67.3  Prevention of unauthorised processing

The Service Provider:

(a)  shall bring into effect, and maintain, all technical and organisational measures necessary to prevent unauthorised or unlawful processing of Personal Data and accidental loss or destruction of, or damage to, Personal Data including to take reasonable steps to ensure the reliability of staff having access to the Personal Data; and

(b)  provide to the Authority request a written description of the technical and organisational methods employed by the Service Provider or the sub-contractors referred to in clause 67.3(a) within twenty (20) Business Days of a request.  The written particulars shall be detailed to a reasonable level such that the Authority can determine whether or not, in connection with the Personal Data, it is compliant with the DPA.