Guidance For Inclusion of Data Protection Clause Into Contracts v5 - 5 December 2003-2
(November 2003)
1. INTRODUCTION:
It is very important that the Council’s contracts that involve third parties
accessing/being able to access personal information include appropriate data
protection clauses. In addition to this being good contractual practice, it is
also a legal requirement of the Data Protection Act 1998 (“Act”). Under the
Act the Council is a Data Controller of personal information, and the
individuals, companies and organisations that process the Council’s personal
information on the Council’s behalf are “Data Processors”. Under principle 7
of the Act the Council is required to have a written contract with its Data
Processors that imposes certain obligations on those Data Processors.
This document provides guidance for the insertion of a data protection clause
into the Council’s contracts with its Data Processors (both existing and new
contracts). A Data Processor can be an individual (for example, a
self-employed contractor), organisation (including voluntary) or company. For an
individual/organisation to be a “Data Processor” for the Council, the Council
must be in a position of being able to dictate the reasons for which the
personal data is processed and the ways in which it should be processed.
Therefore, if the Council believes it should have control over what happens to
the personal information, and reflects this in the contract, (for example, what
information is passed to the contractor, who can access the information, that
the information is the Council’s property, how long the information is kept for,
where the information is kept) the Council will be the Data Controller of the
personal information, and the contractor will be the Data Processor.
This guidance does not apply to contracts with Council employees, agency
workers or individuals providing unpaid services to the Council (for example,
volunteers or work experience students). These individuals will instead sign
personal confidentiality agreements before they commence work with the
Council. Please contact Corporate Personnel for information about these
agreements. The guidance also does not apply to information sharing
arrangements between the Council and other Data Controllers (for example,
sharing of information between Social Services and NHS organisations).
Where information is shared with other Data Controllers on a regular basis
there should be an information sharing protocol which governs the sharing
and, at times, specific data protection clauses which set out the legal
07290350
obligations of the data controllers. Please contact the Legal Services
Department for advice on these sharing arrangements.
It is emphasised that the clauses in this guidance are only example clauses,
and may often need to be amended for the particular contract. They are also
not a substitute for specific legal advice on the data protection implications of
a particular contract.
If you have any queries about these clauses you should contact the Legal
Services Department.
There are three example data protection clauses for three categories of
contracts. These are: (NB: references to “organisation” include “person”
and “company”)
Examples of contracts that fall into this category are Social Services’
domiciliary care contracts and contracts with nursing homes.
Examples of contracts that fall into this category are IT contracts and
contracts with companies that destroy documents (e.g. shred documents).
service, but may inadvertently come across information in
the course of providing the service.
Examples of contracts that fall into this category are minor work contracts and
cleaning contracts.
Guidance Points for Use of the Clauses in New and Existing Contracts:
The clause needs to be consistent with the other clauses in the contract
relating to confidentiality, security and ownership of information/records. It
may be best to combine these clauses together in one section of the
contract.
The non-disclosure paragraph (1(c)) may need to be
modified if the contractor will need to disclose Personal Data
to other third parties in order to carry out the service.
The clause needs to be consistent with the other clauses in the contract
relating to confidentiality, security and ownership of information/records. It
may be best to combine these clauses together in one section of the
contract.
This clause covers more than just data protection issues. It also covers
the confidentiality obligations of the contractor in respect of the contract
itself and any information/materials provided to the contractor under the
contract.
The clause needs to be consistent with any other clauses in the contract
relating to confidentiality and security of information/records. It may be
best to combine these clauses together in one section of the contract.
Contracts with significant Data Processors – e.g.
companies that destroy documents and store documents;
All IT contracts.
APPENDIX “A”
Definitions:
“Personal Data” means personal data as defined in the Data Protection Act
1998 that is Processed by the Contractor in connection with the Service;
“Processing” has the same definition as the term “Processing” under the Data
Protection Act 1998.
Clause:
(a) Comply with the data protection principles under the Data
Protection Act 1998 and any equivalent or associated legislation
(“the Act”) and the Council’s Data Protection policies (in so far as
they are relevant) in respect of the Processing of the Personal Data;
(b) Subject to compliance with the Act and any other clause in this
Contract, upon the Council’s request permit any authorised officers
of the Council to inspect the Contractor’s premises and data
systems, and have access to, and be provided with, copies of any
information (including, without limitation, Personal Data), to enable
the Council to:
(d) Not disclose Personal Data to any person other than to employees
and sub-contractors to whom disclosure is necessary for the
performance of the Service;
(e) Ensure that any disclosure to a sub-contractor is subject to a
binding legal obligation upon the sub-contractor to comply with the
obligations set out in this clause. For the avoidance of doubt, any
such sub-contract shall not relieve the Contractor of its obligation to
comply fully with this clause, and the Contractor shall remain fully
responsible and liable for ensuring full compliance with this clause
in all respects.
(f) Immediately inform the Council of any request from an individual for
access to their Personal Data, and comply with the Council’s
instructions in relation to complying with that request;
(g) Have in place, and undertake to maintain during the term of the
Contract, appropriate technical and organisational measures
against the accidental, unauthorised or unlawful processing,
destruction, loss, damage or disclosure of Personal Data, and
adequate security programmes and processes to ensure that
unauthorised persons do not have access to the Personal Data or
to any equipment used to process the Personal Data;
(h) Take all reasonable steps to ensure that any of its staff who have
access to Personal Data are honest, reliable and competent.
3. The Contractor will indemnify and keep indemnified the Council against all
claims, demands, actions, proceedings, damages, charges, costs and
expenses (including legal costs and expenses) which may be brought
against the Council in respect of or in any way arising out of or in
connection with:
APPENDIX “B”
Definitions:
“Personal Data” means personal data as defined in the Data Protection Act
1998 that is Processed by the Contractor in connection with the Service;
“Processing” has the same definition as the term “Processing” under the Data
Protection Act 1998.
Clause:
(a) Comply with the data protection principles under the Data
Protection Act 1998 and any equivalent or associated legislation
(“the Act”) and the Council’s Data Protection policies (in so far as
they are relevant) in respect of the Processing of the Personal Data;
(c) Not disclose Personal Data to any person other than to employees
and sub-contractors to whom disclosure is necessary for the
performance of the Service;
(e) Have in place, and undertake to maintain during the term of the
Contract, appropriate technical and organisational measures
against the accidental, unauthorised or unlawful processing,
destruction, loss, damage or disclosure of Personal Data, and
adequate security programmes and processes to ensure that
unauthorised persons do not have access to the Personal Data or
to any equipment used to process the Personal Data;
(f) Take reasonable steps to ensure that any of its staff who have
access to Personal Data are honest, reliable and competent.
3. The Contractor will indemnify and keep indemnified the Council against all
claims, demands, actions, proceedings, damages, charges, costs and
expenses (including legal costs and expenses) which may be brought
against the Council in respect of or in any way arising out of or in
connection with:
APPENDIX “C”
Draft Data Protection clause for contracts with organisations that do not
need to have access to personal information but may inadvertently
come across personal information when performing the service
Definitions:
Clause:
1. The Contractor shall not without the written consent of the [Insert title of
individual who would be authorised to give consent under contract] during
the Contract period or at any time thereafter save as may be necessary for
the proper performance of the Contract make use of for its own purposes
or disclose to any person (except as may be required by law) the following
(all of which shall be deemed to be confidential information):
(i) any information which comes into its possession in the course of
providing or arising out of or in connection with the
Service/Work;
(ii) any material provided to the Contractor by the Council arising
out of or in connection with the Contract or prepared by the
Contractor pursuant to the Contract.
2. The Contractor shall neither dispose of nor part with possession of any
such confidential information or material provided to the Contractor by the
Council pursuant to the Contract or prepared by the Contractor pursuant to
the Contract, other than in accordance with the express written instructions
of the Council.
3. The Contractor shall not, and shall ensure that its employees do not,
divulge to any third party any information (including, without limitation,
personal information) which comes into its or their possession in the
course of providing the Service/undertaking the Work.
4. The Contractor shall indemnify and keep indemnified the Council against
all actions, claims, demands, proceedings, damages, costs, charges and
expenses whatsoever in respect of any breach by the Contractor of this
clause.