Data Protection After Contract Termination

This document discusses the importance of including provisions in contracts with third parties regarding how customer or institution data will be handled after termination of the contract. Sample contract language is provided stipulating that upon termination, the third party must either return all customer data to the institution or destroy it according to the institution's instructions. Proper destruction of data is important to prevent accidental or unauthorized access to sensitive customer information after a contract ends.

Why is this Important
Reference
Overview
Criticality
Sample RFP Language
Sample Contract Clauses

Why is this Important:

Similar to data use provisions, an institution of higher education may want to consider
data protection provisions that stipulate how institution data is to be handled following
the conclusion of the contracted project or early termination of the contract. Without
such a term in the contract, an institution has no way to require that the contracting third
party return institution data or otherwise dispose of such data in a way that does not
jeopardize the security of the institution or its constituents.

Reference:
Appendix 1 ISO/IEC 27002:2005, Reference 6.2.3(b)(5); (v)

Overview:
Clauses include instructions to return the data to the originating institution or to destroy the
data under the originating institution's direction (and subject to subsequent audit).

Criticality: Category 2 and Category 3.

Sample RFP Language:

1. What procedures and safeguards does the Proposer have in place for sanitizing
and disposing of Institution data according to prescribed retention schedules or
following the conclusion of a project or termination of a contract to render it
unrecoverable and prevent accidental and/or unauthorized access to Institution
data?


Sample Contract Clauses:

1. The [Vendor] agrees that at the termination of this contract, all Institution data
will be either returned to the Institution or destroyed as indicated by
the Institution at the time of contract termination.
2. Upon termination, cancellation, expiration or other conclusion of the Agreement,
Service Provider shall return all [term for sensitive data] to Institution or, if
return is not feasible, destroy any and all [term for sensitive data].
3. Within 30 days after the termination or expiration of a Purchase Order, Contract
or Agreement for any reason, [Vendor] shall either: (a) return or destroy, as
applicable, all Sensitive Data provided to the [Vendor] by Institution to
[Vendor], including all Sensitive Data provided to [Vendor]'s employees,
subcontractors, agents, or other affiliated persons or entities; or (b) in the event that
returning or destroying the Sensitive Data is not feasible, provide notification of
the conditions that make return or destruction not feasible, in which case the
[Vendor] must continue to protect all Sensitive Data that it retains and agree to
limit further uses and disclosures of such Data to those purposes that make the
return or destruction not feasible for as long as [Vendor] maintains such Data.
4. The [Vendor] agrees, upon termination, cancellation, expiration, or other
conclusion of this Agreement, within 30 days to return to the Institution or if
return is not feasible, destroy and not retain any copies (and furnish
the Institution with an appropriate Certificate of Destruction) of any and all
Confidential Information that is in its possession.
5. Upon termination, cancellation, expiration or other conclusion of the
Agreement, [Vendor] shall return the Covered Data to Institution
unless Institution requests that such data be destroyed. This provision shall also
apply to all Covered Data that is in the possession of subcontractors or agents of
[Vendor]. [Vendor] shall complete such return or destruction not less than thirty
(30) days after the conclusion of this Agreement. Within such thirty (30) day
period, [Vendor] shall certify in writing to Institution that such return or
destruction has been completed.
6. At the completion of this agreement, [Vendor] will physically or electronically
destroy beyond all ability to recover all Institution data provided to them. This
includes any and all copies of the data such as backup copies created at any
[Vendor] site.
7. End of Agreement Data Handling. The [Vendor] also agrees that upon
termination of this Agreement it shall erase, destroy, and render unreadable
all Institution data according to the standards enumerated in D.O.D. 5015.2 and
certify in writing that these actions have been complete within 30 days of the
termination of this Agreement or within 7 days of the request of an agent of
Institution, whichever shall come first.
8. Upon request by Customer made before or within sixty (60) days after the
effective date of termination, [Vendor] will make available to Customer a
complete and secure (i.e. encrypted and appropriately authenticated) download
file of Customer Data in XML format including all schema and transformation
definitions and/or delimited text files with documented, detailed schema
definitions, along with attachments in their native format. [Vendor] will be
available throughout this period to answer questions about data schema,
transformations, and other elements required to fully understand and utilize
Customer's data file. After such sixty (60) day period, [Vendor] and its hosted
service provider shall have no obligation to maintain or provide any Customer
Data and shall thereafter, unless legally prohibited, delete, in such a manner as
prevents recovery through normal or laboratory means, all Customer Data in its
systems or otherwise in its possession or under its control.
