
DATA PROTECTION ACT 1998

GUIDANCE FOR INCLUSION OF DATA PROTECTION CLAUSE INTO CONTRACTS

(November 2003)

1. INTRODUCTION:

It is very important that the Council’s contracts that involve third parties
accessing/being able to access personal information include appropriate data
protection clauses. In addition to this being good contractual practice, it is
also a legal requirement of the Data Protection Act 1998 (“Act”). Under the
Act the Council is a Data Controller of personal information, and the
individuals, companies and organisations that process the Council’s personal
information on the Council’s behalf are “Data Processors”. Under principle 7
of the Act the Council is required to have a written contract with its Data
Processors that imposes certain obligations on those Data Processors.

This document provides guidance for the insertion of a data protection clause
into the Council’s contracts with its Data Processors (both existing and new
contracts). A Data Processor can be an individual (for example, a
self-employed contractor), organisation (including voluntary) or company. For an
individual/organisation to be a “Data Processor” for the Council, the Council
must be in a position of being able to dictate the reasons for which the
personal data is processed and the ways in which it should be processed.
Therefore, if the Council believes it should have control over what happens to
the personal information, and reflects this in the contract, (for example, what
information is passed to the contractor, who can access the information, that
the information is the Council’s property, how long the information is kept for,
where the information is kept) the Council will be the Data Controller of the
personal information, and the contractor will be the Data Processor.

Section two of this document provides guidance on when a data protection
clause is appropriate, and gives three examples of data protection clauses
that should be appropriate for the majority of contracts with Data Processors
that the Council enters into.

This guidance does not apply to contracts with Council employees, agency
workers or individuals providing unpaid services to the Council (for example,
volunteers or work experience students). These individuals will instead sign
personal confidentiality agreements before they commence work with the
Council. Please contact Corporate Personnel for information about these
agreements. The guidance also does not apply to information sharing
arrangements between the Council and other Data Controllers (for example,
sharing of information between Social Services and NHS organisations).
Where information is shared with other Data Controllers on a regular basis
there should be an information sharing protocol which governs the sharing
and, at times, specific data protection clauses which set out the legal
obligations of the data controllers. Please contact the Legal Services
Department for advice on these sharing arrangements.

07290350

It is emphasised that the clauses in this guidance are only example clauses,
and may often need to be amended for the particular contract. They are also
not a substitute for specific legal advice on the data protection implications of
a particular contract.

If you have any queries about these clauses you should contact the Legal
Services Department.

2. THE DATA PROTECTION CLAUSES:

There are three example data protection clauses for three categories of
contracts. These are: (NB: references to “organisation” include “person”
and “company”)

• Type 1 Contracts (see Appendix “A”). This clause is to be used where:

  ◦ The Council contracts another person/organisation to carry out
    functions on its behalf; and
  ◦ The organisation is providing services to the Council’s
    clients/employees; and
  ◦ The organisation uses the Council’s clients’/employees’
    personal information (because the Council provides it with
    personal information, and/or it collects personal information
    from the clients/employees).

Examples of contracts that fall into this category are Social Services’
domiciliary care contracts and contracts with nursing homes.

• Type 2 Contracts (see Appendix “B”). This clause is to be used where:

  ◦ The Council contracts another organisation to carry out
    functions on its behalf or provide it with a service or works;
    and
  ◦ The organisation will have access to client/employee
    personal information in the course of providing the
    service/work, but is not actually providing a service to
    clients/employees.

Examples of contracts that fall into this category are IT contracts and
contracts with companies that destroy documents (e.g. shred documents).

• Type 3 Contracts (see Appendix “C”). This clause is to be used where:

  ◦ The Council contracts another organisation to carry out
    functions on its behalf or provide it with a service; and
  ◦ The organisation does not need to have access to
    client/employee personal information in order to carry out the
    service, but may inadvertently come across information in
    the course of providing the service.

Examples of contracts that fall into this category are minor work contracts and
cleaning contracts.

Guidance Points for Use of the Clauses in New and Existing Contracts:

Type 1 Contract Clause (Appendix A):

• The clause will need to be tailored for specific contractual requirements.
  For example:

  ◦ You need to make a decision as to how much control you
    want over the Personal Data held by the contractor.
    Depending on the Council’s requirements, paragraphs 1(b)
    and (2) may not be entirely appropriate for the contract.
    Also, often the contract will require more detail about the
    Council’s control over the information processed by the Data
    Processor than is set out in the example clause (for example,
    the Council’s specific inspection rights, where the information
    is to be kept, who it may be disclosed to). Social Services
    contracts often require this detail;

  ◦ The non-disclosure paragraph (1(d)) may need to be
    modified if the contractor will need to disclose Personal Data
    to other third parties in order to carry out the service.

• The clause needs to be consistent with the other clauses in the contract
  relating to confidentiality, security and ownership of information/records. It
  may be best to combine these clauses together in one section of the
  contract.

• You should consider inserting a provision that requires the contractor to
  destroy the Personal Data after a set period of time (this time limit must be
  consistent with the Council’s retention and deletion policies). This is
  important for both data protection and freedom of information reasons.

• If you are passing client/employee information to the contractor, or will
  have access to client/employee information collected by the contractor,
  you need to ensure that the client/employee is aware that this will happen.

Type 2 Contract Clause (Appendix B):

• The clause may need to be tailored for specific contractual requirements.
  For example:

  ◦ If the contract is for the destroying of documents, paragraph
    2(a) should not be included;

  ◦ The non-disclosure paragraph (1(c)) may need to be
    modified if the contractor will need to disclose Personal Data
    to other third parties in order to carry out the service.

• The clause needs to be consistent with the other clauses in the contract
  relating to confidentiality, security and ownership of information/records. It
  may be best to combine these clauses together in one section of the
  contract.

• You should consider inserting a provision that requires the contractor to
  destroy the Personal Data after a set period of time (this time limit must be
  consistent with the Council’s retention and deletion policies). This is
  important for both data protection and freedom of information reasons.

Type 3 Contract Clause (Appendix C):

• This clause covers more than just data protection issues. It also covers
  the confidentiality obligations of the contractor in respect of the contract
  itself and any information/materials provided to the contractor under the
  contract.

• The clause needs to be consistent with any other clauses in the contract
  relating to confidentiality and security of information/records. It may be
  best to combine these clauses together in one section of the contract.

Use of Indemnity (sub clause 3 in Appendices A and B, sub clause 4 in
Appendix C):

• If the contract conditions already include a general indemnity clause you
  could incorporate the data protection indemnity into this clause. If the
  clauses remain separate you must ensure that they are consistent;

• Whether indemnities should be included in a contract is sometimes a
  matter of risk assessment that needs to be determined on a case-by-case
  basis. For example, contractors may not be willing to accept the indemnity
  without substantially increasing the contract price. Where this is the case
  the risk to the Council of not including the indemnity needs to be balanced
  against the contract price and other factors in order for a decision to be
  made in relation to a specific contract (including what the Council’s
  insurance policy covers).

Guidance Points for Amending Existing Contracts:

• At a minimum, Departments should ensure that existing type 1 and 2
  contracts include an appropriate data protection/confidentiality clause. For
  example:

  ◦ Social Services’ contracts with organisations that
    provide services to vulnerable clients;

  ◦ Contracts with significant Data Processors – e.g.
    companies that destroy documents and store documents;

  ◦ All IT contracts.

• If a contract is to be amended you need to
  consider whether it can be varied by written instructions provided by the
  Council or whether the other party needs to agree to the amendment.

• If the other party needs to agree to the
  amendment, it is possible that it may oppose the changes (particularly the
  indemnity clause). It will therefore be important to explain why the
  changes are required (i.e. to ensure that the Council complies with its
  obligations under the Act). You should involve Legal Services in this
  process.

• Many contracts (particularly recent ones)
  already include some form of data protection/confidentiality clause. Where
  this is the case the example clause will need to be modified in order to be
  consistent with the rest of the contract and to avoid duplication.

APPENDIX “A”

Draft Data Protection clause for contracts with organisations that
provide services to clients/employees

Definitions:

“Service” would need to be defined as the service provided by the Contractor
under the Contract.

“Personal Data” means personal data as defined in the Data Protection Act
1998 that is Processed by the Contractor in connection with the Service;

“Processing” has the same definition as the term “Processing” under the Data
Protection Act 1998.

Clause:

1. The Contractor shall:

(a) Comply with the data protection principles under the Data
Protection Act 1998 and any equivalent or associated legislation
(“the Act”) and the Council’s Data Protection policies (in so far as
they are relevant) in respect of the Processing of the Personal Data;

(b) Subject to compliance with the Act and any other clause in this
Contract, upon the Council’s request permit any authorised officers
of the Council to inspect the Contractor’s premises and data
systems, and have access to, and be provided with, copies of any
information (including, without limitation, Personal Data), to enable
the Council to:

(i) satisfy itself that the Contractor is complying with
its obligations under this clause;

(ii) assess compliance with the Contract and the
provision of the Service; and

(iii) comply with its own legal functions, duties and
responsibilities in respect of the Service.

(c) Only undertake Processing of Personal Data reasonably required to
perform the Service and, in any event, strictly in accordance with
the Council’s instructions from time to time;

(d) Not disclose Personal Data to any person other than to employees
and sub-contractors to whom disclosure is necessary for the
performance of the Service;

(e) Ensure that any disclosure to a sub-contractor is subject to a
binding legal obligation upon the sub-contractor to comply with the
obligations set out in this clause. For the avoidance of doubt, any
such sub-contract shall not relieve the Contractor of its obligation to
comply fully with this clause, and the Contractor shall remain fully
responsible and liable for ensuring full compliance with this clause
in all respects.

(f) Immediately inform the Council of any request from an individual for
access to their Personal Data, and comply with the Council’s
instructions in relation to complying with that request;

(g) Have in place, and undertake to maintain during the term of the
Contract, appropriate technical and organisational measures
against the accidental, unauthorised or unlawful processing,
destruction, loss, damage or disclosure of Personal Data, and
adequate security programmes and processes to ensure that
unauthorised persons do not have access to the Personal Data or
to any equipment used to process the Personal Data;

(h) Take all reasonable steps to ensure that any of its staff who have
access to Personal Data are honest, reliable and competent.

2. The Personal Data:

(a) is the property of the Council;

(b) shall be returned immediately to the Council upon termination or
expiration of this Contract; and

(c) shall not be copied and/or retained in any form by the Contractor
upon expiration or termination of this Contract, except as required
by law or under this Contract.

3. The Contractor will indemnify and keep indemnified the Council against all
claims, demands, actions, proceedings, damages, charges, costs and
expenses (including legal costs and expenses) which may be brought
against the Council in respect of or in any way arising out of or in
connection with:

(a) a breach by the Contractor of this clause; or

(b) a claim that the Council is in breach of the Council’s obligations
under the Act as a result of any action by the Contractor.

APPENDIX “B”

Draft Data Protection clause for contracts with organisations that
process personal information but do not provide a service to
clients/employees

Definitions:

“Service” would need to be defined as the services provided by the Contractor
under the Contract;

“Personal Data” means personal data as defined in the Data Protection Act
1998 that is Processed by the Contractor in connection with the Service;

“Processing” has the same definition as the term “Processing” under the Data
Protection Act 1998.

Clause:

1. The Contractor shall:

(a) Comply with the data protection principles under the Data
Protection Act 1998 and any equivalent or associated legislation
(“the Act”) and the Council’s Data Protection policies (in so far as
they are relevant) in respect of the Processing of the Personal Data;

(b) Only undertake Processing of Personal Data reasonably required to
perform the Service and, in any event, strictly in accordance with
the Council’s instructions from time to time;

(c) Not disclose Personal Data to any person other than to employees
and sub-contractors to whom disclosure is necessary for the
performance of the Service;

(d) Ensure that any disclosure to a sub-contractor is subject to a
binding legal obligation upon the sub-contractor to comply with the
obligations set out in this clause. For the avoidance of doubt, any
such sub-contract shall not relieve the Contractor of its obligation to
comply fully with this clause, and the Contractor shall remain fully
responsible and liable for ensuring full compliance with this clause
in all respects;

(e) Have in place, and undertake to maintain during the term of the
Contract, appropriate technical and organisational measures
against the accidental, unauthorised or unlawful processing,
destruction, loss, damage or disclosure of Personal Data, and
adequate security programmes and processes to ensure that
unauthorised persons do not have access to the Personal Data or
to any equipment used to process the Personal Data;

(f) Take reasonable steps to ensure that any of its staff who have
access to Personal Data are honest, reliable and competent.

2. The Personal Data:

(a) is the property of the Council;

(b) shall be returned immediately to the Council upon termination or
expiration of this Contract; and

(c) shall not be copied and/or retained in any form by the Contractor
upon expiration or termination of this Contract, except as required
by law or under this Contract.

3. The Contractor will indemnify and keep indemnified the Council against all
claims, demands, actions, proceedings, damages, charges, costs and
expenses (including legal costs and expenses) which may be brought
against the Council in respect of or in any way arising out of or in
connection with:

(a) a breach by the Contractor of this clause; or

(b) a claim that the Council is in breach of the Council’s obligations
under the Act as a result of any action by the Contractor.

APPENDIX “C”

Draft Data Protection clause for contracts with organisations that do not
need to have access to personal information but may inadvertently
come across personal information when performing the service

Definitions:

“Service/Work” would need to be defined as the services provided or work
undertaken by the Contractor under the Contract.

Clause:

1. The Contractor shall not without the written consent of the [Insert title of
individual who would be authorised to give consent under contract] during
the Contract period or at any time thereafter save as may be necessary for
the proper performance of the Contract make use of for its own purposes
or disclose to any person (except as may be required by law) the following
(all of which shall be deemed to be confidential information):

(i) any information which comes into its possession in the course of
providing or arising out of or in connection with the
Service/Work;
(ii) any material provided to the Contractor by the Council arising
out of or in connection with the Contract or prepared by the
Contractor pursuant to the Contract.

2. The Contractor shall neither dispose of nor part with possession of any
such confidential information or material provided to the Contractor by the
Council pursuant to the Contract or prepared by the Contractor pursuant to
the Contract, other than in accordance with the express written instructions
of the Council.

3. The Contractor shall not, and shall ensure that its employees do not,
divulge to any third party any information (including, without limitation,
personal information) which comes into its or their possession in the
course of providing the Service/undertaking the Work.

4. The Contractor shall indemnify and keep indemnified the Council against
all actions, claims, demands, proceedings, damages, costs, charges and
expenses whatsoever in respect of any breach by the Contractor of this
clause.
