Data Protection After Contract Termination
Why is this Important:
Similar to data use provisions, an institution of higher education may want to consider data protection provisions that stipulate how institution data is to be handled following the conclusion of the contracted project or early termination of the contract. Without such a term in the contract, an institution has no way to require that the contracting third party return institution data, or otherwise dispose of that data in a way that does not jeopardize the security of the institution or its constituents.
Appendix 1 ISO/IEC 27002:2005, Reference 6.2.3(b)(5); (v)
Clauses include instructions to return the data to the originating institution, or to destroy the data under the originating institution's direction (and subject to subsequent audit).
Sample RFP Language:
- What procedures and safeguards does the Proposer have in place for sanitizing and disposing of Institution data, whether according to prescribed retention schedules or following the conclusion of a project or termination of a contract, so as to render it unrecoverable and prevent accidental or unauthorized access to Institution data?
Sample Contract Clauses:
- The [Vendor] agrees that at the termination of this contract, all Institution data will be either returned to the Institution or destroyed as indicated by the Institution at the time of contract termination.
- Upon termination, cancellation, expiration or other conclusion of the Agreement, Service Provider shall return all [term for sensitive data] to Institution or, if return is not feasible, destroy any and all [term for sensitive data].
- Within 30 days after the termination or expiration of a Purchase Order, Contract or Agreement for any reason, [Vendor] shall either: (a) return or destroy, as applicable, all Sensitive Data provided to [Vendor] by Institution, including all Sensitive Data provided to [Vendor]'s employees, subcontractors, agents, or other affiliated persons or entities; or (b) in the event that returning or destroying the Sensitive Data is not feasible, provide notification of the conditions that make return or destruction not feasible, in which case [Vendor] must continue to protect all Sensitive Data that it retains and agree to limit further uses and disclosures of such Data to those purposes that make the return or destruction not feasible for as long as [Vendor] maintains such Data.
- The [Vendor] agrees, upon termination, cancellation, expiration, or other conclusion of this Agreement, to return to the Institution within 30 days, or if return is not feasible, to destroy and not retain any copies of, any and all Confidential Information that is in its possession, and to furnish the Institution with an appropriate Certificate of Destruction.
- Upon termination, cancellation, expiration or other conclusion of the Agreement, [Vendor] shall return the Covered Data to Institution unless Institution requests that such data be destroyed. This provision shall also apply to all Covered Data that is in the possession of subcontractors or agents of [Vendor]. [Vendor] shall complete such return or destruction not later than thirty (30) days after the conclusion of this Agreement. Within such thirty (30) day period, [Vendor] shall certify in writing to Institution that such return or destruction has been completed.
- At the completion of this agreement, [Vendor] will physically or electronically destroy, beyond all ability to recover, all Institution data provided to it. This includes any and all copies of the data, such as backup copies created at any [Vendor] site.
- End of Agreement Data Handling. The [Vendor] also agrees that upon termination of this Agreement it shall erase, destroy, and render unreadable all Institution data according to the standards enumerated in D.O.D. 5015.2, and certify in writing that these actions have been completed within 30 days of the termination of this Agreement or within 7 days of the request of an agent of Institution, whichever shall come first.
- Upon request by Customer made before or within sixty (60) days after the effective date of termination, [Vendor] will make available to Customer a complete and secure (i.e. encrypted and appropriately authenticated) download file of Customer Data in XML format, including all schema and transformation definitions, and/or delimited text files with documented, detailed schema definitions, along with attachments in their native format. [Vendor] will be available throughout this period to answer questions about data schema, transformations, and other elements required to fully understand and utilize Customer's data file. After such sixty (60) day period, [Vendor] and its hosted service provider shall have no obligation to maintain or provide any Customer Data and shall thereafter, unless legally prohibited, delete, in such a manner as prevents recovery through normal or laboratory means, all Customer Data in its systems or otherwise in its possession or under its control.
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).