Non-Disclosure Agreement Policy
INFORMATION SECURITY SECTION (ISS), ITSC, CUHK

1 Purpose
According to the "Recommended Procedures for IT Practitioners on Personal
Data Handling"[1], information users should not release information that contains
confidential information to any IT contractors or third-party users unless it is
absolutely necessary for them to complete the task. In such situations, a
non-disclosure agreement should be used to govern the responsibility of the
contractors or third-party users in maintaining the privacy of the information.
The purpose of this document is to communicate the policy on using
non-disclosure agreements to protect the reputation and legal position of the
University. It is important that all information users fully understand and
follow the policy.
2 Definitions
The abbreviations and terms used in this document shall have the following
meaning:

- "Information" means but is not limited to information and data whether
  concerning personal data, commercial, financial, technical or any other
  matter.
- "Information user"[2] means a person who, either alone or jointly or in
  common with other persons, controls the collection, holding, processing or
  use of the information.
- "Confidential Information" means all information which is not marked as
  "non-confidential" or "non-proprietary" relating to the teaching, research,
  development or business activities of The Chinese University of Hong Kong.
  It is hereby expressly declared that all personal data of staff, students,
  professors, officers and all other members of The Chinese University of
  Hong Kong shall be Confidential Information.
- "personal data"[3] means any data
  a) relating directly or indirectly to a living individual;
  b) from which it is practicable for the identity of the individual to be
     directly or indirectly ascertained; and
  c) in a form in which access to or processing of the data is practicable.

[1] The "Recommended Procedures for IT Practitioners on Personal Data Handling"
    (http://www.pcpd.org.hk/english/publications/files/isec.pdf) is jointly
    published by the Office of the Privacy Commissioner for Personal Data, ISACA
    Hong Kong Chapter, Internet Professional Association and The Hong Kong
    Institution of Engineers.
[2] The definition is stated based on the definition of "data user" in the
    Personal Data (Privacy) Ordinance,
    http://www.pcpd.org.hk/english/ordinance/ordfull.html
[3] Definition is quoted from the Personal Data (Privacy) Ordinance,
    http://www.pcpd.org.hk/english/ordinance/files/Ord1-4e.pdf

3 Policy statement
Non-disclosure agreements MUST be signed in all situations with contractors or
third-party users who may have access to, handle, or otherwise be involved with
confidential information in any manner whatsoever.
4 Implementation guidance
Non-disclosure agreements should address the requirement to protect
confidential information using legally enforceable terms.
These agreements
should comply with all applicable laws and regulations for the jurisdiction to which
they apply.
To identify requirements for non-disclosure agreements, the
following elements should be considered:
a) a definition of the information to be protected (e.g. confidential information);
b) expected duration of an agreement, including cases where confidentiality
   might need to be maintained indefinitely;
c) required actions when an agreement is terminated;
d) responsibilities and actions of signatories to avoid unauthorized information
   disclosure (such as 'need to know');
e) ownership of information, trade secrets and intellectual property, and how
   these relate to the protection of confidential information;
f) the permitted use of confidential information, and rights of the signatory to
   use information;
g) the right to audit and monitor activities that involve confidential information;
h) process for notification and reporting of unauthorized disclosure or
   confidential information breaches;
i) terms for information to be returned or destroyed at agreement cessation;
   and
j) expected actions to be taken in case of a breach of this agreement.
Based on your security requirements, other elements may be needed in a
non-disclosure agreement. Two samples of non-disclosure agreement are
attached for your reference. You may need to modify the samples or design
your own non-disclosure agreements for different circumstances.
When you prepare the non-disclosure agreement, please note that if the
receiving party is an individual, you should check his/her HKID to verify the HKID
number as written on the agreement. If the receiving party is a company, you
are advised to:
- Request that a director of the company sign the agreement.
- Keep a copy of the Annual Return of the company, the Register of Directors
  and its Certificate of Incorporation.
- Check the Annual Return of the company to ensure that the agreement is
  signed by a director.
- If the agreement is not signed by a director of the company but by another
  authorized representative, do your best to verify the identity and
  authority of that representative, for example by requesting the company to
  provide the minutes that prove the authorization.
Last but not least, you should familiarize yourself with the “Data Protection
Principles” and the “Recommended Procedures for IT Practitioners on Personal
Data Handling” in order to know how to deal with personal data and to ensure
compliance with the law and regulations in Hong Kong.
5 References
This document is written by referring to ISO17799:2005 (06.01.5 Confidentiality
agreements and 07.2.1 Classification guidelines).
In addition, the following
documents are also used as references:
- Personal Data (Privacy) Ordinance
  http://www.pcpd.org.hk/english/ordinance/ordfull.html
- Data Protection Principles
  http://www.pcpd.org.hk/english/ordinance/ordglance1.html#dataprotect
- Recommended Procedures for IT Practitioners on Personal Data Handling
  http://www.pcpd.org.hk/english/publications/files/isec.pdf
- Personal Data Controlling Committee
  http://www.cuhk.edu.hk/policy/pdo/
6 Contact
This document is prepared by the Information Security Section (ISS) of the University's
Information Technology Services Centre. For any comments and enquiries regarding
the content of this document, please send an email to [email protected].
Sample 1
The Chinese University of Hong Kong
Non-Disclosure Agreement
For recruiting student helpers, issuing contract for service or acquiring third-party service

THIS AGREEMENT is made the [date] day of [month/year]
BETWEEN
(1) [Department] of The Chinese University of Hong Kong situate at Shatin, New
    Territories, Hong Kong ("the Disclosing Party"); and
(2) [company name] (Company No.[          ]) whose registered office is situate
    at [address] or [individual name] (Hong Kong Identification No.[          ])
    of [address] ("the Receiving Party").
WHEREAS
(A) In order to [describe reason for making this non-disclosure agreement], the
    Disclosing Party is prepared to disclose confidential information to the
    Receiving Party ("the Permitted Purpose").
(B) The parties recognize that unauthorized disclosure or use of the confidential
    information of the Disclosing Party could cause harm to the Disclosing Party.
    Therefore, the Receiving Party is willing to enter into this Agreement in
    accordance with the provisions of this Agreement.
WHEREBY IT IS AGREED by and between the parties hereto as follows:

1 Definitions
1.1 "Information" means but is not limited to information and data whether
    concerning personal data, commercial, financial, technical or any other
    matter whatsoever provided directly or indirectly by the Disclosing Party to
    the Receiving Party in oral or documentary form or in any other form on or
    after the date of this Agreement.
1.2 "Confidential Information" is all Information which is not marked as
    "non-confidential" or "non-proprietary" relating to the teaching, research,
    development or business activities of the Disclosing Party. It is hereby
    expressly declared that all personal data of staff, students, professors,
    officers and all other members of the Disclosing Party as provided under
    Statute 3 of Cap.1109 The Chinese University of Hong Kong Ordinance
    ("the Members") shall be Confidential Information for the purpose of this
    Agreement.
1.3 Headings contained in this Agreement are for reference purposes only and
    should not be incorporated into this Agreement and shall not be deemed to
    be any indication of the meaning of the clauses to which they relate.
1.4 All agreements on the part of either of the parties which comprise more than
    one person or entity shall be joint and several and the neuter singular
    gender throughout this Agreement shall include all genders and the plural
    and the assigns and successor in title to the parties.
2 Confidentiality and non-use
The Receiving Party undertakes to the Disclosing Party:
2.1 to keep the Confidential Information secret at all times;
2.2 not to disclose, whether intentionally or unintentionally, the Confidential
    Information or allow it to be disclosed in whole or in part to any third party
    without the Disclosing Party's prior written consent; and
2.3 not to use it in whole or in part for any purpose except for the Permitted
    Purpose.
The Receiving Party undertakes to take proper and all reasonable measures to
ensure the protection, confidentiality and security of the Confidential
Information.
3 Exceptions

3.1 The above obligations of confidentiality shall not apply to any Information
    which the Receiving Party can show by written records:
3.1.1 was publicly known at the time of disclosure or subsequently
becomes publicly known through no fault of the Receiving Party; or
3.1.2 was discovered or created by the Receiving Party before
disclosure by the Disclosing Party; or
3.1.3 was learned by the Receiving Party through legitimate means
other than from the Disclosing Party or Disclosing Party's
representatives; or
3.1.4 was disclosed by the Receiving Party with Disclosing Party's prior
written approval.
4 Time
This Agreement shall remain in effect until the date of a written notice releasing
the Receiving Party from this Agreement is sent by the Disclosing Party to the
Receiving Party ("Disclosing Party's Written Notice").
5 Taking Copies
The Receiving Party agrees not to copy or record any Confidential Information
except as reasonably necessary to further the Permitted Purpose.
Within five
(5) days from the date of the Disclosing Party's Written Notice, the Receiving
Party must deliver to the Disclosing Party all copies or records of Confidential
Information of the Disclosing Party in its custody, possession or control or
deliver to the Disclosing Party such evidence of the deletion or destruction of the
Confidential Information in its custody, possession or control as to the
satisfaction of the Disclosing Party.
6 Indemnity
Without affecting the generality of the foregoing, the Receiving Party agrees at
all times fully and effectually to indemnify and keep indemnified the Disclosing
Party and its agents, the Members and all persons claiming through or under
the Disclosing Party or them against all losses, damages, costs, claims,
demands, loss of profit, legal fees, penalties or expenses whatsoever that the
Disclosing Party, its agents and the Members may suffer by reason of the
Receiving Party's breach of the terms contained herein.
7 Acts of servants, invitees and licensees
For the purposes of this Agreement any act, default, neglect or omission of any
guest, visitor, servant, contractor, agent, licensee or invitee of the Receiving
Party shall be deemed to be the act, default, neglect or omission of the
Receiving Party.
8 Compliance with Legislation
The Receiving Party warrants that all relevant laws, ordinances, regulations and
rules whatsoever valid and subsisting in Hong Kong on personal data privacy
are complied with, observed and performed.
9 Whole Agreement
Each party acknowledges that this Agreement contains the whole agreement
between the parties and that this Agreement supersedes any prior agreement
between the parties whether written or oral and any such prior agreements are
cancelled as at the date of this Agreement but without prejudice to any rights
which have already accrued to either of the parties.
10 General Provisions
10.1 This Agreement shall be governed by and construed in accordance with
the laws of Hong Kong.
10.2 Any proceedings arising out of or in connection with this Agreement shall
be governed by and subject to the non-exclusive jurisdiction of the courts
of Hong Kong.
10.3 If at any time any provision of this Agreement is or becomes illegal, invalid
     or unenforceable in any respect, neither the legality, validity nor
     enforceability of the remaining provisions of this Agreement shall in any
     way be affected or impaired thereby.
10.4 In this Agreement the words expressed in the singular shall where the
context so requires or permits include the plural.
AS WITNESS the hands of the Disclosing Party and the Receiving Party and IN
WITNESS whereof this Agreement has been duly executed by the Disclosing Party
and the Receiving Party hereto the day and year first above written.
SIGNED by [Name of the authorized representative from the Disclosing Party],
[post of authorized representative]
for and on behalf of the Disclosing Party

[Signature of authorized representative from the Disclosing Party]
[company chop]

SIGNED by [Name of the authorized representative from the Receiving Party],
[post of authorized representative]
for and on behalf of the Receiving Party

[Signature of authorized representative from the Receiving Party]
[company chop]
DATED the [date] day of [month/year]

[Department] of The Chinese University of Hong Kong
and
[Company name of the Receiving Party]

Non-Disclosure Agreement
V.2.4
Sample 2
The Chinese University of Hong Kong
Non-Disclosure Agreement
For adding as terms in a computer maintenance contract
THIS AGREEMENT is BETWEEN [Department] of The Chinese University of Hong Kong
situate at Shatin, New Territories, Hong Kong ("CUHK") and [company name]
(Company No.[          ]) whose registered office is situate at [address]
("Company").
In the event that any data-carrying item (e.g. hard disk, tape drive, etc) is to be taken
away from CUHK by the Company for repair, replacement or for any other reason, the
Company agrees that:
(i) the data stored in this item will be kept confidential.
(ii) the management of the Company will direct their agents, contractors, suppliers,
employees, and representatives to treat such data as confidential and such
persons are not to disclose such data to any third parties except under
circumstances stated in Clause (iii) of this non-disclosure agreement.
(iii) if the Company dispatches a third party to collect the data-carrying item or
passes the data-carrying item to a third party, the Company is also responsible for
preventing the third party from disclosing any data from the item.
(iv) this non-disclosure agreement shall remain in effect until CUHK sends the
Company written notice releasing the Company from this agreement.
(v) in the case of any claim or action brought against CUHK alleging infringement of
the agreement, the Company shall undertake to defend or settle such claim or
action at its own expense.
Signature and Company Chop:
[_______________________________]
Name: [_________________________]
Post: [__________________________]
Dated: [_________________________]
V.2.4