SECURITY AND PRIVACY SAFEGUARDS Clause Samples

The SECURITY AND PRIVACY SAFEGUARDS clause establishes requirements for protecting sensitive information and ensuring compliance with privacy standards. It typically mandates that parties implement appropriate technical and organizational measures to prevent unauthorized access, disclosure, or misuse of personal or confidential data. For example, this may include encryption, access controls, and regular security assessments. The core function of this clause is to mitigate the risk of data breaches and ensure that both parties uphold their legal and ethical responsibilities regarding information security and privacy.
SECURITY AND PRIVACY SAFEGUARDS. General Security Requirements 1. Administrative Safeguards Access to the data matched and to any data created by the match will be restricted to only those authorized employees and officials who need it to perform their official duties in connection with the uses of the data authorized in this agreement. Further, all personnel who will have access to the data matched and to any data created by the match will be advised of the confidential nature of the data, the safeguards required to protect the data, and the civil and criminal sanctions for noncompliance contained in the applicable Federal laws.
SECURITY AND PRIVACY SAFEGUARDS. 1. SSS and ED will comply with all Federal requirements relating to information security, information systems security, and privacy, including the Federal Information Security Management Act of 2002, as amended by the Federal Information Security Modernization Act of 2014 (FISMA), section 208 of the E-Government Act of 2002, the Privacy Act, OMB Memorandum 08-05, “Implementation of Trusted Internet Connections (TIC)” and all subsequent related memoranda, OMB memoranda related to privacy, and National Institute of Standards and Technology (NIST) directives in the Special Publications (SP) 800 series (e.g., NIST SP 800-53, Rev. 4, and NIST SP 800-37, Rev. 1). Specific security requirements include, but are not limited to, the following: a. Data must be protected at the Moderate system certification criticality level according to Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems. b. SSS’s Registration, Compliance, and Verification System (RCV) and FSA’s Central Processing System (CPS) have completed the security authorization process (formerly called certification and accreditation) within the last three years, using the required NIST guidance, and have an Authorization to Operate (ATO) with the appropriate signatures. c. Electronic files are encrypted using the FIPS 140-2 standard and are interoperable with ED’s personal identity verification logical access control card (PIV LAC) for Government Employees and support contractors authorized to have an HSPD-12 card (HSPD-12 = Homeland Security Presidential Directive #12). d. Electronic files are encrypted while in transit, with the use of FIPS 140-2 product(s) that provide a secure tunnel between SSS and FSA sites. e. SSS and ED information systems reside behind a Trusted Internet Connection (TIC).
i. FISMA requirements apply to all Federal contractors, organizations, or entities that possess or use Federal information, or that operate, use, or have access to Federal information systems on behalf of an agency. SSS and ED agree that they are responsible for oversight and compliance of their own contractors and agents. SSS and ED each reserve the right to conduct onsite inspections of any contractor or agent who has access to matched data in order to monitor compliance with FISMA regulations during the lifetime of this agreement. ii. ED and SSS will also comply with the personally identifiable information (PII) bre...
SECURITY AND PRIVACY SAFEGUARDS eHealth Ontario has implemented strong administrative, physical and technical safeguards, consistent with industry best practices, to protect the information being transferred, processed or stored from theft, loss, unauthorised use, modification, disclosure, destruction and/or damage. These safeguards include security software and encryption protocols, firewalls, locks and other access controls, privacy impact assessments, staff training and confidentiality agreements.
SECURITY AND PRIVACY SAFEGUARDS. 2.1 All eHealth Ontario Products and Services: eHealth Ontario’s security program is based on two standards from the International Organization for Standardization (ISO), as recommended by the Government of Canada: • ISO/IEC 27002:2005, – Code of Practice for Information Security Management, and • ISO/IEC 27001:2005, – Information Security Management Systems – Requirements. and is in compliance with the Personal Health Information Protection Act and the Freedom of Information and Protection of Privacy Act. Security of information and protection of privacy within, and by use of, eHealth Ontario’s products and services is achieved by collaboration of all parties who are partners in providing or using these services. For its part, eHealth Ontario has implemented the following safeguards: (i) Administrative Safeguards • eHealth Ontario regularly reviews and enhances its security policies. Staff and contractors read the relevant policies and sign that they have read and understood them. • eHealth Ontario has mandatory security staff awareness and training programs. • eHealth Ontario Staff and contractors generally have no ability or permission to access personal health information. If access to personal health information is required in the course of providing eHealth Ontario services, individuals are prohibited from using or disclosing such information. • All staff and contractors must sign confidentiality agreements and undergo criminal background checks prior to joining eHealth Ontario. eHealth Ontario has a security screening policy that requires staff to have an appropriate level of clearance for the sensitivity of the information they may access. • Client obligations, for their part in maintaining security, are detailed in individual contracts and Service Level Agreements (SLAs). 
• eHealth Ontario ensures, through formal contracts/SLAs, that any third party it retains to assist in providing services to health information custodians will comply with the restrictions and conditions necessary for eHealth Ontario to fulfil its legal responsibilities. • eHealth Ontario staff, consultants, suppliers and clients must promptly report any security breaches to eHealth Ontario for investigation. • Security risk assessments are conducted as part of both product/service development and client deployments. Mitigation activities are well established and tracked as part of each assessment. • eHealth Ontario provides a written copy of the results of a security risk assess...
SECURITY AND PRIVACY SAFEGUARDS. VA and ED agree to comply with the requirements of the Federal Information Security Management Act of 2002, title III of the E-Government Act of 2002 (Pub. L. 107-347), as amended by the Federal Information Security Modernization Act of 2014 (Pub. L. 113-283) (FISMA); the Privacy Act; related OMB circulars and memoranda, including Circular A-130, “Managing Information as a Strategic Resource,” (July 28, 2016) and Memorandum M-17-12, “Preparing for and Responding to a Breach of Personally Identifiable Information” (January 3, 2017); National Institute of Standards and Technology (NIST) directives related to cybersecurity (SP 800 series); and the Federal Acquisition Regulations (FAR). ED’s CPS and COD systems, and the VA “Compensation, Pension, Education, and Vocational Rehabilitation and Employment Records – VA” (58VA21/22/28) system have a current Authorization to Operate (ATO) in accordance with FISMA. As of August 2023, ED’s FPS is undergoing the security authorization process and is expected to receive an ATO in December 2023. These laws, directives, and regulations include requirements for safeguarding Federal information systems and personally identifiable information (PII) used in Federal agency business processes, as well as related reporting requirements. Both agencies recognize and will comply with the laws, regulations, NIST standards, OMB directives, and related guidance, including those published after the effective date of this CMA. Specific security requirements include, but are not limited to, the following: • At a minimum, data must be protected at the Moderate system certification criticality level according to Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information, and Information Systems. 
• All systems involved in this match have completed the security authorization process within the last three years, using the required NIST guidance, and have an active ATO with the appropriate signatures. Note: as of August 2023, FPS is undergoing the security authorization process and is expected to receive an ATO in December 2023. • Electronic files are encrypted using the FIPS 140-3 standard, per the NIST Implementation Schedule, and, to the extent possible, are interoperable with ED’s personal identity verification logical access control card (PIV LAC) for Government Employees and support contractors authorized to have an HSPD-12 card (HSPD-12 = Homeland Security Presidential Di...
SECURITY AND PRIVACY SAFEGUARDS. ED and DoD will comply with all Federal requirements relating to information security, information systems security, and privacy, including the Federal Information Security Modernization Act of 2014 (FISMA), the E-Government Act of 2002, OMB memoranda related to privacy, and National Institute of Standards and Technology (NIST) directives in the Special Publications (SP) 800 series (e.g., NIST SP 800-53, Rev. 4, and NIST SP 800-37, Rev.
SECURITY AND PRIVACY SAFEGUARDS eHealth Ontario warrants that it has implemented and will maintain strong administrative, physical and technical safeguards, consistent with industry best practices as applicable to health care systems in Ontario, to protect the Personal Health Information being transferred, processed or stored from theft, loss, unauthorised use, modification, disclosure, destruction and/or damage and will ensure its Representatives comply with its privacy and security requirements. These safeguards include security software and encryption protocols, firewalls, locks and other access controls, privacy impact assessments, staff training and confidentiality agreements. Additional information can be found at ▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇.▇▇/about.

Related to SECURITY AND PRIVACY SAFEGUARDS

  • Security and Privacy Security and privacy policies for the Genesys Cloud Service addressing use of Customer Data, which are incorporated by reference and may be updated from time to time in accordance with Section 10.12 of the Agreement, are located at ▇▇▇▇▇://▇▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇▇/articles/purecloud-security-compliance/.

  • Data Security and Privacy Except as would not, individually or in the aggregate, reasonably be expected to be material to the business of the Company Group, taken as a whole, the Company and each of its Subsidiaries (i) is in compliance with all Data Security Requirements and (ii) has taken commercially reasonable steps consistent with standard industry practice by companies of similar size and maturity, and in compliance in all material respects with all Data Security Requirements to protect (A) the confidentiality, integrity, availability and security of its Business Systems that are involved in the Processing of Personally Identifiable Information, in the conduct of the business of the Company and its Subsidiaries as currently conducted; and (B) Personally Identifiable Information Processed by or on behalf of the Company or such Subsidiary or on their behalf from unauthorized use, access, disclosure, theft and modification. Except as would not, individually or in the aggregate, reasonably be expected to be material to the business of the Company Group, taken as a whole, (i) there are, and since January 1, 2022, have been, no pending complaints, investigations, inquiries, notices, enforcement proceedings, or Actions by or before any Governmental Authority and (ii) since January 1, 2022, no fines or other penalties have been imposed on or written claims, notice, complaints or other communications have been received by the Company or any Subsidiary, relating to any Specified Data Breach or alleging non-compliance with any Data Security Requirement. The Company and each of its Subsidiaries have not, since January 1, 2022, (1) experienced any Specified Data Breaches, or (2) been involved in any Legal Proceedings related to or alleging any violation of any Data Security Requirements by the Company Group or any Specified Data Breaches, each except as would not be material to the business of the Company Group, taken as a whole. 
The consummation of the transactions contemplated by this Agreement will not cause the Company Group to breach any Data Security Requirement, except as would not reasonably be expected to be material to the business of the Company Group, taken as a whole.

  • Data Security and Privacy Plan As more fully described herein, throughout the term of the Master Agreement, Vendor will have a Data Security and Privacy Plan in place to protect the confidentiality, privacy and security of the Protected Data it receives from the District. Vendor’s Plan for protecting the District’s Protected Data includes, but is not limited to, its agreement to comply with the terms of the District’s Bill of Rights for Data Security and Privacy, a copy of which is set forth below and has been signed by the Vendor. Additional components of Vendor’s Data Security and Privacy Plan for protection of the District’s Protected Data throughout the term of the Master Agreement are as follows: (a) Vendor will implement all state, federal, and local data security and privacy requirements including those contained within the Master Agreement and this Data Sharing and Confidentiality Agreement, consistent with the District’s data security and privacy policy. (b) Vendor will have specific administrative, operational and technical safeguards and practices in place to protect Protected Data that it receives from the District under the Master Agreement. 
(c) Vendor will comply with all obligations contained within the section set forth in this Exhibit below entitled “Supplemental Information about a Master Agreement between Chazy Central Rural School District and [Name of Vendor].” Vendor’s obligations described within this section include, but are not limited to: (i) its obligation to require subcontractors or other authorized persons or entities to whom it may disclose Protected Data (if any) to execute written agreements acknowledging that the data protection obligations imposed on Vendor by state and federal law and the Master Agreement shall apply to the subcontractor, and (ii) its obligation to follow certain procedures for the return, transition, deletion and/or destruction of Protected Data upon termination, expiration or assignment (to the extent authorized) of the Master Agreement. (d) Vendor has provided or will provide training on the federal and state laws governing confidentiality of Protected Data for any of its officers or employees (or officers or employees of any of its subcontractors or assignees) who will have access to Protected Data, prior to their receiving access. (e) Vendor will manage data security and privacy incidents that implicate Protected Data and will develop and implement plans to identify breaches and unauthorized disclosures. Vendor will provide prompt notification to the District of any breaches or unauthorized disclosures of Protected Data in accordance with the provisions of Section 5 of this Data Sharing and Confidentiality Agreement.

  • DATA PROTECTION AND PRIVACY 14.1 In addition to Supplier’s obligations under Sections 6, 9, 10, and 15, Supplier will comply with this Section 14 when processing Accenture Personal Data. "Accenture Personal Data" means personal data owned, licensed, or otherwise controlled or processed by Accenture including personal data processed by Accenture on behalf of its clients. “Accenture Data” means all information, data and intellectual property of Accenture or its clients or other suppliers, collected, stored, hosted, processed, received and/or generated by Supplier in connection with providing the Deliverables to Accenture, including Accenture Personal Data.

  • Data Privacy and Security Laws The Company is, and at all prior times was, in material compliance with all applicable state and federal data privacy and security laws and regulations in the United States, including, without limitation, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health Act, and all applicable provincial and federal data privacy and security laws and regulations in Canada, including without limitation the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) (“PIPEDA”); and the Company has taken commercially reasonable actions to prepare to comply with, and have been and currently are in compliance with, the European Union General Data Protection Regulation (“GDPR”) (EU 2016/679) (collectively, the “Privacy Laws”). To ensure compliance with the Privacy Laws, the Company has in place, comply with, and take appropriate steps reasonably designed to ensure compliance in all material respects with their policies and procedures relating to data privacy and security and the collection, storage, use, disclosure, handling, and analysis of Personal Data (the “Policies”). “Personal Data” means (i) a natural person’s name, street address, telephone number, e-mail address, photograph, social security number or tax identification number, driver’s license number, passport number, credit card number, bank information, or customer or account number; (ii) any information which would qualify as “personally identifying information” under the Federal Trade Commission Act, as amended; (iii) Protected Health Information as defined by HIPAA; (iv) “personal information”, “personal health information”. 
and “business contact information” as defined by PIPEDA; (v) “personal data” as defined by GDPR; and (vi) any other piece of information that allows the identification of such natural person, or his or her family, or permits the collection or analysis of any data related to an identified person’s health or sexual orientation. The Company has at all times made all disclosures to users or customers required by applicable laws and regulatory rules or requirements, and none of such disclosures made or contained in any Policy have, to the knowledge of the Company, been inaccurate or in violation of any applicable laws and regulatory rules or requirements in any material respect. The Company further certifies: (i) it has not received notice of any actual or potential liability under or relating to, or actual or potential violation of, any of the Privacy Laws, and has no knowledge of any event or condition that would reasonably be expected to result in any such notice; (ii) is currently conducting or paying for, in whole or in part, any investigation, remediation, or other corrective action pursuant to any Privacy Law; or (iii) is a party to any order, decree, or agreement that imposes any obligation or liability under any Privacy Law.