Common use of SECURITY AND TRAINING Clause in Contracts

SECURITY AND TRAINING. 10.1 The Data Discloser shall be responsible for the security of transmission of any Shared Personal Data in transmission to the Data Receiver by using appropriate technical methods. These are detailed below: • Reports will be emailed in password protected Excel format with password disclosure issued in a separate email. 10.2 The Parties agree to implement appropriate technical and organisational measures to protect the Shared Personal Data in their possession against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure, including but not limited to: • Ensuring IT equipment, including portable equipment is kept secure at all time ; • not leaving portable equipment containing the Personal Data unattended; • ensuring that staff use appropriate secure passwords for logging into systems or databases containing the Personal Data; • ensuring that all IT equipment is protected by antivirus software, firewalls, passwords and suitable encryption devices; • In particular ensure that any Sensitive Personal Data is stored and transferred (including where stored or transferred on portable devices or removable media) using industry standard 256-bit AES encryption or suitable equivalent; • limiting access to relevant databases and systems to those of its officers, staff agents and sub- contractors who need to have access to the Personal Data, and ensuring that passwords are changed and updated regularly to prevent inappropriate access when individuals are no longer engaged by the Party; • conducting regular threat assessment or penetration testing on systems. • Ensuring all staff handling Personal Data have been made aware of their responsibilities with regards to handling of Personal Data. • Allowing for inspections and assessments to be undertaken by the other Party in respect of the security measures taken, or producing evidence of those measures if requested. • Conducting regular threat assessment and penetration testing on the systems. 10.3 The Data Receiver shall obtain a commitment of confidentiality from any person it allows to process the Personal Data, unless such persons are already under such a duty by law.

SECURITY AND TRAINING. 10.1 The Data Discloser shall be responsible for the security of transmission of any Shared Personal Data in transmission to the Data Receiver by using appropriate technical methods. These are detailed below: • Reports The University will be emailed only share Shared Personal Data in password protected Excel format compliance with password disclosure issued in a separate email.the IT Regulations and the Information Security Policy 10.2 The Parties agree to implement appropriate technical and organisational measures to protect the Shared Personal Data in their possession against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure, including but not limited to: • o Ensuring IT equipment, including portable equipment is kept secure at all time in lockable areas when unattended; • o not leaving portable equipment containing the Personal Data unattended; • o ensuring that staff use appropriate secure passwords for logging into systems or databases containing the Personal Data; • o ensuring that all IT equipment is protected by antivirus software, firewalls, passwords and suitable encryption devices; • o In particular ensure that any Sensitive Personal Data is stored and transferred (including where stored or transferred on portable devices or removable media) using industry standard 256-256- bit AES encryption or suitable equivalent; • o limiting access to relevant databases and systems to those of its officers, staff agents and sub- contractors subcontractors who need to have access to the Personal Data, and ensuring that passwords are changed and updated regularly to prevent inappropriate access when individuals are no longer engaged by the Party; • o conducting regular threat assessment or penetration testing on systems. • o Ensuring all staff handling Personal Data have been made aware of their responsibilities with regards to handling of Personal Data. • o Allowing for inspections and assessments to be undertaken by the other Party in respect of the security measures taken, or producing evidence of those measures if requested. • Conducting regular threat assessment and penetration testing on the systems. 10.3 The Data Receiver shall obtain a commitment of confidentiality from any person it allows to process the Personal Data, unless such persons are already under such a duty by law.

SECURITY AND TRAINING. 10.1 The Data Discloser shall be responsible for the security of transmission of any Shared Personal Data in transmission to the Data Receiver by using appropriate technical methods. These are detailed below: •  Reports will be emailed in password protected Excel format with password disclosure issued in a separate email. 10.2 The Parties agree to implement appropriate technical and organisational measures to protect the Shared Personal Data in their possession against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure, including but not limited to: •  Ensuring IT equipment, including portable equipment is kept secure at all time ; •  not leaving portable equipment containing the Personal Data unattended; •  ensuring that staff use appropriate secure passwords for logging into systems or databases containing the Personal Data; •  ensuring that all IT equipment is protected by antivirus software, firewalls, passwords and suitable encryption devices; •  In particular ensure that any Sensitive Personal Data is stored and transferred (including where stored or transferred on portable devices or removable media) using industry standard 256-bit AES encryption or suitable equivalent; •  limiting access to relevant databases and systems to those of its officers, staff agents and sub- sub-contractors who need to have access to the Personal Data, and ensuring that passwords are changed and updated regularly to prevent inappropriate access when individuals are no longer engaged by the Party; •  conducting regular threat assessment or penetration testing on systems. •  Ensuring all staff handling Personal Data have been made aware of their responsibilities with regards to handling of Personal Data. •  Allowing for inspections and assessments to be undertaken by the other Party in respect of the security measures taken, or producing evidence of those measures if requested. •  Conducting regular threat assessment and penetration testing on the systems. 10.3 The Data Receiver shall obtain a commitment of confidentiality from any person it allows to process the Personal Data, unless such persons are already under such a duty by law.