Client Data The Subrecipient shall maintain client data demonstrating client eligibility for services provided. Such data shall include, but not be limited to, client name, address, income level or other basis for determining eligibility, and description of service provided. Such information shall be made available to Grantee monitors or their designees for review upon request.
Security of Data a. Each of the parties shall:
i. ensure as far as reasonably practicable, that Data is properly stored, is not accessible to unauthorised persons, is not altered, lost or destroyed and is capable of being retrieved only by properly authorised persons;
ii. subject to the provisions of Sub-Clause 8.a. ensure that, in addition to any security, proprietary and other information disclosure provision contained in the Contract, Messages and Associated Data are maintained in confidence, are not disclosed or transmitted to any unauthorised person and are not used for any purpose other than that communicated by the sending party or permitted by the Contract; and
iii. protect further transmission to the same degree as the originally transmitted Message and Associated Data when further transmissions of Messages and Associated Data are permitted by the Contract or expressly authorised by the sending party.
b. The sending party shall ensure that Messages are marked in accordance with the requirements of the Contract. If a further transmission is made pursuant to Sub-Clause 3. a. iii. the sender shall ensure that such markings are repeated in the further transmission.
c. The parties may apply special protection to Messages by encryption or by other agreed means, and may apply designations to the Messages for protective Interchange, handling and storage procedures. Unless the parties otherwise agree, the party receiving a Message so protected or designated shall use at least the same level of protection and protective procedures for any further transmission of the Message and its Associated Data for all responses to the Message and for all other communications by Interchange or otherwise to any other person relating to the Message.
d. If either party becomes aware of a security breach or breach of confidence in relation to any Message or in relation to its procedures or systems (including, without limitation, unauthorised access to their systems for generation, authentication, authorisation, processing, transmission, storage, protection and file management of Messages) then it shall immediately inform the other party of such breach. On being informed or becoming aware of a breach the party concerned shall:
i. immediately investigate the cause, effect and extent of such breach;
ii. report the results of the investigation to the other party; and
iii. use all reasonable endeavours to rectify the cause of such breach.
e. Each party shall ensure that the contents of Messages that are sent or received are not inconsistent with the law, the application of which could restrict the content of a Message or limit its use, and shall take all necessary measures to inform without delay the other party if such an inconsistency arises.
Protection of Customer Data The Supplier shall not delete or remove any proprietary notices contained within or relating to the Customer Data. The Supplier shall not store, copy, disclose, or use the Customer Data except as necessary for the performance by the Supplier of its obligations under this Call Off Contract or as otherwise Approved by the Customer. To the extent that the Customer Data is held and/or Processed by the Supplier, the Supplier shall supply that Customer Data to the Customer as requested by the Customer and in the format (if any) specified by the Customer in the Call Off Order Form and, in any event, as specified by the Customer from time to time in writing. The Supplier shall take responsibility for preserving the integrity of Customer Data and preventing the corruption or loss of Customer Data. The Supplier shall perform secure back-ups of all Customer Data and shall ensure that up-to-date back-ups are stored off-site at an Approved location in accordance with any BCDR Plan or otherwise. The Supplier shall ensure that such back-ups are available to the Customer (or to such other person as the Customer may direct) at all times upon request and are delivered to the Customer at no less than six (6) Monthly intervals (or such other intervals as may be agreed in writing between the Parties). The Supplier shall ensure that any system on which the Supplier holds any Customer Data, including back-up data, is a secure system that complies with the Security Policy and the Security Management Plan (if any). If at any time the Supplier suspects or has reason to believe that the Customer Data is corrupted, lost or sufficiently degraded in any way for any reason, then the Supplier shall notify the Customer immediately and inform the Customer of the remedial action the Supplier proposes to take. If the Customer Data is corrupted, lost or sufficiently degraded as a result of a Default so as to be unusable, the Supplier may: require the Supplier (at the Supplier's expense) to restore or procure the restoration of Customer Data to the extent and in accordance with the requirements specified in Call Off Schedule 8 (Business Continuity and Disaster Recovery) or as otherwise required by the Customer, and the Supplier shall do so as soon as practicable but not later than five (5) Working Days from the date of receipt of the Customer’s notice; and/or itself restore or procure the restoration of Customer Data, and shall be repaid by the Supplier any reasonable expenses incurred in doing so to the extent and in accordance with the requirements specified in Call Off Schedule 8 (Business Continuity and Disaster Recovery) or as otherwise required by the Customer.
Security of Information Unless otherwise specifically authorized by the DOH IT Security Officer, Contractor receiving confidential information under this contract assures that: It is compliant with the applicable provisions of the Washington State Office of the Chief Information Officer’s policy, Securing Information Technology Assets, available at ▇▇▇▇://▇▇▇.▇▇.▇▇▇/ocio. It will provide DOH copies of its IT security policies, practices and procedures upon the request of the DOH IT Security Officer. DOH may at any time conduct an audit of the Contractor’s security practices and/or infrastructure to assure compliance with the security requirements of this contract. It has implemented physical, electronic and administrative safeguards that are consistent with ISB IT security standards and guidelines to prevent unauthorized access, use, modification or disclosure of DOH Confidential Information in any form. This includes, but is not limited to, restricting access to specifically authorized individuals and services through the use of: Documented access authorization and change control procedures; Card key systems that restrict, monitor and log access; Locked racks for the storage of servers that contain Confidential Information or AES encryption (128bit or stronger) to protect confidential data at rest; Documented patch management practices that assure all network systems are running critical security updates within 6 days of release when the exploit is in the wild, and within 30 days of release for all others; Documented anti-virus strategies that assure all systems are running the most current anti-virus signatures within 1 day of release; Complex passwords that are systematically enforced and expire at least every 180 days; Strong (Two Factor) authentication mechanisms that assure the identity of individuals who access Confidential Information; Account lock-out after 5 failed authentication attempts for a minimum of 20 minutes, or for Confidential Information, until administrator reset; AES encrypted (128bit or stronger) sessions for all data transmissions. Firewall rules and network address translation that isolate database servers from web servers and public networks; Regular review of firewall rules and configurations to assure compliance with authorization and change control procedures; Log management and intrusion detection/prevention systems; A documented and tested incident response plan Any breach of this clause may result in termination of the contract and the demand for return of all personal information.
Privacy of Customer Information The Seller’s Customer Information in the possession of the Administrative Agent or the Buyers, other than information independently obtained by the Administrative Agent or the Buyers and not derived in any manner from or using information obtained under or in connection with this Agreement, is and shall remain confidential and proprietary information of the Seller. Except in accordance with this Section 16.9, the Administrative Agent and the Buyers shall not use any Seller’s Customer Information for any purpose, including the marketing of products or services to, or the solicitation of business from, Customers, or disclose any Seller’s Customer Information to any Person, including any of the Administrative Agent’s or the Buyers’ employees, agents or contractors or any third party not affiliated with the Administrative Agent or a Buyer. The Administrative Agent and the Buyers may use or disclose Seller’s Customer Information only to the extent necessary (i) for examination and audit of the Administrative Agent’s or the Buyers’ respective activities, books and records by their regulatory authorities, (ii) to market or sell Purchased Mortgage Loans or to enforce or exercise their rights under any Repurchase Document, (iii) to carry out the Administrative Agent’s, the Buyers’ and the Custodian’s express rights and obligations under this Agreement and the other Repurchase Documents (including providing Seller’s Customer Information to Approved Investors), or (iv) in connection with an assignment or participation as authorized by Section 22 or in connection with any hedging transaction related to the Purchased Loans and for no other purpose; provided that the Administrative Agent and the Buyers may also use and disclose the Seller’s Customer Information as expressly permitted by the Seller in writing, to the extent that such express permission is in accordance with the Privacy Requirements. The Administrative Agent and the Buyers shall ensure that each Person to which the Administrative Agent or a Buyer intends to disclose Seller’s Customer Information, before any such disclosure of information, agrees to keep confidential any such Seller’s Customer Information and to use or disclose such Seller’s Customer Information only to the extent necessary to protect or exercise the Administrative Agents, the Buyers’ or the Custodian’s rights and privileges, or to carry out the Administrative Agent’s, the Buyers’ and the Custodian’s express obligations, under this Agreement and the other Repurchase Documents (including providing Seller’s Customer Information to Approved Investors). The Administrative Agent agrees to maintain an Information Security Program and to assess, manage and control risks relating to the security and confidentiality of Seller’s Customer Information pursuant to such program in the same manner as the Administrative Agent does in respect of its own customers’ information, and shall implement the standards relating to such risks in the manner set forth in the Interagency Guidelines Establishing Standards for Safeguarding Company Customer Information set forth in 12 C.F.R. Parts 30, 208, 211, 225, 263, 308, 364, 568 and 570. Without limiting the scope of the foregoing sentence, the Administrative Agent and the Buyers shall use at least the same physical and other security measures to protect all of the Seller’s Customer Information in their possession or control as each of them uses for its own customers’ confidential and proprietary information.