26.3  PERSONAL DATA

26.3.1  Suitable drafting is set out below:

26.3  Personal Data

(a)  In relation to all Personal Data, the Contractor shall at all times comply with the DPA as a data controller if necessary, including maintaining a valid and up to date registration or notification under the DPA covering the data processing to be performed in connection with the Service.

(b)  The Contractor and any sub-contractor shall only undertake processing of Personal Data reasonably required in connection with the Service and shall not transfer any Personal Data to any country or territory outside the European Economic Area.

(c)  The Contractor shall not disclose Personal Data to any third parties other than:

(i)  to employees and sub-contractors to whom such disclosure is reasonably necessary in order for the Contractor to carry out the Service; or

(ii)  to the extent required under a court order,

provided that disclosure under paragraph (i) is made subject to written terms substantially the same as, and no less stringent than, the terms contained in this Clause 26.3 and that the Contractor shall give notice in writing to the Authority of any disclosure of Personal Data it or a sub-contractor is required to make under paragraph (ii) immediately it is aware of such a requirement.

(d)  The Contractor shall bring into effect and maintain all technical and organisational measures to prevent unauthorised or unlawful processing of Personal Data and accidental loss or destruction of, or damage to, Personal Data including but not limited to take reasonable steps to ensure the reliability of staff having access to the Personal Data.

(e)  The Authority may, at reasonable intervals, request a written description of the technical and organisational methods employed by the Contractor and/or the sub-contractors referred to in paragraph (d). Within [30] days of such a request, the Contractor shall supply written particulars of all such measures detailed to a reasonable level such that the Authority can determine whether or not, in connection with the Personal Data, it is compliant with the DPA.

(f)  The Contractor shall indemnify and keep indemnified the Authority against all losses, claims, damages, liabilities, costs and expense (including reasonable legal costs) incurred by it in respect of any breach of this Clause 26.3 caused by the Contractor or by any act or omission of any sub-contractor.500

"DPA"

means the Data Protection Act 1998.

"Personal Data"

means personal data as defined in the DPA which is supplied to the Contractor by the Authority or obtained by the Contractor in the course of performing the Service.




___________________________________________________________________________

500  See Section 24.3 (Indemnity).