Standard terms and conditions of contract for the purchase of services - High risk health and safety

Part F - Protection of information

F1 Intellectual property

  • F1.1 All Intellectual Property Rights in any Specifications, instructions, plans, data, drawings, databases, patents, patterns, models, designs or other material:
    • F1.1.1 provided to the Contractor by the Council shall remain the property of the Council;
    • F1.1.2 prepared by or for the Contractor specifically for the use, or intended use, in relation to the performance of the Contract shall belong to the Council subject to any exceptions set out in the Contract Particulars.
  • F1.2 The Contractor shall obtain necessary approval before using any material, in relation to the performance of the Contract which is or may be subject to any third party Intellectual Property Rights. The Contractor shall procure that the owner of the Intellectual Property Rights grant to the Council a non-exclusive licence, or if the Contractor is itself a licensee of those rights, the Contractor shall grant to the Council an authorised sub-licence, to use, reproduce, and maintain the Intellectual Property Rights. Such licence or sub-licence shall be non-exclusive, perpetual and irrevocable, shall include the right to sub-license, transfer, novate or assign to other Councils, the Replacement Contractor or to any other third party providing Services to the Council, and shall be granted at no cost to the Council.
  • F1.3 It is a condition of the Contract that the Services will not infringe any Intellectual Property Rights of any third party and the Contractor shall during and after the Contract Period on written demand indemnify and keep indemnified without limitation the Council against all Liabilities which the Council may suffer or incur as a result of or in connection with any breach of this clause, except where any such claim relates to the act or omission of the Council.
  • F1.4 At the termination of the Contract the Contractor shall at the request of the Council immediately return to the Council all materials, work or records held in relation to the Services, including any back-up media.

F2 Data protection

  • F2.1 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller and the Contractor is the Processor unless otherwise specified in the Data Protection Schedule (attached to this contract where applicable). The only processing that the Processor is authorised to do is listed in the Data Protection Schedule (attached to this contract where applicable) by the Controller and may not be determined by the Processor.
  • F2.2 The Processor shall notify the Controller immediately if it considers that any of the Controller's instructions infringe the Data Protection Legislation.
  • F2.3 The Processor shall provide all reasonable assistance to the Controller in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at the discretion of the Controller, include:
    • (a) a systematic description of the envisaged processing operations and the purpose of the processing;
    • (b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
    • (c) an assessment of the risks to the rights and freedoms of Data Subjects; and
    • (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
  • F2.4 The Processor shall, in relation to any Personal Data processed in connection with its obligations under this Agreement:
    • (a) process that Personal Data only in accordance with the Data Protection Schedule (attached to this contract where applicable) unless the Processor is required to do otherwise by Law. If it is so required the Processor shall promptly notify the Controller before processing the Personal Data unless prohibited by Law;
    • (b) ensure that it has in place Protective Measures, which are appropriate to protect against a Data Loss Event, which the Controller may reasonably reject (but failure to reject shall not amount to approval by the Controller of the adequacy of the Protective Measures), having taken account of the:
      • (i) nature of the data to be protected;
      • (ii) harm that might result from a Data Loss Event;
      • (iii) state of technological development; and
      • (iv) cost of implementing any measures;
    • (c) ensure that:
      • (i) the Processor Personnel do not process Personal Data except in accordance with this Agreement (and in particular the Data Protection Schedule attached to this contract where applicable);
      • (ii) it takes all reasonable steps to ensure the reliability and integrity of any Processor Personnel who have access to the Personal Data and ensure that they:
        • (a) are aware of and comply with the Processor’s duties under this clause;
        • (b) are subject to appropriate confidentiality undertakings with the Processor or any Sub-processor;
        • (c) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by the Controller or as otherwise permitted by this Agreement; and
        • (d) have undergone adequate training in the use, care, protection and handling of Personal Data; and
    • (d) not transfer Personal Data outside of the EU unless the prior written consent of the Controller has been obtained and the following conditions are fulfilled:
      • (i) the Controller or the Processor has provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by the Controller;
      • (ii) the Data Subject has enforceable rights and effective legal remedies;
      • (iii) the Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Controller in meeting its obligations); and
      • (iv) the Processor complies with any reasonable instructions notified to it in advance by the Controller with respect to the processing of the Personal Data;
    • (e) at the written direction of the Controller, delete or return Personal Data (and any copies of it) to the Controller on termination of the Agreement unless the Processor is required by Law to retain the Personal Data.
  • F2.5 Subject to clause 2.6, the Processor shall notify the Controller immediately if it:
    • (a) receives a Data Subject Request (or purported Data Subject Request);
    • (b) receives a request to rectify, block or erase any Personal Data;
    • (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation;
    • (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement;
    • (e) receives a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
    • (f) becomes aware of a Data Loss Event.
  • F2.6 The Processor’s obligation to notify under clause 2.5 shall include the provision of further information to the Controller in phases, as details become available.
  • F2.7 Taking into account the nature of the processing, the Processor shall provide the Controller with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under clause 2.5 (and insofar as possible within the timescales reasonably required by the Controller) including by promptly providing:
    • (a) the Controller with full details and copies of the complaint, communication or request;
    • (b) such assistance as is reasonably requested by the Controller to enable the Controller to comply with a Data Subject Request within the relevant timescales set out in the Data Protection Legislation;
    • (c) the Controller, at its request, with any Personal Data it holds in relation to a Data Subject;
    • (d) assistance as requested by the Controller following any Data Loss Event;
    • (e) assistance as requested by the Controller with respect to any request from the Information Commissioner’s Office, or any consultation by the Controller with the Information Commissioner's Office.
  • F2.8 The Processor shall maintain complete and accurate records and information to demonstrate its compliance with this clause. This requirement does not apply where the Processor employs fewer than 250 staff, unless:
    • (a) the Controller determines that the processing is not occasional;
    • (b) the Controller determines the processing includes special categories of data as referred to in Article 9(1) of the GDPR or Personal Data relating to criminal convictions and offences referred to in Article 10 of the GDPR; or
    • (c) the Controller determines that the processing is likely to result in a risk to the rights and freedoms of Data Subjects.
  • F2.9 The Processor shall allow for audits of its Data Processing activity by the Controller or the Controller’s designated auditor.
  • F2.10 Each Party shall designate its own data protection officer if required by the Data Protection Legislation.
  • F2.11 Before allowing any Sub-processor to process any Personal Data related to this Agreement, the Processor must:
    • (a) notify the Controller in writing of the intended Sub-processor and processing;
    • (b) obtain the written consent of the Controller;
    • (c) enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause such that they apply to the Sub-processor; and
    • (d) provide the Controller with such information regarding the Sub-processor as the Controller may reasonably require.
  • F2.12 The Processor shall remain fully liable for all acts or omissions of any of its Sub-processors.
  • F2.13 The Controller may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement).
  • F2.14 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Controller may on not less than 30 Working Days’ notice to the Processor amend this agreement to ensure that it complies with any guidance issued by the Information Commissioner’s Office.
  • F2.15 Where the Parties include two or more Joint Controllers as identified in the Data Protection Schedule (attached to this contract where applicable) in accordance with GDPR Article 26, those Parties shall enter into a Joint Controller Agreement based on the terms outlined in the Schedule for Joint Controllers in replacement of Clauses F2.1-F2.14 for the Personal Data under Joint Control.

F3 Freedom of information

  • F3.1 The Contractor acknowledges that the Council is subject to the requirement of the Code of Practice on Government Information, FOIA and the EIR and shall assist and cooperate with the Council to enable the Council to comply with its Information disclosure obligations.
  • F3.2 The Contractor shall and shall procure that its sub-Contractors shall do all of the following where relevant;
    • F3.2.1 Transfer to the Council all requests for Information that it receives as soon as practicable and in any event within two working days of receiving a Request For Information.
    • F3.2.2 Provide the Council with a copy of all Information relating to the subject of the request in its possession, or power in the form that the Council requires within five working days (or such other period as the Council may specify) of the Council’s request.
    • F3.2.3 Provide all necessary assistance as reasonably requested by the Council to enable the Council to respond to the Request For Information within the time for compliance set out in section 10 of the FOIA or regulation 5 of the EIR.
  • F3.3 The Council shall be responsible for determining in its absolute discretion despite any other provision in this agreement or any other agreement whether the Commercially Sensitive Information and/or any other Information is exempt from disclosure in accordance with the provisions of the Code of Practice on Government Information, FOIA or the EIR.
  • F3.4 In no event shall the Contractor respond directly to a Request For Information unless expressly authorised to do so by the Council.
  • F3.5 The Contractor acknowledges that (despite the provisions of clause F4) the Council may be obliged under the FOIA or the EIR to disclose Information concerning the Contractor or the services as follows:
    • F3.5.1 In certain circumstances without consulting the Contractor;
    • F3.5.2 Following consultation with the Contractor and having taken their views into account.
  • F3.6 Provided always that where F3.5.1 applies the Council shall, in accordance with any recommendations of the code, take reasonable steps, where appropriate, to give the Contractor advance notice, or failing that, to draw the disclosure to the Contractor’s attention after any such disclosure.
  • F3.7 The Contractor shall make sure that all information is retained for disclosure in accordance with any record keeping obligations of the Contractor under this Contract and shall permit the Council to inspect such records as requested from time-to-time.
  • F3.8 The Contractor acknowledges that the Commercially Sensitive Information is indicative only and that the Council may be obliged to disclose it in accordance with clause F3.

F4 Confidentiality

  • F4.1 Except to the extent set out in this clause or where disclosure is expressly permitted elsewhere in this Contract, each party shall do each of the following.
    • F4.1.1 Treat the other party’s Confidential Information as confidential and safeguard it accordingly.
    • F4.1.2 Not disclose the other party’s Confidential Information to any other person without the owner’s prior written consent.
  • F4.2 Paragraph F4.1 shall not apply to the extent that any one or more of the following applies to the relevant Information or disclosures.
    • F4.2.1 Such disclosure is a requirement of Law placed upon the party making the disclosure, including any requirements for disclosure under the FOIA, Code of Practice on Access to Government Information or the EIR pursuant to clause F3 (Freedom of Information).
    • F4.2.2 Such Information was in the possession of the party making the disclosure without obligation of confidentiality prior to its disclosure by the Information owner.
    • F4.2.3 Such Information was obtained from a third party without obligation of confidentiality.
    • F4.2.4 Such Information was already in the public domain at the time of disclosure otherwise than by a breach of this Contract; and
    • F4.2.5 It is independently developed without access to the other party’s Confidential Information.
  • F4.3 The Contractor may only disclose the Council’s Confidential Information to the Contractor personnel who are directly involved in the provision of the Services and who need to know the Information, and shall make sure that such Contractor personnel are aware of and shall comply with these obligations as to confidentiality.
  • F4.4 The Contractor shall not, and shall procure that the Contractor personnel do not, use any of the Council’s Confidential Information received otherwise than for the purposes of this Contract.
  • F4.5 At the written request of the Council and if reasonable in the circumstances to make that request, the Contractor shall procure that those members of the Contractor personnel identified in the Council’s notice sign a confidentiality undertaking prior to commencing any work in accordance with this Contract.
  • F4.6 Nothing in this agreement shall prevent the Council from disclosing the Contractor’s Confidential Information in any one or more of the following circumstances;
    • F4.6.1 To any Crown body or any other contracting authority as defined in Regulation 5(2) of the Public Contracts (Works, Services and Supply) (Amendment) Regulations 2000 other than the Council. All crown bodies or such contracting authorities receiving such Confidential Information shall be entitled to further disclose the Confidential Information to other Crown bodies or other such contracting authorities on the basis that the information is confidential and is not to be disclosed to a third party which is not part of any Crown body or other contracting authority;
    • F4.6.2 To any consultant, Contractor or other person engaged by the Council or any person conducting an Office of Government Commerce gateway review;
    • F4.6.3 For the purpose of the examination and certification of the Council’s accounts; and/or
    • F4.6.4 For any examination pursuant to section 6(1) of the National Audit Act 1983 of the economy, efficiency and effectiveness with which the Council has used its resources.

F5 Record keeping and monitoring 

  • F5.1 The Council shall monitor the Services in order to establish whether Terms specified in this Contract are being fulfilled.
  • F5.2 The Contractor shall at all times cooperate with the Council for the purposes of monitoring this Contract.
  • F5.3 The Contractor will allow any officer nominated by the Council to enter the office or such other premises under the control of the Contractor at any reasonable time to monitor the Services in order to ascertain that the terms of this Contract have been and are being performed to the prescribed standard as outlined in the Contract.
  • F5.4 The Council may require the Contractor to provide statistical or other information regarding the Services or anyone accessing the Services in such a format and at such intervals as may be determined by the Council and/or Government Departments. Advance notice of such requirements shall be given. All information received by the Council shall be treated in confidence.
  • F5.5 The Contractor shall compile and maintain such information and data as the Council may reasonably require for the purposes of evaluating compliance with the terms of this Contract, performance indicators, outcomes monitoring data and other applicable indicators.
  • F5.6 The Contractor must make available to the Council the information referred to in clause F5.5 at such times as the Council may reasonably require.
  • F5.7 The Council has total accountability to Council Tax payers. In order to discharge this duty the Council may require access to financial information to establish the financial viability of the Contractor. All information received by the Council shall be treated in confidence and only for the purpose for which it was requested. The Council undertakes to inform the Contractor of any concerns which may subsequently arise.
  • F5.8 The Contractor will inform the Authorised Officer immediately of any information it has which may have a detrimental effect on the Contractor and/or the continuation of this Contract.
  • F5.9 In order to assist the Council in its record keeping and monitoring requirements including auditing and National Audit Office requirements, the Contractor shall keep and maintain for six (6) years (or such longer time period required in accordance with any specific legislation) after the Contract has been completed, full and accurate records of the Contract including the Services supplied under it, Service User records, all expenditure reimbursed by the Council, and all payments made by the Council. The Contractor shall on request allow the Council or the Council’s representatives such access to (and copies of) those records as may be required by the Council in connection with the Contract.
  • F5.10 The Contractor will at its own cost, provide any information that may be required by the Council to comply with the Council’s procedures for monitoring of the Agreement.