) The nature of the data breach; (b) The type and sensitivity of the information involved in the data breach; (c) Remedial action that has been taken in response to the data breach; (d) Any security measures in place to protect the data; (e) The nature of the harm that may arise as a result of the data breach; and (f) Any other relevant matters. Where possible, Compsys ▇▇▇▇▇▇▇▇▇ will endeavour to work with the Licensee to take remedial action to prevent serious harm from eventuating to the individual/s the subject of the data. 6.2.2. Alternatively, if Compsys ▇▇▇▇▇▇▇▇▇ becomes aware of an eligible data breach in respect of the Licensee’s data, Compsys Redbourne may notify the Licensee and, where possible, work with the Licensee to take remedial action to prevent serious harm from eventuating to the individual/s the subject of the data. 6.2.3. Where an eligible data breach has occurred, Compsys Redbourne shall determine which party is responsible for the data breach and allocate responsibility for notification of the data breach to the individual/s the subject of the data and/or OAIC. 6.2.4. As a general rule, a party will be deemed responsible for the data breach where that party’s employee/s or premises have: 6.2.4.1. lost, or have been the subject of a theft of, laptops, removable storage devices, or paper records containing personal information; 6.2.4.2. disposed of hard disk drives and other digital storage media without the contents first being erased; 6.2.4.3. accessed or disclosed personal information outside the requirements of authorisation of their employment; 6.2.4.4. had paper records stolen from insecure recycling or garbage bins; 6.2.4.5. mistakenly provided personal information to the wrong person, for example, an email was sent to the wrong address; 6.2.4.6. has been deceived into improperly releasing the personal information of another person; and 6.2.4.7. any other scenario that Compsys ▇▇▇▇▇▇▇▇▇ deems the responsibility of the Licensee. 6.2.5. Compsys Redbourne will also be deemed responsible for a data breach where its database/s containing personal information are hacked into or otherwise illegally accessed by individuals outside of the Compsys Redbourne organisation. 6.2.6. The party Compsys Redbourne deems responsible for the data breach has the responsibility of reporting the breach to: 6.2.6.1. the individual the subject of the information; 6.2.6.2. the OAIC; and 6.2.6.3. any other relevant third party. 6.2.7. As a general rule, Licensee will be responsible for contacting the individual/s the subject of the data breach because they have an existing relationship with the individual/s.