Information Security and Privacy.

1.1. Consultant understands and agrees that, in the performance of the services under this Agreement, Consultant may have access to private or confidential information owned or controlled by City and that such information may contain confidential or proprietary details, the disclosure of which to third parties may be damaging to City.

1.2. Consultant’s provision of Hosted Services requires Consultant to collect information that may include confidential and private information from/or about third parties.

1.2.1. Consultant is not authorized by the Agreement to collect, store, disclose or otherwise handle data that is regulated or otherwise recognized by City as privacy data.

1.2.2. Consultant is authorized by the Agreement to collect, store, disclose or otherwise handle data that is regulated or otherwise recognized by City as Health Insurance Portability and Accountability Act (“HIPAA”) regulated data (including records and metadata). City, Consultant, and Consultant’s third-parties (Party) have obligations to protect the privacy and provide for the security of protected health information disclosed to Consultant and their third-parties under this Contract pursuant to HIPAA, the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), and regulations promulgated thereunder including 45 CFR Sections 160 and 164. City and Consultant agree to comply with the Business Associate Addendum (BAA), attached as Exhibit C and made a part of this Contract.

1.2.3. Consultant is authorized by the Agreement to collect, store, disclose or otherwise handle data that is regulated or otherwise recognized by City as privacy data but not Health Insurance Portability and Accountability Act (“HIPAA”) regulated data (including records and metadata). Vendor shall retain data only for deliberate, documented purposes. Vendor shall ensure that the longest retention period any privacy data is subject to dictates the end of that data’s business purpose defined by City and this Agreement.

1.3. Consultant will store the information on a secure remote server using reasonable safeguards in accordance with the Security Standards of the Agreement codified in DATA SECURITY (Section 2 below) and Consultant’s published on-line privacy policies and in compliance with applicable laws, codes of practice, and other legal obligations associated with the collection, use, and disclosure of personal information. Consultant shall exercise the same standard of care to protect such information as a reasonably prudent Consultant would use to protect its own proprietary and confidential data. City will be responsible for protecting the privacy and security of any information that City retrieves from Consultant’s servers and shall prevent any unauthorized or illegal use or dissemination of such information and shall be solely responsible for ensuring compliance with any applicable data and privacy protection laws, codes of practice, and other legal obligations associated with the collection, use and disclosure of personal information by City, including such disclosure to Consultant as is necessary for Consultant to provide the Services to City. City shall exclusively own the personal data collected and managed by Consultant in connection with the Hosted Services, provided however that Consultant is granted a royalty-free, perpetual, non-exclusive right and license to use, reproduce, distribute and adapt the collected data as is necessary for Consultant to perform its obligations under this Agreement.
Sources: Professional Services, Privacy and Security Agreement