19.2.  No Disclosure

19.2.1.  The Service Provider shall not disclose Personal Data to any third parties other than:

a)  to employees and Sub-Contractors to whom such disclosure is reasonably necessary in order for the Service Provider to perform the Services;

b)  to the extent required under a court order or Legislation; or

c)  disclosures made with the Data Subject's express written consent

provided that disclosure under clause 19.2.1.a) (No Disclosure) is made subject to written terms substantially the same as, and no less stringent than, the terms contained in this clause 19.2.1 (No Disclosure).  The Service Provider shall give notice in writing to the Authority of any disclosure of Personal Data which either the Service Provider or a Sub-Contractor is required to make under clause 19.2.1.b) (No Disclosure) immediately upon becoming aware of such a requirement.

19.2.2.  The Service Provider shall bring into effect and maintain and procure that all relevant Sub-Contractors have in effect and maintain all technical and organisational measures to prevent unauthorised or unlawful processing of Personal Data and accidental loss or destruction of, or damage to, Personal Data including to take reasonable steps to ensure the reliability of staff having access to the Personal Data.

19.2.3.  The Authority may, at reasonable intervals, request a written description of the technical and organisational methods employed by the Service Provider or the Sub-Contractors referred to in clause 19.2.2 (No Disclosure).  Within twenty (20) Business Days of such a request, the Service Provider shall supply written particulars of all such measures detailed to a reasonable level such that the Authority can determine whether or not, in connection with the Personal Data, it is compliant with the DPA.