The Supplier shall (a) Process the Personal Data only in accordance with instructions from the Authority to perform its obligations under this Framework Agreement; (b) ensure that at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction, or damage to the Personal Data; (c) not disclose or transfer the Personal Data to any third party or Supplier Personnel unless necessary for the provision of the Goods and/or Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Authority (save where such disclosure or transfer is specifically authorised under this Framework Agreement); (d) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: (i) are aware of and comply with the Supplier’s duties under this Clause 24.5.2 and Clause 24.2 (Confidentiality); (ii) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority or as otherwise permitted by this Framework Agreement; and (iii) have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); (e) notify the Authority within five (5) Working Days if it receives: (i) from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request), a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Authority's obligations under the DPA; (ii) any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or (iii) a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; (f) provide the Authority with full cooperation and assistance (within the timescales reasonably required by the Authority) in relation to any complaint, communication or request made (as referred to at Clause 24.5.2(e), including by promptly providing: (i) the Authority with full details and copies of the complaint, communication or request; (ii) where applicable, such assistance as is reasonably requested by the Authority to enable the Authority to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and (iii) the Authority, on request by the Authority, with any Personal Data it holds in relation to a Data Subject; and (g) if requested by the Authority, provide a written description of the measures that the Supplier has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 24.5.2 and provide to the Authority copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals.