Common use of Protection of Personal Data Clause in Contracts

Protection of Personal Data. With respect to the Parties' rights and obligations under the Contract, the Parties agree that the Client is the Data Controller and that the Solicitor is the Data Processor in relation to the Client’s Personal Data. The Solicitor shall: Process the Client’s Personal Data only in accordance with instructions from the Client (which may be specific instructions or instructions of a general nature as set out in the Contract or as otherwise notified by the Client to the Solicitor during the term of the Contract); Process the Client’s Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect the Client’s Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Client’s Personal Data and having regard to the nature of the Client’s Personal Data which is to be protected; take reasonable steps to ensure the reliability of all members of the Solicitor’s Staff who have access to the Client’s Personal Data; obtain the Client’s prior written approval in order to transfer all or any of the Client’s Personal Data to any Sub-Contractors for the provision of the Contract Services; ensure that all members of the Solicitor’s Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 6.1; ensure that none of the Solicitor’s Staff publish, disclose or divulge any of the Client’s Personal Data to any third party unless directed in writing to do so by the Client; notify the Client within five (5) Working Days if the Solicitor receives: a request from a Data Subject to have access to the Client’s Personal Data relating to that person; or a complaint or request relating to the Client's obligations under the Data Protection Legislation; provide the Client with full cooperation and assistance in relation to any complaint or request made relating to the Client’s Personal Data, including by: providing the Client with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Client's instructions; providing the Client with any Client’s Personal Data it holds in relation to a Data Subject (within the timescales required by the Client); and providing the Client with any information requested by the Client; permit or procure permission for the Client or the Client’s Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, the Solicitor's data Processing activities (and/or those of its agents and Sub-Contractors) and comply with all reasonable requests or directions by the Client to enable the Client to verify and/or procure that the Solicitor is in full compliance with its obligations under the Contract; provide a written description of the technical and organisational methods employed by the Solicitor for Processing the Client’s Personal Data (within the timescales required by the Client); and not Process or otherwise transfer any Client’s Personal Data outside the European Economic Area without the prior written consent of the Client which may be given on such terms as the Client in its discretion thinks fit. The Solicitor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Client to breach any of its applicable obligations under the Data Protection Legislation. The Solicitor acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to the Client’s Personal Data that the Client may be irreparably harmed (including harm to its reputation). In such circumstances, the Client may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach). In the event that through any failure by the Solicitor to comply with its obligations under the Contract, Client’s Personal Data is transmitted or Processed in connection with the Contract is either lost or sufficiently degraded so as to be unusable, the Solicitor shall be liable for the cost of reconstitution of that data and shall reimburse the Client in respect of any charge levied for its transmission and any other costs charged in connection with such failure by the Solicitor.

Protection of Personal Data. With respect to the Parties' rights and obligations under the Contract, the Parties agree that the Client Authority is the Data Controller and that the Solicitor Contractor is the Data Processor in relation to the Client’s Personal DataProcessor. The Solicitor Contractor shall: Process the Client’s Personal Data only in accordance with instructions from the Client Authority (which may be specific instructions or instructions of a general nature as set out in the Contract or as otherwise notified by the Client Authority to the Solicitor Contractor during the term Contract Period) and the Contractor shall at the very least comply with the provisions of the Contract)Information Security Schedule; Process the Client’s Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect the Client’s Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Client’s Personal Data and having regard to the nature of the Client’s Personal Data which is to be protectedprotected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security); take reasonable steps to ensure the reliability of all members of the Solicitorany Contractor’s Staff Personnel who have access to the Client’s Personal Data; obtain the Client’s prior written approval consent from the Authority in order to transfer all or any of the Client’s Personal Data to any Subsub-Contractors contractors or affiliates for the provision of the Contract Services; ensure that all members of the SolicitorContractor’s Staff Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 6.1clause 18; ensure that none of the SolicitorContractor’s Staff Personnel publish, disclose or divulge any of the Client’s Personal Data to any third party unless directed in writing to do so by the ClientAuthority; notify the Client Authority (within five (5Working Days) Working Days if the Solicitor it receives: a request from a Data Subject to have access to the Client’s Personal Data relating to that person's Personal Data; or a complaint or request relating to the ClientAuthority's obligations under the Data Protection Legislation; provide the Client Authority with full cooperation co-operation and assistance in relation to any complaint or request made relating to the Client’s Personal Datamade, including by: providing the Client Authority with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the ClientAuthority's instructions; providing the Client Authority with any Client’s Personal Data it holds in relation to a Data Subject (Subject, within the timescales required by the Client)Authority; and providing the Client Authority with any information requested by the ClientAuthority; permit or procure permission for ‫permit the Client or the Client’s Representative Authority (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the SolicitorContractor's data Processing activities (and/or those of its agents and Sub-ContractorsPersonnel) and comply with all reasonable requests or directions by the Client Authority to enable the Client Authority to verify and/or procure that the Solicitor Contractor is in full compliance with its obligations under the Contract; provide a written description of the technical and organisational methods employed by the Solicitor Contractor for Processing the Client’s processing Personal Data (within the timescales required by the ClientAuthority); and not ‫not Process or otherwise transfer any Client’s Personal Data outside the European Economic Area without the prior written consent of the Client which may be given on such terms as Authority and, where the Client Authority consents to a transfer, to comply with: ‫the obligations of a Data Controller under the Eighth Data Protection Principle set out in its discretion thinks fitSchedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and any reasonable instructions notified to it by the Authority. The Solicitor ‫The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Client Authority to breach any of its applicable obligations under the Data Protection Legislation. Freedom of Information The Solicitor Contractor acknowledges that, in that the event that it breaches (or attempts or threatens to breach) its obligations relating Authority is subject to the Client’s Personal Data that requirements of the Client may be irreparably harmed (including harm Code of Practice on Government Information, FOIA and the Environmental Information Regulations and shall assist and co-operate with the Authority to its reputation). In such circumstances, enable the Client may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach). In the event that through any failure by the Solicitor Authority to comply with its Information disclosure obligations. The Contractor shall and shall procure that its sub-contractors shall: transfer to the Authority all Requests for Information that it receives as soon as practicable and in any event within two Working Days of receiving a Request for Information; provide the Authority with a copy of all Information in its possession, or power in the form that the Authority requires within five Working Days (or such other period as the Authority may specify) of the Authority's request; and provide all necessary assistance as reasonably requested by the Authority to enable the Authority to respond to the Request for Information within the time for compliance set out in section 10 of the FOIA or regulation 5 of the Environmental Information Regulations. ‫The Authority shall be responsible for determining in its absolute discretion and notwithstanding any other provision in the Contract or any other agreement whether the Commercially Sensitive Information and/or any other Information is exempt from disclosure in accordance with the provisions of the Code of Practice on Government Information, FOIA or the Environmental Information Regulations. In no event shall the Contractor respond directly to a Request for Information unless expressly authorised to do so by the Authority. The Contractor acknowledges that (notwithstanding the provisions of this clause 19) the Authority may be obliged under the FOIA, or the Environmental Information Regulations to disclose information concerning the Contractor or the Services: ‫in certain circumstances without consulting the Contractor; or following consultation with the Contractor and having taken their views into account; ‫provided always that where clause 19.5.1 applies the Authority shall take reasonable steps, where appropriate, to give the Contractor advanced notice, or failing that, to draw the disclosure to the Contractor’s attention after any such disclosure. ‫The Contractor shall ensure that all Information is retained for disclosure and shall permit the Authority to inspect such records as requested from time to time. ‫Confidentiality ‫ The Parties acknowledge that, except for any information which is exempt from disclosure in accordance with the provisions of the FOIA , the content of this Contract is not Confidential Information. The Authority shall be responsible for determining in its absolute discretion whether any of the content of the Contract is exempt from disclosure in accordance with the provisions of the FOIA. Notwithstanding any other term of this Contract, the Contractor hereby gives consent for the Authority to publish the Contract in its entirety (but with any information which is exempt from disclosure in accordance with the provisions of the FOIA redacted), including from time to time agreed changes to the Contract, to the general public. The Contractor shall assist and cooperate with the Authority to enable the Authority to publish this Contract. Prior to publication the Authority may, at its sole discretion, in whole or in part, redact information for one or more of the following grounds: national security; personal data; information protected by intellectual property law; information which it is not in the public interest to disclose (under a Freedom of Information Act analysis) third party confidential information; IT security; or prevention of fraud ‫Except to the extent set out in this clause or where disclosure is expressly permitted elsewhere in the Contract, each Party shall: ‫treat the other Party's Confidential Information as confidential and safeguard it accordingly; and not disclose the other Party's Confidential Information to any other person without the owner's prior written consent. Clause 20.2 shall not apply to the extent that: such disclosure is a requirement of Law placed upon the Party making the disclosure, including any requirements for disclosure under the FOIA, Code of Practice on Access to Government Information or the Environmental Information Regulations pursuant to clause 19; such information was in the possession of the Party making the disclosure without obligation of confidentiality prior to its disclosure by the information owner; such information was obtained from a third party without obligation of confidentiality; such information was already in the public domain at the time of disclosure otherwise than by a breach of the Contract; or it is independently developed without access to the other Party's Confidential Information. ‫The Contractor may only disclose the Authority's Confidential Information to the Contractor’s Personnel who are directly involved in the provision of the Goods or Services any of the Authority’s Confidential Information and need to know, and shall ensure that the Contractor’s Personnel are aware of and shall comply with this clause 20. The Contractor shall not, and shall procure that the Contractor’s Personnel do not, use any of the Authority's Confidential Information received otherwise than for the purposes of the Contract. At the written request of the Authority, the Contractor shall procure that those members of the Contractor’s Personnel identified in the Authority's notice sign a confidentiality undertaking on similar terms to the Contract prior to commencing any work in accordance with the Contract. Nothing in the Contract shall prevent the Authority from disclosing the Contractor's Confidential Information (including the Management Information obtained under clause 24): ‫to any Crown Body or any other Contracting Authority on the understanding that they shall be entitled to further disclose the Confidential Information to other Crown Bodies or other Contracting Authorities on the basis that the information is confidential and is not to be disclosed to a third party which is not part of any Crown Body or any Contracting Authority; to any consultant, contractor or other person engaged by the Authority or any person conducting an Office of Government Commerce gateway review; for the purpose of the examination and certification of the Authority's accounts; or for any examination pursuant to Section 6(1) of the National Audit Act 1983 of the economy, efficiency and effectiveness with which the Authority has used its resources. ‫The Authority shall use all reasonable endeavours to ensure that any government department, Contracting Authority, employee, third party or sub-contractor to whom the Contractor's Confidential Information is disclosed pursuant to clause 20.7 is made aware of the Authority's obligations of confidentiality. Nothing in this clause 20 shall prevent either Party from using any techniques, ideas or know-how gained during the performance of the Contract in the course of its normal business to the extent that this use does not result in a disclosure of the other Party's Confidential Information or an infringement of IPR. Official Secrets Acts 1911 to 1989, Section 182 of the Finance Act 1989 The Contractor undertakes to abide by, and ensure that its Personnel abide by, the provisions of:- ‫ ‫the Official Secrets Acts 1911 to 1989; and Section 182 of the Finance Act 1989. ‫In the event that the Contractor and its Personnel fail to comply with this clause, the Authority reserves the right to terminate the Contract by giving notice in writing to the Contractor. Publicity, Media and Official Enquiries Without prejudice to the Authority’s obligations under the ContractFOIA, Client’s Personal Data is transmitted neither Party shall make any press announcements or Processed publicise the Contract or any part thereof in connection any way, except with the Contract is either lost written consent of the other Party. Both Parties shall take reasonable steps to ensure that their Personnel comply with clause 22.1. Intellectual Property Rights Intellectual Property Rights in any guidance, specifications, instructions, toolkits, plans, data, drawings, databases, patents, patterns, models, designs or sufficiently degraded so as other material (the "IP Materials"): ‫furnished or made available to be unusable, the Solicitor Contractor by or on behalf of the Authority shall be liable remain the property of the Authority; and prepared by or for the cost Contractor on behalf of reconstitution the Authority for use, or intended use, in relation to the performance by the Contractor of that data its obligations under the Contract shall belong to the Authority; ‫and the Contractor shall not, and shall reimburse procure that the Client Contractor’s Personnel shall not, (except when necessary for the performance of the Contract) without prior Approval, use or disclose any such Intellectual Property Rights in respect of any charge levied for its transmission and any other costs charged in connection with such failure by the SolicitorIP Materials.

Protection of Personal Data. With respect to To the Parties' rights and obligations under the Contract, the Parties agree extent that the Client Contractor acts as a Data Processor in respect of any Personal Data for which the Authority or a Related Organisation is the Data Controller and that Controller, the Solicitor is the Data Processor in relation to the Client’s Personal Data. The Solicitor Contractor shall: Process the Client’s Personal Data only in accordance with instructions from the Client Authority or Related Organisation (which may be specific instructions or instructions of a general nature as set out in the Contract or as otherwise notified by the Client Authority or Related Organisation to the Solicitor Contractor during the term Term) and the Contractor shall at the very least comply with the provisions of the Contract)HM Government Security Framework as updated from time to time; Process the Client’s Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law Legislation or any Regulatory BodyRelevant Authority; implement appropriate technical and organisational measures to protect the Client’s Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Client’s Personal Data and having regard to the nature of the Client’s Personal Data which is to be protected; take reasonable steps to ensure the reliability of all members of the Solicitor’s any Contractor's Staff who have access to the Client’s Personal Data; obtain the Client’s prior written approval consent from the Authority or relevant Related Organisation in order to transfer all or any of the Client’s Personal Data to any Subsub-Contractors contractors or affiliates for the provision of the Contract Services; ensure that all members of the Solicitor’s Contractor's Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 6.1clause 52.2 (Protection of Personal Data); ensure that none of the Solicitor’s Contractor's Staff publish, disclose or divulge any of the Client’s Personal Data to any third party unless directed in writing to do so by the ClientAuthority; notify the Client Authority or relevant Related Organisation (within five (5) Working Days Business Days) if the Solicitor it receives: a request from a Data Subject to have access to the Client’s Personal Data relating to that person's Personal Data; or a complaint or request relating to the ClientAuthority's or Related Organisation obligations under the Data Protection Legislation; provide the Client Authority and the Related Organisations with full cooperation co-operation and assistance in relation to any complaint or request made relating to the Client’s Personal Datamade, including by: providing the Client Authority with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the ClientAuthority's instructions; providing the Client Authority and the Related Organisations with any Client’s Personal Data it holds in relation to a Data Subject (Subject, within the timescales required by the Client)Authority or relevant Related Organisation; and providing the Client Authority and the Related Organisations with any information requested by the ClientAuthority or relevant Related Organisation; permit or procure permission for the Client or Authority and the Client’s Representative Related Organisations (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, audit the SolicitorContractor's data Processing activities (and/or those of its agents and Sub-Contractorsthe Contractor's Staff) and comply with all reasonable requests or directions by the Client Authority and the Related Organisations to enable the Client Authority or relevant Related Organisation to verify and/or procure that the Solicitor Contractor is in full compliance with its obligations under the Contract; provide a written description of the technical and organisational methods employed by the Solicitor Contractor for Processing the Client’s processing Personal Data (within the timescales reasonably required by the ClientAuthority or relevant Related Organisation); and not Process or otherwise transfer any Client’s Personal Data outside the European Economic Area without the prior written consent of the Client which may be given on such terms as Authority or relevant Related Organisation and, where the Client Authority or relevant Related Organisation consents to a transfer, to comply with: the obligations of a Data Controller under the Eighth Data Protection Principle set out in its discretion thinks fit. The Solicitor shall Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; any reasonable instructions notified to it by the Authority or relevant Related Organisation; comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Client Authority or relevant Related Organisation to breach any of its applicable obligations under the Data Protection Legislation. The Solicitor acknowledges that; and indemnify and keep indemnified in full the Authority and Related Organisations and any of its or their employees, in the event that agents and contractors against all Direct Losses incurred by it breaches (or attempts or threatens to breach) its obligations relating to the Client’s Personal Data that the Client may be irreparably harmed (including harm to its reputation). In such circumstances, the Client may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach). In the event that through any failure by the Solicitor to comply with its obligations under the Contract, Client’s Personal Data is transmitted or Processed in connection with the Contract is either lost or sufficiently degraded so as to be unusable, the Solicitor shall be liable for the cost of reconstitution of that data and shall reimburse the Client them in respect of any charge levied for its transmission and any other costs charged in connection with such failure breach of this clause 52.2 (Protection of Personal Data) by the SolicitorContractor and/or any act or omission of any sub-contractor which causes the Contractor to be in breach of this clause 52.2 (Protection of Personal Data). 53EUROPEAN SOCIAL FUND Where the Authority identifies duties to be undertaken by the Contractor under this Contract that are supported directly or indirectly by the European Social Fund, the Contractor shall comply with the provisions of Schedule 16 (European Social Fund).

Protection of Personal Data. With respect to the Parties' rights and obligations under the Contract, the Parties agree that the Client Authority is the Data Controller and that the Solicitor Contractor is the Data Processor in relation to the Client’s Personal DataProcessor. The Solicitor Contractor shall: Process the Client’s Personal Data only in accordance with instructions from the Client Authority (which may be specific instructions or instructions of a general nature as set out in the Contract or as otherwise notified by the Client Authority to the Solicitor Contractor during the term Contract Period) and the Contractor shall at the very least comply with the provisions of the Contract)Information Security Schedule; Process the Client’s Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect the Client’s Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Client’s Personal Data and having regard to the nature of the Client’s Personal Data which is to be protectedprotected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security); take reasonable steps to ensure the reliability of all members of the Solicitorany Contractor’s Staff Personnel who have access to the Client’s Personal Data; obtain the Client’s prior written approval consent from the Authority in order to transfer all or any of the Client’s Personal Data to any Subsub-Contractors contractors or affiliates for the provision of the Contract Services; ensure that all members of the SolicitorContractor’s Staff Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 6.1clause 18; ensure that none of the SolicitorContractor’s Staff Personnel publish, disclose or divulge any of the Client’s Personal Data to any third party unless directed in writing to do so by the ClientAuthority; notify the Client Authority (within five (5Working Days) Working Days if the Solicitor it receives: a request from a Data Subject to have access to the Client’s Personal Data relating to that person's Personal Data; or a complaint or request relating to the ClientAuthority's obligations under the Data Protection Legislation; provide the Client Authority with full cooperation co-operation and assistance in relation to any complaint or request made relating to the Client’s Personal Datamade, including by: providing the Client Authority with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the ClientAuthority's instructions; providing the Client Authority with any Client’s Personal Data it holds in relation to a Data Subject (Subject, within the timescales required by the Client)Authority; and providing the Client Authority with any information requested by the ClientAuthority; permit or procure permission for ‫permit the Client or the Client’s Representative Authority (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the SolicitorContractor's data Processing activities (and/or those of its agents and Sub-ContractorsPersonnel) and comply with all reasonable requests or directions by the Client Authority to enable the Client Authority to verify and/or procure that the Solicitor Contractor is in full compliance with its obligations under the Contract; provide a written description of the technical and organisational methods employed by the Solicitor Contractor for Processing the Client’s processing Personal Data (within the timescales required by the ClientAuthority); and not ‫not Process or otherwise transfer any Client’s Personal Data outside the European Economic Area without the prior written consent of the Client which may be given on such terms as Authority and, where the Client Authority consents to a transfer, to comply with: ‫the obligations of a Data Controller under the Eighth Data Protection Principle set out in its discretion thinks fitSchedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and any reasonable instructions notified to it by the Authority. The Solicitor ‫The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Client Authority to breach any of its applicable obligations under the Data Protection Legislation. Freedom of Information The Solicitor Contractor acknowledges that, in that the event that it breaches (or attempts or threatens to breach) its obligations relating Authority is subject to the Client’s Personal Data that requirements of the Client may be irreparably harmed (including harm Code of Practice on Government Information, FOIA and the Environmental Information Regulations and shall assist and co-operate with the Authority to its reputation). In such circumstances, enable the Client may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach). In the event that through any failure by the Solicitor Authority to comply with its obligations Information disclosure obligations. The Contractor shall and shall procure that its sub-contractors shall: transfer to the Authority all Requests for Information that it receives as soon as practicable and in any event within two Working Days of receiving a Request for Information; provide the Authority with a copy of all Information in its possession, or power in the form that the Authority requires within five Working Days (or such other period as the Authority may specify) of the Authority's request; and provide all necessary assistance as reasonably requested by the Authority to enable the Authority to respond to the Request for Information within the time for compliance set out in section 10 of the FOIA or regulation 5 of the Environmental Information Regulations. ‫The Authority shall be responsible for determining in its absolute discretion and notwithstanding any other provision in the Contract or any other agreement whether the Commercially Sensitive Information and/or any other Information is exempt from disclosure in accordance with the provisions of the Code of Practice on Government Information, FOIA or the Environmental Information Regulations. In no event shall the Contractor respond directly to a Request for Information unless expressly authorised to do so by the Authority. The Contractor acknowledges that (notwithstanding the provisions of this clause 19) the Authority may be obliged under the ContractFOIA, Client’s Personal Data is transmitted or Processed in connection the Environmental Information Regulations to disclose information concerning the Contractor or the Services: ‫in certain circumstances without consulting the Contractor; or following consultation with the Contract is either lost or sufficiently degraded so as to be unusable, the Solicitor shall be liable for the cost of reconstitution of that data Contractor and shall reimburse the Client in respect of any charge levied for its transmission and any other costs charged in connection with such failure by the Solicitor.having taken their views into account;

Protection of Personal Data. With respect to the Parties' rights and obligations under the Contract, the Parties agree that the Client Authority is the Data Controller and that the Solicitor Contractor is the Data Processor in relation to the Client’s Personal DataProcessor. The Solicitor Contractor shall: Process the Client’s Personal Data only in accordance with instructions from the Client Authority (which may be specific instructions or instructions of a general nature as set out in the Contract or as otherwise notified by the Client Authority to the Solicitor Contractor during the term Contract Period) and the Contractor shall at the very least comply with the provisions of the Contract)Information Security Schedule; Process the Client’s Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect the Client’s Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Client’s Personal Data and having regard to the nature of the Client’s Personal Data which is to be protectedprotected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security); take reasonable steps to ensure the reliability of all members of the Solicitorany Contractor’s Staff Personnel who have access to the Client’s Personal Data; obtain the Client’s prior written approval consent from the Authority in order to transfer all or any of the Client’s Personal Data to any Subsub-Contractors contractors or affiliates for the provision of the Contract Services; ensure that all members of the SolicitorContractor’s Staff Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 6.1clause 18; ensure that none of the SolicitorContractor’s Staff Personnel publish, disclose or divulge any of the Client’s Personal Data to any third party unless directed in writing to do so by the ClientAuthority; notify the Client Authority (within five (5Working Days) Working Days if the Solicitor it receives: a request from a Data Subject to have access to the Client’s Personal Data relating to that person; or a complaint or request relating to the Client's obligations under the Data Protection Legislation; provide the Client with full cooperation and assistance in relation to any complaint or request made relating to the Client’s Personal Data, including by: providing the Client with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Client's instructions; providing the Client with any Client’s Personal Data it holds in relation to a Data Subject (within the timescales required by the Client); and providing the Client with any information requested by the Client; permit or procure permission for the Client or the Client’s Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, the Solicitor's data Processing activities (and/or those of its agents and Sub-Contractors) and comply with all reasonable requests or directions by the Client to enable the Client to verify and/or procure that the Solicitor is in full compliance with its obligations under the Contract; provide a written description of the technical and organisational methods employed by the Solicitor for Processing the Client’s Personal Data (within the timescales required by the Client); and not Process or otherwise transfer any Client’s Personal Data outside the European Economic Area without the prior written consent of the Client which may be given on such terms as the Client in its discretion thinks fit. The Solicitor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Client to breach any of its applicable obligations under the Data Protection Legislation. The Solicitor acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to the Client’s Personal Data that the Client may be irreparably harmed (including harm to its reputation). In such circumstances, the Client may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach). In the event that through any failure by the Solicitor to comply with its obligations under the Contract, Client’s Personal Data is transmitted or Processed in connection with the Contract is either lost or sufficiently degraded so as to be unusable, the Solicitor shall be liable for the cost of reconstitution of that data and shall reimburse the Client in respect of any charge levied for its transmission and any other costs charged in connection with such failure by the Solicitor.:

Protection of Personal Data. With respect to the Parties' rights and obligations under the Contract, the Parties agree that the Client Customer is the Data Controller and that the Solicitor Supplier is the Data Processor in relation to the ClientCustomer’s Personal Data. The Solicitor Supplier shall: Process the ClientCustomer’s Personal Data only in accordance with instructions from the Client Customer (which may be specific instructions or instructions of a general nature as set out in the Contract or as otherwise notified by the Client Customer to the Solicitor Supplier during the term of the Contract); Process the ClientCustomer’s Personal Data only to the extent, and in such manner, as is necessary for the provision of the Contract Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect the ClientCustomer’s Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the ClientCustomer’s Personal Data and having regard to the nature of the ClientCustomer’s Personal Data which is to be protected; take reasonable steps to ensure the reliability of all members of the SolicitorSupplier’s Staff who have access to the ClientCustomer’s Personal Data; obtain the ClientCustomer’s prior written approval in order to transfer all or any of the ClientCustomer’s Personal Data to any Sub-Contractors for the provision of the Contract Services; ensure that all members of the SolicitorSupplier’s Staff required to access the Customer’s Personal Data are informed of the confidential nature of the Customer’s Personal Data and comply with the obligations set out in this Clause 6.1; ensure that none of the SolicitorSupplier’s Staff publish, disclose or divulge any of the ClientCustomer’s Personal Data to any third party unless directed in writing to do so by the ClientCustomer; notify the Client Customer within five (5) Working Days if the Solicitor Supplier receives: a request from a Data Subject to have access to the ClientCustomer’s Personal Data relating to that person; or a complaint or request relating to the ClientCustomer's obligations under the Data Protection Legislation; provide the Client Customer with full cooperation and assistance in relation to any complaint or request made relating to the ClientCustomer’s Personal Data, including by: providing the Client Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the ClientCustomer's instructions; providing the Client Customer with any ClientCustomer’s Personal Data it holds in relation to a Data Subject (within the timescales required by the ClientCustomer); and providing the Client Customer with any information requested by the ClientCustomer; permit or procure permission for the Client or Customer and/or the ClientCustomer’s Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, the SolicitorSupplier's data Processing activities (and/or and / or those of its agents and Sub-Contractors) and comply with all reasonable requests or directions by the Client Customer to enable the Client Customer to verify and/or and / or procure that the Solicitor Supplier is in full compliance with its obligations under the Contract; provide a written description of the technical and organisational methods employed by the Solicitor Supplier for Processing the ClientCustomer’s Personal Data (within the timescales required by the ClientCustomer); and not Process or otherwise transfer any ClientCustomer’s Personal Data outside the European Economic Area without the prior written consent of the Client Customer which may be given on such terms as the Client Customer in its discretion thinks fit. The Solicitor Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Client Customer to breach any of its applicable obligations under the Data Protection Legislation. The Solicitor Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to the ClientCustomer’s Personal Data that the Client Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Client Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach). In the event that through any failure by the Solicitor Supplier to comply with its obligations under the Contract, ClientCustomer’s Personal Data is transmitted or Processed in connection with the Contract is either lost or sufficiently degraded so as to be unusable, the Solicitor Supplier shall be liable for the cost of reconstitution of that data and shall reimburse the Client Customer in respect of any charge levied for its transmission and any other costs charged in connection with such failure by the SolicitorSupplier.

Protection of Personal Data. With respect to the Parties' rights and obligations under the Contract, the Parties agree that the Client Authority is the Data Controller and that the Solicitor Contractor is the Data Processor in relation to the Client’s Personal DataProcessor. The Solicitor Contractor shall: Process the Client’s Personal Data only in accordance with instructions from the Client Authority (which may be specific instructions or instructions of a general nature as set out in the Contract or as otherwise notified by the Client Authority to the Solicitor Contractor during the term Contract Period) and the Contractor shall at the very least comply with the provisions of the Contract)Information Security Schedule; Process the Client’s Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect the Client’s Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Client’s Personal Data and having regard to the nature of the Client’s Personal Data which is to be protectedprotected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security); take reasonable steps to ensure the reliability of all members of the Solicitorany Contractor’s Staff Personnel who have access to the Client’s Personal Data; obtain the Client’s prior written approval consent from the Authority in order to transfer all or any of the Client’s Personal Data to any Subsub-Contractors contractors or affiliates for the provision of the Contract Services; ensure that all members of the SolicitorContractor’s Staff Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 6.1clause 18; ensure that none of the SolicitorContractor’s Staff Personnel publish, disclose or divulge any of the Client’s Personal Data to any third party unless directed in writing to do so by the ClientAuthority; notify the Client Authority (within five (5Working Days) Working Days if the Solicitor it receives: a request from a Data Subject to have access to the Client’s Personal Data relating to that person's Personal Data; or a complaint or request relating to the ClientAuthority's obligations under the Data Protection Legislation; provide the Client Authority with full cooperation co-operation and assistance in relation to any complaint or request made relating to the Client’s Personal Datamade, including by: providing the Client Authority with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the ClientAuthority's instructions; providing the Client Authority with any Client’s Personal Data it holds in relation to a Data Subject (Subject, within the timescales required by the Client)Authority; and providing the Client Authority with any information requested by the ClientAuthority; permit or procure permission for ‫permit the Client or the Client’s Representative Authority (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the SolicitorContractor's data Processing activities (and/or those of its agents and Sub-ContractorsPersonnel) and comply with all reasonable requests or directions by the Client Authority to enable the Client Authority to verify and/or procure that the Solicitor Contractor is in full compliance with its obligations under the Contract; provide a written description of the technical and organisational methods employed by the Solicitor Contractor for Processing the Client’s processing Personal Data (within the timescales required by the ClientAuthority); and not ‫not Process or otherwise transfer any Client’s Personal Data outside the European Economic Area without the prior written consent of the Client which may be given on such terms as Authority and, where the Client Authority consents to a transfer, to comply with: ‫the obligations of a Data Controller under the Eighth Data Protection Principle set out in its discretion thinks fitSchedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and any reasonable instructions notified to it by the Authority. The Solicitor ‫The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Client Authority to breach any of its applicable obligations under the Data Protection Legislation. Freedom of Information The Solicitor Contractor acknowledges that, in that the event that it breaches (or attempts or threatens to breach) its obligations relating Authority is subject to the Client’s Personal Data that requirements of the Client may be irreparably harmed (including harm Code of Practice on Government Information, FOIA and the Environmental Information Regulations and shall assist and co-operate with the Authority to its reputation). In such circumstances, enable the Client may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach). In the event that through any failure by the Solicitor Authority to comply with its Information disclosure obligations. The Contractor shall and shall procure that its sub-contractors shall: transfer to the Authority all Requests for Information that it receives as soon as practicable and in any event within two Working Days of receiving a Request for Information; provide the Authority with a copy of all Information in its possession, or power in the form that the Authority requires within five Working Days (or such other period as the Authority may specify) of the Authority's request; and provide all necessary assistance as reasonably requested by the Authority to enable the Authority to respond to the Request for Information within the time for compliance set out in section 10 of the FOIA or regulation 5 of the Environmental Information Regulations. ‫The Authority shall be responsible for determining in its absolute discretion and notwithstanding any other provision in the Contract or any other agreement whether the Commercially Sensitive Information and/or any other Information is exempt from disclosure in accordance with the provisions of the Code of Practice on Government Information, FOIA or the Environmental Information Regulations. In no event shall the Contractor respond directly to a Request for Information unless expressly authorised to do so by the Authority. The Contractor acknowledges that (notwithstanding the provisions of this clause 19) the Authority may be obliged under the FOIA, or the Environmental Information Regulations to disclose information concerning the Contractor or the Services: ‫in certain circumstances without consulting the Contractor; or following consultation with the Contractor and having taken their views into account; ‫provided always that where clause 19.5.1 applies the Authority shall take reasonable steps, where appropriate, to give the Contractor advanced notice, or failing that, to draw the disclosure to the Contractor’s attention after any such disclosure. ‫The Contractor shall ensure that all Information is retained for disclosure and shall permit the Authority to inspect such records as requested from time to time. ‫Confidentiality ‫ The Parties acknowledge that, except for any information which is exempt from disclosure in accordance with the provisions of the FOIA , the content of this Contract is not Confidential Information. The Authority shall be responsible for determining in its absolute discretion whether any of the content of the Contract is exempt from disclosure in accordance with the provisions of the FOIA. Notwithstanding any other term of this Contract, the Contractor hereby gives consent for the Authority to publish the Contract in its entirety (but with any information which is exempt from disclosure in accordance with the provisions of the FOIA redacted), including from time to time agreed changes to the Contract, to the general public. The Contractor shall assist and cooperate with the Authority to enable the Authority to publish this Contract. Prior to publication the Authority may, at its sole discretion, in whole or in part, redact information for one or more of the following grounds: national security; personal data; information protected by intellectual property law; information which it is not in the public interest to disclose (under a Freedom of Information Act analysis) third party confidential information; IT security; or prevention of fraud ‫Except to the extent set out in this clause or where disclosure is expressly permitted elsewhere in the Contract, each Party shall: ‫treat the other Party's Confidential Information as confidential and safeguard it accordingly; and not disclose the other Party's Confidential Information to any other person without the owner's prior written consent. Clause 20.2 shall not apply to the extent that: such disclosure is a requirement of Law placed upon the Party making the disclosure, including any requirements for disclosure under the FOIA, Code of Practice on Access to Government Information or the Environmental Information Regulations pursuant to clause 19; such information was in the possession of the Party making the disclosure without obligation of confidentiality prior to its disclosure by the information owner; such information was obtained from a third party without obligation of confidentiality; such information was already in the public domain at the time of disclosure otherwise than by a breach of the Contract; or it is independently developed without access to the other Party's Confidential Information. ‫The Contractor may only disclose the Authority's Confidential Information to the Contractor’s Personnel who are directly involved in the provision of the Goods or Services any of the Authority’s Confidential Information and need to know, and shall ensure that the Contractor’s Personnel are aware of and shall comply with this clause 20. The Contractor shall not, and shall procure that the Contractor’s Personnel do not, use any of the Authority's Confidential Information received otherwise than for the purposes of the Contract. At the written request of the Authority, the Contractor shall procure that those members of the Contractor’s Personnel identified in the Authority's notice sign a confidentiality undertaking on similar terms to the Contract prior to commencing any work in accordance with the Contract. Nothing in the Contract shall prevent the Authority from disclosing the Contractor's Confidential Information (including the Management Information obtained under clause 24): ‫to any Crown Body or any other Contracting Authority on the understanding that they shall be entitled to further disclose the Confidential Information to other Crown Bodies or other Contracting Authorities on the basis that the information is confidential and is not to be disclosed to a third party which is not part of any Crown Body or any Contracting Authority; to any consultant, contractor or other person engaged by the Authority or any person conducting an Office of Government Commerce gateway review; for the purpose of the examination and certification of the Authority's accounts; or for any examination pursuant to Section 6(1) of the National Audit Xxx 0000 of the economy, efficiency and effectiveness with which the Authority has used its resources. ‫The Authority shall use all reasonable endeavours to ensure that any government department, Contracting Authority, employee, third party or sub-contractor to whom the Contractor's Confidential Information is disclosed pursuant to clause 20.7 is made aware of the Authority's obligations of confidentiality. Nothing in this clause 20 shall prevent either Party from using any techniques, ideas or know-how gained during the performance of the Contract in the course of its normal business to the extent that this use does not result in a disclosure of the other Party's Confidential Information or an infringement of IPR. Official Secrets Acts 1911 to 1989, Section 182 of the Finance Xxx 0000 The Contractor undertakes to abide by, and ensure that its Personnel abide by, the provisions of:- ‫ ‫the Official Secrets Acts 1911 to 1989; and Section 182 of the Finance Xxx 0000. ‫In the event that the Contractor and its Personnel fail to comply with this clause, the Authority reserves the right to terminate the Contract by giving notice in writing to the Contractor. Publicity, Media and Official Enquiries Without prejudice to the Authority’s obligations under the ContractFOIA, Client’s Personal Data is transmitted neither Party shall make any press announcements or Processed publicise the Contract or any part thereof in connection any way, except with the Contract is either lost written consent of the other Party. Both Parties shall take reasonable steps to ensure that their Personnel comply with clause 22.1. Intellectual Property Rights Intellectual Property Rights in any guidance, specifications, instructions, toolkits, plans, data, drawings, databases, patents, patterns, models, designs or sufficiently degraded so as other material (the "IP Materials"): ‫furnished or made available to be unusable, the Solicitor Contractor by or on behalf of the Authority shall be liable remain the property of the Authority; and prepared by or for the cost Contractor on behalf of reconstitution the Authority for use, or intended use, in relation to the performance by the Contractor of that data its obligations under the Contract shall belong to the Authority; ‫and the Contractor shall not, and shall reimburse procure that the Client Contractor’s Personnel shall not, (except when necessary for the performance of the Contract) without prior Approval, use or disclose any such Intellectual Property Rights in respect of any charge levied for its transmission and any other costs charged in connection with such failure by the SolicitorIP Materials.

Protection of Personal Data. With respect to the Partiesparties' rights and obligations under the this Contract, the Parties parties agree that the Client Customer is the Data Controller and that the Solicitor Supplier is the Data Processor in relation to the Client’s Personal DataProcessor. The Solicitor Supplier shall: Process the Client’s Personal Data only in accordance with instructions from the Client Customer (which may be specific instructions or instructions of a general nature as set out in the this Contract or as otherwise notified by the Client Customer to the Solicitor Supplier during the term of the ContractContract Period); Process the Client’s Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect the Client’s Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Client’s Personal Data and having regard to the nature of the Client’s Personal Data which is to be protected; take reasonable steps to ensure the reliability of all members of the Solicitor’s any Staff who have access to the Client’s Personal Data; obtain the Client’s prior written approval Approval in order to transfer all or any of the Client’s Personal Data to any Sub-Contractors Sub‑contractors or Affiliates for the provision of the Contract Services; ensure that all members of the Solicitor’s Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 6.1clause 19.5; ensure that none of the Solicitor’s Staff publish, disclose or divulge any of the Client’s Personal Data to any third party unless directed in writing to do so by the ClientCustomer; notify the Client Customer (within five (5) Working Days Days) if the Solicitor it receives: a request from a Data Subject to have access to the Client’s Personal Data relating to that person's Personal Data; or a complaint or request relating to the ClientCustomer's obligations under the Data Protection Legislation; provide the Client Customer with full cooperation and assistance in relation to any complaint or request made relating to the Client’s Personal Datamade, including by: providing the Client Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the ClientCustomer's instructions; providing the Client Customer with any Client’s Personal Data it holds in relation to a Data Subject (within the timescales required by the ClientCustomer); and providing the Client Customer with any information requested by the ClientCustomer; permit or procure permission for the Client Customer or the Client’s Customer Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, the SolicitorSupplier's data Processing activities (and/or those of its agents agents, subsidiaries and Sub-ContractorsSub‑contractors) and comply with all reasonable requests or directions by the Client Customer to enable the Client Customer to verify and/or procure that the Solicitor Supplier is in full compliance with its obligations under the this Contract; provide a written description of the technical and organisational methods employed by the Solicitor Supplier for Processing the Client’s processing Personal Data (within the timescales required by the ClientCustomer); and not Process or otherwise transfer any ClientPersonal Data outside the European Economic Area. If, after the Commencement Date, the Supplier (or any Sub‑contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply: the Supplier shall submit a request for Variation to the Customer which shall be dealt with in accordance with the Variation Procedure and paragraphs 19.5.2.12(b) to 19.5.2.12(d) below; the Supplier shall set out in its request for a Variation details of the following: the Personal Data which will be Processed and/or transferred outside the European Economic Area; the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area; any Sub‑contractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area; and how the Supplier will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Customer’s compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Contract or a separate data processing agreement between the parties; and procuring that any Sub‑contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area without enters into a direct data processing agreement with the prior written consent of the Client which may be given Customer on such terms as may be required by the Client in its discretion thinks fitCustomer, which the Supplier acknowledges may include the incorporation of standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation). The Solicitor Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the this Contract in such a way as to cause the Client Customer to breach any of its applicable obligations under the Data Protection Legislation. The Solicitor acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to the Client’s Personal Data that the Client may be irreparably harmed (including harm to its reputation). In such circumstances, the Client may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach). In the event that through any failure by the Solicitor to comply with its obligations under the Contract, Client’s Personal Data is transmitted or Processed in connection with the Contract is either lost or sufficiently degraded so as to be unusable, the Solicitor shall be liable for the cost of reconstitution of that data and shall reimburse the Client in respect of any charge levied for its transmission and any other costs charged in connection with such failure by the Solicitor.

Protection of Personal Data. With respect to the Parties' rights and obligations under the Contract, the Parties agree that the Client is the Data Controller and that the Solicitor is the Data Processor in relation to the Client’s Personal Data. The Solicitor shall: Process the Client’s Personal Data only in accordance with instructions from the Client (which may be specific instructions or instructions of a general nature as set out in the Contract or as otherwise notified by the Client to the Solicitor during the term of the Contract); Process the Client’s Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect the Client’s Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Client’s Personal Data and having regard to the nature of the Client’s Personal Data which is to be protected; take reasonable steps to ensure the reliability of all members of the Solicitor’s Staff who have access to the Client’s Personal Data; obtain the Client’s prior written approval in order to transfer all or any of the Client’s Personal Data to any Sub-Contractors for the provision of the Contract Services; ensure that all members of the Solicitor’s Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 6.1; ensure that none of the Solicitor’s Staff publish, disclose or divulge any of the Client’s Personal Data to any third party unless directed in writing to do so by the Client; notify the Client within five (5) Working Days if the Solicitor receives: a request from a Data Subject to have access to the Client’s Personal Data relating to that person; or a complaint or request relating to the Client's obligations under the Data Protection Legislation; provide the Client with full cooperation and assistance in relation to any complaint or request made relating to the Client’s Personal Data, including by: providing the Client with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Client's instructions; providing the Client with any Client’s Personal Data it holds in relation to a Data Subject (within the timescales required by the Client); and providing the Client with any information requested by the Client; permit or procure permission for the Client or the Client’s Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, the Solicitor's data Processing activities (and/or those of its agents and Sub-Contractors) and comply with all reasonable requests or directions by the Client to enable the Client to verify and/or procure that the Solicitor is in full compliance with its obligations under the Contract; provide a written description of the technical and organisational methods employed by the Solicitor for Processing the Client’s Personal Data (within the timescales required by the Client); and not Process or otherwise transfer any Client’s Personal Data outside the European Economic Area without the prior written consent of the Client which may be given on such terms as the Client in its discretion thinks fit. The Solicitor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Client to breach any of its applicable obligations under the Data Protection Legislation. The Solicitor acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to the Client’s Personal Data that Data, the Client may be irreparably harmed (including harm to its reputation). In such circumstances, the Client may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach). In the event that through any failure by the Solicitor to comply with its obligations under the Contract, Client’s Personal Data is transmitted or Processed in connection with the Contract is either lost or sufficiently degraded so as to be unusable, the Solicitor shall be liable for the cost of reconstitution of that data and shall reimburse the Client in respect of any charge levied for its transmission and any other costs charged in connection with such failure by the Solicitor.

Protection of Personal Data. With respect to the Parties' rights and obligations under the Contract, the Parties agree that the Client Authority is the Data Controller and that the Solicitor Contractor is the Data Processor in relation to the Client’s Personal DataProcessor. The Solicitor Contractor shall: Process the Client’s Personal Data only in accordance with instructions from the Client Authority (which may be specific instructions or instructions of a general nature as set out in the Contract or as otherwise notified by the Client Authority to the Solicitor Contractor during the term Contract Period) and the Contractor shall at the very least comply with the provisions of the Contract)Information Security Schedule; Process the Client’s Personal Data only to the extent, and in such manner, as is necessary for the provision of the Goods or Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect the Client’s Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Client’s Personal Data and having regard to the nature of the Client’s Personal Data which is to be protectedprotected and in any event the measures shall not be of a lesser standard than that set out in Schedule E (Information Security); take reasonable steps to ensure the reliability of all members of the Solicitorany Contractor’s Staff Personnel who have access to the Client’s Personal Data; obtain the Client’s prior written approval consent from the Authority in order to transfer all or any of the Client’s Personal Data to any Subsub-Contractors contractors or affiliates for the provision of the Contract Services; ensure that all members of the SolicitorContractor’s Staff Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 6.1clause 18; ensure that none of the SolicitorContractor’s Staff Personnel publish, disclose or divulge any of the Client’s Personal Data to any third party unless directed in writing to do so by the ClientAuthority; notify the Client Authority (within five (5Working Days) Working Days if the Solicitor it receives: a request from a Data Subject to have access to the Client’s Personal Data relating to that person's Personal Data; or a complaint or request relating to the ClientAuthority's obligations under the Data Protection Legislation; provide the Client Authority with full cooperation co-operation and assistance in relation to any complaint or request made relating to the Client’s Personal Datamade, including by: providing the Client Authority with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the ClientAuthority's instructions; providing the Client Authority with any Client’s Personal Data it holds in relation to a Data Subject (Subject, within the timescales required by the Client)Authority; and providing the Client Authority with any information requested by the ClientAuthority; permit or procure permission for ‫‍permit the Client or the Client’s Representative Authority (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 25, the SolicitorContractor's data Processing activities (and/or those of its agents and Sub-ContractorsPersonnel) and comply with all reasonable requests or directions by the Client Authority to enable the Client Authority to verify and/or procure that the Solicitor Contractor is in full compliance with its obligations under the Contract; provide a written description of the technical and organisational methods employed by the Solicitor Contractor for Processing the Client’s processing Personal Data (within the timescales required by the ClientAuthority); and not ‫‍not Process or otherwise transfer any Client’s Personal Data outside the European Economic Area without the prior written consent of the Client which may be given on such terms as Authority and, where the Client Authority consents to a transfer, to comply with: ‫‍the obligations of a Data Controller under the Eighth Data Protection Principle set out in its discretion thinks fitSchedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and any reasonable instructions notified to it by the Authority. The Solicitor ‫‍The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Contract in such a way as to cause the Client Authority to breach any of its applicable obligations under the Data Protection Legislation. Freedom of Information The Solicitor Contractor acknowledges that, in that the event that it breaches (or attempts or threatens to breach) its obligations relating Authority is subject to the Client’s Personal Data that requirements of the Client may be irreparably harmed (including harm Code of Practice on Government Information, FOIA and the Environmental Information Regulations and shall assist and co-operate with the Authority to its reputation). In such circumstances, enable the Client may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach). In the event that through any failure by the Solicitor Authority to comply with its Information disclosure obligations. The Contractor shall and shall procure that its sub-contractors shall: transfer to the Authority all Requests for Information that it receives as soon as practicable and in any event within two Working Days of receiving a Request for Information; provide the Authority with a copy of all Information in its possession, or power in the form that the Authority requires within five Working Days (or such other period as the Authority may specify) of the Authority's request; and provide all necessary assistance as reasonably requested by the Authority to enable the Authority to respond to the Request for Information within the time for compliance set out in section 10 of the FOIA or regulation 5 of the Environmental Information Regulations. ‫‍The Authority shall be responsible for determining in its absolute discretion and notwithstanding any other provision in the Contract or any other agreement whether the Commercially Sensitive Information and/or any other Information is exempt from disclosure in accordance with the provisions of the Code of Practice on Government Information, FOIA or the Environmental Information Regulations. In no event shall the Contractor respond directly to a Request for Information unless expressly authorised to do so by the Authority. The Contractor acknowledges that (notwithstanding the provisions of this clause 19) the Authority may be obliged under the FOIA, or the Environmental Information Regulations to disclose information concerning the Contractor or the Services: ‫‍in certain circumstances without consulting the Contractor; or following consultation with the Contractor and having taken their views into account; ‫‍provided always that where clause 19.5.1 applies the Authority shall take reasonable steps, where appropriate, to give the Contractor advanced notice, or failing that, to draw the disclosure to the Contractor’s attention after any such disclosure. ‫‍The Contractor shall ensure that all Information is retained for disclosure and shall permit the Authority to inspect such records as requested from time to time. ‫‍Confidentiality ‫‍ The Parties acknowledge that, except for any information which is exempt from disclosure in accordance with the provisions of the FOIA, the content of this Contract is not Confidential Information. The Authority shall be responsible for determining in its absolute discretion whether any of the content of the Contract is exempt from disclosure in accordance with the provisions of the FOIA. Notwithstanding any other term of this Contract, the Contractor hereby gives consent for the Authority to publish the Contract in its entirety (but with any information which is exempt from disclosure in accordance with the provisions of the FOIA redacted), including from time to time agreed changes to the Contract, to the general public. The Contractor shall assist and cooperate with the Authority to enable the Authority to publish this Contract. Prior to publication the Authority may, at its sole discretion, in whole or in part, redact information for one or more of the following grounds: national security; personal data; information protected by intellectual property law; information which it is not in the public interest to disclose (under a Freedom of Information Act analysis) third party confidential information; IT security; or prevention of fraud ‫‍Except to the extent set out in this clause or where disclosure is expressly permitted elsewhere in the Contract, each Party shall: ‫‍treat the other Party's Confidential Information as confidential and safeguard it accordingly; and not disclose the other Party's Confidential Information to any other person without the owner's prior written consent. Clause 20.2 shall not apply to the extent that: such disclosure is a requirement of Law placed upon the Party making the disclosure, including any requirements for disclosure under the FOIA, Code of Practice on Access to Government Information or the Environmental Information Regulations pursuant to clause 19; such information was in the possession of the Party making the disclosure without obligation of confidentiality prior to its disclosure by the information owner; such information was obtained from a third party without obligation of confidentiality; such information was already in the public domain at the time of disclosure otherwise than by a breach of the Contract; or it is independently developed without access to the other Party's Confidential Information. ‫‍The Contractor may only disclose the Authority's Confidential Information to the Contractor’s Personnel who are directly involved in the provision of the Goods or Services any of the Authority’s Confidential Information and need to know, and shall ensure that the Contractor’s Personnel are aware of and shall comply with this clause 20. The Contractor shall not, and shall procure that the Contractor’s Personnel do not, use any of the Authority's Confidential Information received otherwise than for the purposes of the Contract. At the written request of the Authority, the Contractor shall procure that those members of the Contractor’s Personnel identified in the Authority's notice sign a confidentiality undertaking on similar terms to the Contract prior to commencing any work in accordance with the Contract. Nothing in the Contract shall prevent the Authority from disclosing the Contractor's Confidential Information (including the Management Information obtained under clause 24): ‫‍to any Crown Body or any other Contracting Authority on the understanding that they shall be entitled to further disclose the Confidential Information to other Crown Bodies or other Contracting Authorities on the basis that the information is confidential and is not to be disclosed to a third party which is not part of any Crown Body or any Contracting Authority; to any consultant, contractor or other person engaged by the Authority or any entity specified in clause 20.7.1 (including any benchmarking organisation) for any purpose relating to or connected with this Contract, including for the avoidance of doubt any person conducting a Gateway review; to Parliament and Parliamentary Committees or if required by any Parliamentary reporting requirement; to the extent that the Authority (acting reasonably) deems disclosure necessary or appropriate in the course of carrying out its public functions or for the purpose of the exercise of its rights under this Contract; on a confidential basis to a proposed successor body in connection with any assignment, novation or disposal of any of its rights, obligations or liabilities under this Contract for the purpose of the examination and certification of the Authority's accounts; or for any examination pursuant to Section 6(1) of the National Audit Act 1983 of the economy, efficiency and effectiveness with which the Authority has used its resources. ‫‍The Authority shall use all reasonable endeavours to ensure that any government department, Contracting Authority, employee, third party or sub-contractor to whom the Contractor's Confidential Information is disclosed pursuant to clause 20.7 is made aware of the Authority's obligations of confidentiality. Nothing in this clause 20 shall prevent either Party from using any techniques, ideas or know-how gained during the performance of the Contract in the course of its normal business to the extent that this use does not result in a disclosure of the other Party's Confidential Information or an infringement of IPR. Official Secrets Acts 1911 to 1989, Section 182 of the Finance Act 1989 The Contractor undertakes to abide by, and ensure that its Personnel abide by, the provisions of:- ‫‍ ‫‍the Official Secrets Acts 1911 to 1989; and Section 182 of the Finance Act 1989. ‫‍In the event that the Contractor and its Personnel fail to comply with this clause, the Authority reserves the right to terminate the Contract by giving notice in writing to the Contractor. Publicity, Media and Official Enquiries Without prejudice to the Authority’s obligations under the ContractFOIA, Client’s Personal Data is transmitted neither Party shall make any press announcements or Processed publicise the Contract or any part thereof in connection any way, except with the Contract is either lost written consent of the other Party. Both Parties shall take reasonable steps to ensure that their Personnel comply with clause 22.1. Intellectual Property Rights Intellectual Property Rights in any guidance, specifications, instructions, toolkits, plans, data, drawings, databases, patents, patterns, models, designs or sufficiently degraded so as other material (the "IP Materials"): ‫‍furnished or made available to be unusable, the Solicitor Contractor by or on behalf of the Authority shall be liable remain the property of the Authority; and prepared by or for the cost Contractor on behalf of reconstitution the Authority for use, or intended use, in relation to the performance by the Contractor of that data its obligations under the Contract shall belong to the Authority; ‫‍and the Contractor shall not, and shall reimburse procure that the Client Contractor’s Personnel shall not, (except when necessary for the performance of the Contract) without prior Approval, use or disclose any such Intellectual Property Rights in respect of any charge levied for its transmission and any other costs charged in connection with such failure by the SolicitorIP Materials.

Protection of Personal Data. With respect to the Parties' rights and obligations under the Legal Services Contract, the Parties agree that the Client Customer is the Data Controller and that the Solicitor Supplier is the Data Processor in relation to the ClientCustomer’s Personal Data. The Solicitor Supplier shall: Process the ClientCustomer’s Personal Data only in accordance with instructions from the Client Customer (which may be specific instructions or instructions of a general nature as set out in the Legal Services Contract or as otherwise notified by the Client Customer to the Solicitor Supplier during the term Term of the Legal Services Contract); Process the ClientCustomer’s Personal Data only to the extent, and in such manner, as is necessary for the provision of the Ordered Panel Services or as is required by Law or any Regulatory Bodyregulatory body; implement appropriate technical and organisational measures to protect the ClientCustomer’s Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the ClientCustomer’s Personal Data and having regard to the nature of the ClientCustomer’s Personal Data which is to be protected; take reasonable steps to ensure the reliability of all members of the SolicitorSupplier’s Staff Personnel who have access to the ClientCustomer’s Personal Data; obtain the Client’s prior written approval Approval in order to transfer all or any of the ClientCustomer’s Personal Data to any Sub-Contractors for the provision of the Contract Services; ensure that all members of the SolicitorSupplier’s Staff Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 6.19.1; ensure that none of the SolicitorSupplier’s Staff Personnel publish, disclose or divulge any of the ClientCustomer’s Personal Data to any third party unless directed in writing to do so by the ClientCustomer; notify the Client Customer within five (5) Working Days if the Solicitor Supplier receives: a request from a Data Subject to have access to the ClientCustomer’s Personal Data relating to that person; or a complaint or request relating to the ClientCustomer's obligations under the Data Protection Legislation; provide the Client Customer with full cooperation and assistance in relation to any complaint or request made relating to the ClientCustomer’s Personal Data, including by: providing the Client Customer with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the ClientCustomer's instructions; providing the Client Customer with any ClientCustomer’s Personal Data it holds in relation to a Data Subject (within the timescales required by the ClientCustomer); and providing the Client Customer with any information requested by the ClientCustomer; permit or procure permission for the Client Customer or the ClientCustomer’s Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, the SolicitorSupplier's data Processing activities (and/or those of its agents and Sub-Contractors) and comply with all reasonable requests or directions by the Client Customer to enable the Client Customer to verify and/or procure that the Solicitor Supplier is in full compliance with its obligations under the Legal Services Contract; provide a written description of the technical and organisational methods employed by the Solicitor Supplier for Processing the ClientCustomer’s Personal Data (within the timescales required by the ClientCustomer); and not Process or otherwise transfer any ClientCustomer’s Personal Data outside the European Economic Area without the prior written consent of the Client Customer which may be given on such terms as shall have the Client in its discretion thinks fitabsolute right grant (whether conditionally or otherwise) or deny. The Solicitor Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under the Legal Services Contract in such a way as to cause the Client Customer to breach any of its applicable obligations under the Data Protection Legislation. The Solicitor Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to the ClientCustomer’s Personal Data that the Client Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Client Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach). In the event that through any failure by the Solicitor Supplier to comply with its obligations under the Legal Services Contract, ClientCustomer’s Personal Data is transmitted or Processed in connection with the Legal Services Contract is either lost or sufficiently degraded so as to be unusable, the Solicitor Supplier shall be liable for the cost of reconstitution of that data and shall reimburse the Client Customer in respect of any charge levied for its transmission and any other costs charged in connection with such failure by the SolicitorSupplier.