Common use of Information Sharing and Data Handling Clause in Contracts

Information Sharing and Data Handling. Implementing this MoU will require the IMA and SG to exchange information. All arrangements for collaboration and exchange of information set out in this MoU and any supplementary agreements will take account of, and comply with, all relevant legislation and any IMA and SG codes of practice, frameworks or other policies relating to confidential personal information. The IMA and SG will have UK GDPR and DPIA obligations. It is acknowledged that the IMA will require information sharing from SG and as such the IMA will need to sign up to the data sharing agreements that SG will have in operation for such information to be released; and assist fully with DPIA considerations. The IMA and SG are committed to the fair, lawful and transparent handling of data. Only those personnel that need access to and use of the personal data in order to carry out their assigned duties correctly will be permitted access to the data held. All personnel handling data should be made fully aware of their individual responsibilities and should be appropriately trained to handle such data.

The IMA and SG must comply with the following when processing personal data:

• Personal data must always be handled with care and must not be shared with any IMA or SG colleague or any third party without authorisation.
• Physical records must not be left unattended or in the view of unauthorised IMA or SG employees, agents, contractors, or other parties at any time and must not be removed from the business premises without authorisation.
• If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period, the IMA or SG user must lock the computer and screen before leaving it.
• Any and all physical copies of personal data, along with any electronic copies stored on physical, removable media, should be stored securely in a locked filing cabinet, drawer, box or similar.
• All electronic copies of personal data are to be stored securely using passwords which are changed regularly, and which do not use words or phrases that can be easily guessed or otherwise compromised.
• Personal data must not be transferred to any device personally belonging to an IMA or SG employee or transferred or uploaded to any personal file sharing, storage, communication, or equivalent service (such as a personal cloud service).
• Personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the IMA or SG where the party in question has agreed to comply fully with the letter and spirit of the law (which may include demonstrating that all suitable technical and organisational measures have been taken, or by entering into a data processor contract).
• All personal data stored electronically shall be backed up regularly and securely; and
• Under no circumstances must any passwords be written down or shared between any IMA or SG employees, agents, contractors, or other parties working on behalf of the IMA or SG, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method.

In addition to the obligations set out above, all IMA and SG personnel involved in processing personal data are required to read and adhere to the relevant IMA and SG information security policies. IMA and SG will ensure personnel will complete the required mandatory training necessary to protect personal data.

The IMA and SG shall implement appropriate technical and organisational measures to ensure the confidentiality, integrity, availability, and resilience of personal data. Such measures shall be proportionate to the risks associated with the processing activities in question, and shall include (without limitation):

• Encryption and pseudonymisation of personal data where appropriate.
• Policies relating to information security, including the secure processing of data.
• Information security awareness training, including the secure handling of personal data.
• Business continuity and disaster recovery capabilities to ensure the ongoing availability of and access to IMA and SG personal data; and
• Upon reasonable request, demonstrating evidence of processes for regularly testing the technical and organisational measures implemented to ensure the security of the processing.

If a data incident, data breach or near miss occurs involving personal data, both the IMA and the SG designated contacts must be notified without delay, and in any event within 24 hours of either party becoming aware of it. Once assessment of any data incident, data breach or near miss has been completed by both parties, the next course of escalation shall be mutually agreed prior to informing the regulatory authority. If an identified data breach is likely to result in a risk to the rights and freedoms of IMA or SG data subjects, the appropriate data protection authority must be notified of the breach without delay, and in any event within 72 hours of the IMA or SG becoming aware of it. Further, in the event that a personal data breach is likely to result in a high risk to the rights and freedoms of IMA or SG data subjects, all affected data subjects are to be informed of the breach directly and without undue delay.

The IMA or SG will not retain any personal data for longer than is necessary. Once IMA and SG personal data records have reached the end of their life, they will be securely destroyed in a manner that ensures that they can no longer be used or accessed.

The IMA is subject to the Freedom of Information Act 2000. The Scottish Government is subject to the Freedom of Information (Scotland) Act 2002. The IMA and the Scottish Government are both subject to the Data Protection Act 2018. If one organisation receives a request for information that originated from the other, the receiving organisation will discuss the request with the other before responding. However, each organisation is required to comply with its statutory obligations and the ultimate decision on the release of information will remain with the organisation that has been requested to release it.

Appears in 1 contract

Sources: Memorandum of Understanding

Information Sharing and Data Handling. Implementing this MoU will require the IMA and SG DLUHC to exchange information. All arrangements for collaboration and exchange of information set out in this MoU and any supplementary agreements will take account of, and comply with, all relevant legislation and any IMA and SG DLUHC codes of practice, frameworks or other policies relating to confidential personal information. The IMA and SG DLUHC will have UK GDPR and DPIA obligations. It is acknowledged that the IMA will require information sharing from SG DLUHC and as such the IMA will need to sign up to the data sharing agreements that SG DLUHC will have in operation for such information to be released; and assist fully with DPIA considerations. The IMA and SG DLUHC are committed to the fair, lawful and transparent handling of data. Only those personnel that need access to and use of the personal data in order to carry out their assigned duties correctly will be permitted access to the data held. All personnel handling data should be made fully aware of their individual responsibilities and should be appropriately trained to handle such data.

The IMA and SG DLUHC must comply with the following when processing personal data:

• Personal data must always be handled with care and must not be shared with any IMA or SG DLUHC colleague or any third party without authorisation.
• Physical records must not be left unattended or in the view of unauthorised IMA or SG DLUHC employees, agents, contractors, or other parties at any time and must not be removed from the business premises without authorisation.
• If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period, the IMA or SG DLUHC user must lock the computer and screen before leaving it.
• Any and all physical copies of personal data, along with any electronic copies stored on physical, removable media, should be stored securely in a locked filing cabinet, drawer, box or similar.
• All electronic copies of personal data are to be stored securely using passwords which are changed regularly, and which do not use words or phrases that can be easily guessed or otherwise compromised.
• Personal data must not be transferred to any device personally belonging to an IMA or SG DLUHC employee or transferred or uploaded to any personal file sharing, storage, communication, or equivalent service (such as a personal cloud service).
• Personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the IMA or SG DLUHC where the party in question has agreed to comply fully with the letter and spirit of the law (which may include demonstrating that all suitable technical and organisational measures have been taken, or by entering into a data processor contract).
• All personal data stored electronically shall be backed up regularly and securely; and
• Under no circumstances must any passwords be written down or shared between any IMA or SG DLUHC employees, agents, contractors, or other parties working on behalf of the IMA or SG DLUHC, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method.

In addition to the obligations set out above, all IMA and SG DLUHC personnel involved in processing personal data are required to read and adhere to the relevant IMA and SG DLUHC information security policies. IMA and SG DLUHC will ensure personnel will complete the required mandatory training necessary to protect personal data.

The IMA and SG DLUHC shall implement appropriate technical and organisational measures to ensure the confidentiality, integrity, availability, and resilience of personal data. Such measures shall be proportionate to the risks associated with the processing activities in question, and shall include (without limitation):

• Encryption and pseudonymisation of personal data where appropriate.
• Policies relating to information security, including the secure processing of data.
• Information security awareness training, including the secure handling of personal data.
• Business continuity and disaster recovery capabilities to ensure the ongoing availability of and access to IMA and SG DLUHC personal data; and
• Upon reasonable request, demonstrating evidence of processes for regularly testing the technical and organisational measures implemented to ensure the security of the processing.

If a data incident, data breach or near miss occurs involving personal data, both the IMA and the SG DLUHC designated contacts must be notified without delay, and in any event within 24 hours of either party becoming aware of it. Once assessment of any data incident, data breach or near miss has been completed by both parties, the next course of escalation shall be mutually agreed prior to informing the regulatory authority. If an identified data breach is likely to result in a risk to the rights and freedoms of IMA or SG DLUHC data subjects, the appropriate data protection authority must be notified of the breach without delay, and in any event within 72 hours of the IMA or SG DLUHC becoming aware of it, where feasible. Further, in the event that a personal data breach is likely to result in a high risk to the rights and freedoms of IMA or SG DLUHC data subjects, all affected data subjects are to be informed of the breach directly and without undue delay.

The IMA or SG DLUHC will not retain any personal data for longer than is necessary. Once IMA and SG DLUHC personal data records have reached the end of their life, they will be securely destroyed in a manner that ensures that they can no longer be used or accessed.

Both the IMA and DLUHC are subject to the Freedom of Information Act 2000. The Scottish Government is subject to the Freedom of Information (Scotland) Act 2002. The IMA and the Scottish Government are both subject to the Data Protection Act 2018. If one organisation receives a request for information that originated from the other, the receiving organisation will discuss the request with the other before responding. However, each organisation is required to comply with its statutory obligations and the ultimate decision on the release of information will remain with the organisation that has been requested to release it. The Freedom of Information Policy is available upon request.

Appears in 1 contract

Sources: Memorandum of Understanding