Handling Sensitive Personal Information and Breach Notification A. As part of its contract with HHSC Contractor may receive or create sensitive personal information, as section 521.002 of the Business and Commerce Code defines that phrase. Contractor must use appropriate safeguards to protect this sensitive personal information. These safeguards must include maintaining the sensitive personal information in a form that is unusable, unreadable, or indecipherable to unauthorized persons. Contractor may consult the “Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals” issued by the U.S. Department of Health and Human Services to determine ways to meet this standard. B. Contractor must notify HHSC of any confirmed or suspected unauthorized acquisition, access, use or disclosure of sensitive personal information related to this Contract, including any breach of system security, as section 521.053 of the Business and Commerce Code defines that phrase. Contractor must submit a written report to HHSC as soon as possible but no later than 10 business days after discovering the unauthorized acquisition, access, use or disclosure. The written report must identify everyone whose sensitive personal information has been or is reasonably believed to have been compromised. C. Contractor must either disclose the unauthorized acquisition, access, use or disclosure to everyone whose sensitive personal information has been or is reasonably believed to have been compromised or pay the expenses associated with HHSC doing the disclosure if: 1. Contractor experiences a breach of system security involving information owned by HHSC for which disclosure or notification is required under section 521.053 of the Business and Commerce Code; or 2. Contractor experiences a breach of unsecured protected health information, as 45 C.F.R. §164.402 defines that phrase, and HHSC becomes responsible for doing the notification required by 45 C.F.R. §164.404. HHSC may, at its discretion, waive Contractor's payment of expenses associated with HHSC doing the disclosure.
Sensitive data Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
Contractor Designation of Trade Secrets or Otherwise Confidential Information If the Contractor considers any portion of materials to be trade secret under section 688.002 or 812.081, F.S., or otherwise confidential under Florida or federal law, the Contractor must clearly designate that portion of the materials as trade secret or otherwise confidential when submitted to the Department. The Contractor will be responsible for responding to and resolving all claims for access to Contract-related materials it has designated trade secret or otherwise confidential.
Return or Destruction of Confidential Information If an Interconnection Party provides any Confidential Information to another Interconnection Party in the course of an audit or inspection, the providing Interconnection Party may request the other party to return or destroy such Confidential Information after the termination of the audit period and the resolution of all matters relating to that audit. Each Interconnection Party shall make Reasonable Efforts to comply with any such requests for return or destruction within ten days of receiving the request and shall certify in writing to the other Interconnection Party that it has complied with such request.
Destruction of Confidential Information Upon the Disclosing Party’s written request, at any time during or after the term of this Agreement, the Recipient and its Representatives shall promptly return all copies, in any form or media, of the Disclosing Party’s Confidential Information, or destroy such copies and certify in writing that the Confidential Information has been destroyed. Additionally, the Recipient shall destroy all copies of any Notes created by the Recipient or its Representatives and certify that such Notes have been destroyed. However, the following exceptions apply: The Recipient and its Representatives are not required to destroy electronic copies of Confidential Information created as part of standard backup and archival processes, provided that: personnel not primarily involved in information technology do not have access to such retained copies; and information technology personnel only access such copies as necessary to perform regular IT functions (e.g., system recovery). The Recipient and its Representatives may retain: one copy of the Confidential Information as necessary to defend or maintain any litigation related to this Agreement or the Confidential Information, or to comply with established document retention policies; and copies of the Confidential Information as required by applicable law, regulation, or rule, or as necessary to comply with any request or requirement of a legal, regulatory, governmental, or supervisory authority, provided that the Recipient and its Representatives remain bound by the terms of this Agreement concerning any retained Confidential Information.