Information Handling. 4.1. Both parties are data controllers, and subject to the data protection principles set out in the DPA. Additionally, as part of Her Majesty’s Government, both DfE and HO must process personal data in compliance with both the mandatory requirements set out in Information Assurance Standard 6 and the Security Policy Framework issued by HM Cabinet Office, when handling, transferring, storing, accessing or destroying information assets.
4.2. Each party will expect the other to have taken every reasonable measure to comply with the above standards and may conduct a risk assessment of the exchange against these requirements.
4.3. The exporting party will ensure that data integrity meets their party’s standards, unless more rigorous or higher standards are required and agreed at the information exchange specific MoU stage.
4.4. DfE and HO must ensure effective measures are in place to manage potential or actual incidents as per Cabinet Office guidance, as defined in its Checklist for Managing Potential Loss of Data or Information.
4.5. Without limiting the exporting party’s legal obligations under Data Protection legislation or otherwise, the receiving party will ensure that they: • Only use the information for purposes that are legal under the legal basis on which they received it; • Even where not legally required to do so, will, as a courtesy, notify the exporting party if they are going to use the information for any purpose other than that for which they received it (in the event there is an urgent need to share they will be informed as soon as possible afterwards); • Store data received securely; • Notify the exporting party if they are going to disclose information received from that party to another party or body due to a legal or moral requirement (in the event there is an urgent need to share they will be informed as soon as possible afterwards); • Ensure that only people who have a genuine business need to see that data will have access to it; • Report any data losses, wrongful disclosures or breaches of security relating to information originating in the other party to the designated contacts immediately (within 24 hours of becoming aware). This includes both advising, and consulting with, the other party on the appropriate steps to take, e.g. notification of the Information Commissioner’s Office or dissemination of any information to the data subjects; • Only hold data while there is a business need to keep it and destroy it in line with Government guidelines; and • Regularly review the assessment of risks to information and the effectiveness of measures taken to mitigate risks.
Appears in 2 contracts
Sources: Memorandum of Understanding, Memorandum of Understanding
Information Handling. 4.1. Both Parties are data controllers, and subject to the data protection principles set out in the DPA. Additionally, as part of Her Majesty’s Government, both DfE and HO must process personal data in compliance with both the mandatory requirements set out in Information Assurance Standard 6 and the Security Policy Framework issued by HM Cabinet Office, when handling, transferring, storing, accessing or destroying information assets.
4.2. Each party will expect the other to have taken every reasonable measure to comply with the above standards and may conduct a risk assessment of the exchange against these requirements.
4.3. The exporting party will ensure that data integrity meets their party’s standards, unless more rigorous or higher standards are required and agreed at the information exchange specific MoU stage.
4.4. DfE and HO must ensure effective measures are in place to manage potential or actual incidents as per Cabinet Office guidance, as defined in its Checklist for Managing Potential Loss of Data or Information.
4.5. Without limiting the exporting party’s legal obligations under Data Protection legislation or otherwise, the receiving party will ensure that they: • Only use the information for purposes that are legal under the legal basis on which they received it; • Even where not legally required to do so, will, as a courtesy, notify the exporting party if they are going to use the information for any purpose other than that for which they received it (in the event there is an urgent need to share they will be informed as soon as possible afterwards); • Store data received securely; • Notify the exporting party if they are going to disclose information received from that party to another party or body due to a legal or moral requirement (in the event there is an urgent need to share they will be informed as soon as possible afterwards); • Ensure that only people who have a genuine business need to see that data will have access to it; • Report any data losses, wrongful disclosures or breaches of security relating to information originating in the other party to the designated contacts immediately (within 24 hours of becoming aware). This includes both advising, and consulting with, the other party on the appropriate steps to take, e.g. notification of the Information Commissioner’s Office or dissemination of any information to the data subjects; • Only hold data while there is a business need to keep it and destroy it in line with Government guidelines; and • Regularly review the assessment of risks to information and the effectiveness of measures taken to mitigate risks.
Appears in 2 contracts
Sources: Memorandum of Understanding, Memorandum of Understanding
Information Handling. 4.1. Both parties are data controllers, and subject to the data protection principles set out in the DPA. Additionally, as part of Her Majesty’s Government, both DfE and HO must process personal data in compliance with both the mandatory requirements set out in Information Assurance Standard 6 and the Security Policy Framework issued by HM Cabinet Office, when handling, transferring, storing, accessing or destroying information assets.
4.2. Each party will expect the other to have taken every reasonable measure to comply with the above standards and may conduct a risk assessment of the exchange against these requirements.
4.3. The exporting party will ensure that data integrity meets their party’s standards, unless more rigorous or higher standards are required and agreed at the information exchange specific MoU stage.
4.4. DfE and HO must ensure effective measures are in place to manage potential or actual incidents as per Cabinet Office guidance, as defined in its Checklist for Managing Potential Loss of Data or Information.
4.5. Without limiting the exporting party’s legal obligations under Data Protection legislation or otherwise, the receiving party will ensure that they: • Only use the information for purposes that are legal under the legal basis on which they received it; • Even where not legally required to do so, will, as a courtesy, notify the exporting party if they are going to use the information for any purpose other than that for which they received it (in the event there is an urgent need to share they will be informed as soon as possible afterwards); • Store data received securely; • Notify the exporting party if they are going to disclose information received from that party to another party or body due to a legal or moral requirement (in the event there is an urgent need to share they will be informed as soon as possible afterwards); • Ensure that only people who have a genuine business need to see that data will have access to it; • Report any data losses, wrongful disclosures or breaches of security relating to information originating in the other party to the designated contacts immediately (within 24 hours of becoming aware). This includes both advising, and consulting with, the other party on the appropriate steps to take, e.g. notification of the Information Commissioner’s Office or dissemination of any information to the data subjects; • Only hold data while there is a business need to keep it and destroy it in line with Government guidelines; and • Regularly review the assessment of risks to information and the effectiveness of measures taken to mitigate risks.
Appears in 2 contracts
Sources: Memorandum of Understanding, Memorandum of Understanding
Information Handling. 4.1. Both Departments are data controllers, and subject to the Data Protection Principles set out in the DPA. Additionally as part of Her Majesty’s Government, both DWP and UK Border Agency must process personal data in compliance with both the mandatory requirements set out in Information Assurance Standard 6 and the Security Policy Framework issued by HM Cabinet Office, when handling, transferring, storing, accessing or destroying information assets.
4.2. Each department will expect the other to have taken every reasonable measure to comply with the above standards and may conduct a risk assessment of the exchange against these requirements.
4.3. The exporting department will ensure that data integrity meets their department’s standards, unless more rigorous or higher standards are required and agreed at the information exchange specific MoU stage.
4.4. DWP and UK Border Agency must ensure effective measures are in place to manage potential or actual incidents as per Cabinet Office guidance, as defined in its Checklist for Managing Potential Loss of Data or Information.
4.5. Without limiting the receiving department’s legal obligations under Data Protection legislation or otherwise, the receiving department in receipt of information will ensure that they: • Only use the information for purposes that are legal under the legal basis on which they received it; • Even where not legally required to do so, will, as a courtesy, notify the other department if they are going to use the information for any purpose other than that for which they received it (in the event there is an urgent need to share they will be informed as soon as possible afterwards); • Store data received securely; • Notify the other department if they are going to onwardly disclose information; (in the event there is an urgent need to share they will be informed as soon as possible afterwards); • Ensure that only people who have a genuine business need to see that data will have access to it; • Report any information losses, wrongful disclosures or breaches of security relating to information originating in the other department to the designated contacts immediately (within 24 hours of becoming aware). This includes both advising, and consulting with, the other department on the appropriate steps to take, e.g. notification of the ICO’s Office or dissemination of any information to the data subjects; • Only hold information while there is a business need to keep it and destroy it in line with Government guidelines; and • Regularly review the assessment of risks to information and the effectiveness of measures taken to mitigate risks.
Appears in 1 contract
Sources: Memorandum of Understanding
Information Handling. 4.1. Both Parties are data controllers, and subject to the data protection principles set out in the DPA. Additionally as part of Her Majesty’s Government, both DfE and HO must process personal data in compliance with both the mandatory requirements set out in Information Assurance Standard 6 and the Security Policy Framework issued by HM Cabinet Office, when handling, transferring, storing, accessing or destroying information assets.
4.2. Each party will expect the other to have taken every reasonable measure to comply with the above standards and may conduct a risk assessment of the exchange against these requirements.
4.3. The exporting party will ensure that data integrity meets their party’s standards, unless more rigorous or higher standards are required and agreed at the information exchange specific MoU stage.
4.4. DfE and HO must ensure effective measures are in place to manage potential or actual incidents as per Cabinet Office guidance, as defined in its Checklist for Managing Potential Loss of Data or Information.
4.5. Without limiting the receiving party’s legal obligations under Data Protection legislation or otherwise, the receiving party in receipt of information will ensure that they: • Only use the information for purposes that are legal under the legal basis on which they received it; • Even where not legally required to do so, will, as a courtesy, notify the other party if they are going to use the information for any purpose other than that for which they received it (in the event there is an urgent need to share they will be informed as soon as possible afterwards); • Store data received securely; • Notify the other party if they are going to disclose information received from that party to another party or body due to a legal or moral requirement (in the event there is an urgent need to share they will be informed as soon as possible afterwards); • Ensure that only people who have a genuine business need to see that data will have access to it; • Report any data losses, wrongful disclosures or breaches of security relating to information originating in the other party to the designated contacts immediately (within 24 hours of becoming aware). This includes both advising, and consulting with, the other party on the appropriate steps to take, e.g. notification of the Information Commissioner’s Office or dissemination of any information to the data subjects; • Only hold data while there is a business need to keep it and destroy it in line with Government guidelines; and • Regularly review the assessment of risks to information and the effectiveness of measures taken to mitigate risks.
Appears in 1 contract
Sources: Memorandum of Understanding