Each party shall implement and maintain appropriate technical and organisational measures to protect any personal data processed under or in connection with this Agreement against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm that might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the personal data and the nature of the personal data to be protected.
Here is a plain English explanation of the Security Measures clause:
- This clause applies when the parties are processing personal data related to the Agreement.
- Both parties must implement and maintain security measures for the personal data.
- This protects the personal data from unauthorized or illegal processing.
- It also protects against accidental loss, destruction, damage or disclosure.
- The security measures should match the potential harm from unauthorized access or loss of the data.
- They should also fit the type of personal data involved. More sensitive data merits higher security.
- The goal is to reasonably protect personal data handled under the Agreement.
- It requires the parties to apply security suited to the sensitivity of the data.
- This helps meet legal obligations for securing personal information.
Overall, the clause mandates adequate security for personal data without prescribing specific technical requirements.
Contractual data security requirements stem from privacy laws enacted in the 1970s.
Statutes like the US Privacy Act 1974 and UK Data Protection Act 1984 created obligations to protect individual information. However, technical specifications for security remained vague.
In the 1980s and 90s, data breaches increased with computerization. Security clauses were used to supplement broad legal duties. Specific technical controls like encryption and access limitations were sometimes included. Critics argued these overly prescriptive terms became outdated as technology advanced.
The EU Data Protection Directive 1995 mandated “appropriate technical and organizational measures” for data security. This functional language avoided mandating specific technical controls. Influential laws like HIPAA in the US later adopted a similar standard.
Today, principles-based security clauses are widely used, requiring reasonable protections appropriate to data sensitivity. Prescriptive technical specifications are disfavored because IT security capabilities evolve rapidly. This flexibility allows safeguards to be adapted as threats develop.
Data security clauses will continue balancing risks and solutions. As technology progresses, reasonableness remains the touchstone for security.
Contracts supplement privacy laws by mandating protections proportional to evolving data vulnerabilities.