Security15

20.5.  The Service Provider shall comply, and shall procure the compliance of the Service Provider's staff, with the Security Policy.

20.6.  The Authority shall notify the Service Provider of any changes or proposed changes to the Security Policy.

20.7.  If the Service Provider believes that a change or proposed change to the Security Policy will have a material and unavoidable cost implication to the Services it may submit a Service Provider Notice of Change.  In doing so, the Service Provider must support its request by providing evidence of the cause of any increased costs and the steps that it has taken to mitigate those costs.  Any change to the Payment shall then be agreed in accordance with the Change Protocol.

20.8.  Until and/or unless a change to the Payment is agreed by the Authority pursuant to clause 20.7 the Service Provider shall continue to perform the Services in accordance with its existing obligations.

__________________________________________________________________________________________

15  Guidance: The Security Policy referred to in this clause will need to be set out in the Output Specification. The Authority will want to ensure that it has not drafted the Security Policy in a way which constrains the output specification of the Services by assuming (and requiring) an identical form of service provision methodology for the future.