INFORMATION SECURITY SECTION (ISS), ITSC, CUHK Non-Disclosure Agreement Policy INFORMATION SECURITY SECTION (ISS), ITSC, CUHK 1 Purpose According to the “Recommended Procedures for IT Practitioners on Personal Data Handling”1, information users should not release information that contains confidential information to any IT contractors or third-party users unless it is absolutely necessary for them to complete the task. Under this situation, non-disclosure agreement should be used to govern the responsibility of the contractors or third-party users in maintaining the privacy of information. The purpose of this document is to communicate the policy in using non-disclosure agreement to protect the reputation and legal position of the University. It is important that all information users should fully understand and follow the policy. 2 Definitions The abbreviations and terms used in this document shall have the following meaning: z "Information" means but is not limited to information and data whether concerning personal data, commercial, financial, technical or any other matter. z “Information user” 2 means a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of the information. z "Confidential Information" means all information which is not marked as "non-confidential" or “non-proprietary" relating to the teaching, research, development or business activities of The Chinese University of Hong Kong. It is hereby expressly declared that all personal data of staff, students, professors, officers and all other members of The Chinese University of Hong Kong shall be Confidential Information. z “personal data” a) 3 means any data relating directly or indirectly to a living individual; 1 The “Recommended Procedures for IT Practitioners on Personal Data Handling” http://www.pcpd.org.hk/english/publications/files/isec.pdf is jointly published by Office of the Privacy Commissioner for Personal Data, ISACA Hong Kong Chapter, Internet Professional Association and The Hong Kong Institution of Engineers. 2 The definition is sated based on the definition of “data user” in Personal Data (Privacy) Ordinance http://www.pcpd.org.hk/english/ordinance/ordfull.html 3 Definition is quoted from Personal Data (Privacy) Ordinance http://www.pcpd.org.hk/english/ordinance/files/Ord1‐4e.pdf INFORMATION SECURITY SECTION (ISS), ITSC, CUHK b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and c) 3 in a form in which access to or processing of the data is practicable Policy statement Non-disclosure agreements MUST be signed in all situations with contractors or third-party users who may have access or may handle or involves confidential information in any manner whatsoever. 4 Implementation guidance Non-disclosure agreements should address the requirement to protect confidential information using legally enforceable terms. These agreements should comply with all applicable laws and regulations for the jurisdiction to which they apply. To identify requirements for non-disclosure agreements, the following elements should be considered: a) a definition of the information to be protected (e.g. confidential information); b) expected duration of an agreement, including cases where confidentiality might need to be maintained indefinitely; c) required actions when an agreement is terminated; d) responsibilities and actions of signatories to avoid unauthorized information disclosure (such as ‘need to know’); e) ownership of information, trade secrets and intellectual property, and how these relate to the protection of confidential information; f) the permitted use of confidential information, and rights of the signatory to use information; g) the right to audit and monitor activities that involve confidential information; h) process for notification and reporting of unauthorized disclosure or confidential information breaches; i) terms for information to be returned or destroyed at agreement cessation; and j) expected actions to be taken in case of a breach of this agreement. Based on your security requirements, other elements may be needed in a non-disclosure agreement. attached for your reference. Two samples of non-disclosure agreement are You may need to modify the samples or design your own non-disclosure agreements for different circumstances. INFORMATION SECURITY SECTION (ISS), ITSC, CUHK When you prepare the non-disclosure agreement, please note that if the receiving party is an individual, you should check his/her HKID to verify the HKID number as written on the agreement. If the receiving party is a company, you are advised to: - Request for a director of the company to sign the agreement. - Keep a copy of the Annual Return of the company, the Register of Directors and its Certificate of Incorporation. - Check the Annual Return of the company to ensure that the agreement is signed by a director - If the agreement is not signed by a director of the company but by another authorized representative, you should try your best to verify the identity and authority of that representative such as requesting the company to provide the minutes to prove the authorization Last but not least, you should familiarize yourself with the “Data Protection Principles” and the “Recommended Procedures for IT Practitioners on Personal Data Handling” in order to know how to deal with personal data and to ensure compliance with the law and regulations in Hong Kong. 5 References This document is written by referring to ISO17799:2005 (06.01.5 Confidentiality agreements and 07.2.1 Classification guidelines). In addition, the following documents are also used as references: z Personal Data (Privacy) Ordinance http://www.pcpd.org.hk/english/ordinance/ordfull.html z Data Protection Principles http://www.pcpd.org.hk/english/ordinance/ordglance1.html#dataprotect z Recommended Procedures for IT Practitioners on Personal Data Handling http://www.pcpd.org.hk/english/publications/files/isec.pdf z Personal Data Controlling Committee http://www.cuhk.edu.hk/policy/pdo/ 6 Contact This document is prepared by the Information Security Section (ISS) of University’s Information Technology Services Centre. For any comments and enquiries regarding the content of this document, please send email to [email protected] . INFORMATION SECURITY SECTION (ISS), ITSC, CUHK Sample 1 The Chinese University of Hong Kong For recruiting student helpers, Non-Disclosure Agreement issuing contract for service or acquiring third‐party service THIS AGREEMENT is made the [date] day of [month/year] BETWEEN (1) [Department] of The Chinese University of Hong Kong situate at Shatin, New Territories, Hong Kong ("the Disclosing Party"); and (2) [company name] (Company No.[ ]) whose registered office is situate at [address] or [individual name] (Hong Kong Identification No.[ ]) of [address] ("the Receiving Party"). WHEREAS (A) In order to [describe reason for making this non-disclosure agreement], the Disclosing Party is prepared to disclose confidential information to the Receiving Party ("the Permitted Purpose"). (B) The parties recognize that unauthorized disclosure or use of the confidential information of the Disclosing Party could cause harm to the Disclosing Party. Therefore, the Receiving Party is willing to enter into this Agreement in accordance with the provisions of this Agreement. WHEREBY IT IS AGREED by and between the parties hereto as follows:1 Definitions 1.1 "Information" means but is not limited to information and data whether concerning personal data, commercial, financial, technical or any other matter whatsoever provided directly or indirectly by the Disclosing Party to the Receiving Party in oral or documentary form or in any other form on or after the date of this Agreement. 1.2 "Confidential Information" is all Information which is not marked as "non-confidential" or “non-proprietary" relating to the teaching, research, development or business activities of the Disclosing Party. It is hereby expressly declared that all personal data of staff, students, professors, officers and all other members of the Disclosing Party as provided under Statute 3 of Cap.1109 The Chinese University of Hong Kong Ordinance INFORMATION SECURITY SECTION (ISS), ITSC, CUHK ("the Members") shall be Confidential Information for the purpose of this Agreement. 1.3 Headings contained in this Agreement are for reference purposes only and should not be incorporated into this Agreement and shall not be deemed to be any indication of the meaning of the clauses to which they relate. 1.4 All agreements on the part of either of the parties which comprise more than one person or entity shall be joint and several and the neuter singular gender throughout this Agreement shall include all genders and the plural and the assigns and successor in title to the parties. 2 Confidentiality and non-use The Receiving Party undertakes to the Disclosing Party: 2.1 to keep the Confidential Information secret at all times; 2.2 not to disclose, whether intentionally or unintentionally, the Confidential Information or allow it to be disclosed in whole or in part to any third party without the Disclosing Party's prior written consent; and 2.3 not to use it in whole or in part for any purpose except for the Permitted Purpose. The Receiving Party undertakes to take proper and all reasonable measures to ensure the protection, confidentiality and security of the Confidential Information. 3 Exceptions 3.1 The above obligations of confidentiality shall not apply to any Information which the Receiving Party can show by written records: 3.1.1 was publicly known at the time of disclosure or subsequently becomes publicly known through no fault of the Receiving Party; or 3.1.2 was discovered or created by the Receiving Party before disclosure by the Disclosing Party; or 3.1.3 was learned by the Receiving Party through legitimate means other than from the Disclosing Party or Disclosing Party's representatives; or INFORMATION SECURITY SECTION (ISS), ITSC, CUHK 3.1.4 was disclosed by the Receiving Party with Disclosing Party's prior written approval. 4 Time This Agreement shall remain in effect until the date of a written notice releasing the Receiving Party from this Agreement is sent by the Disclosing Party to the Receiving Party ("Disclosing Party's Written Notice"). 5 Taking Copies The Receiving Party agrees not to copy or record any Confidential Information except as reasonably necessary to further the Permitted Purpose. Within five (5) days from the date of the Disclosing Party's Written Notice, the Receiving Party must deliver to the Disclosing Party all copies or records of Confidential Information of the Disclosing Party in its custody, possession or control or deliver to the Disclosing such evidence of the deletion or destruction of the Confidential Information in its custody, possession or control as to the satisfaction of the Disclosing Party. 6 Indemnity Without affecting the generality of the foregoing, the Receiving Party agrees at all times fully and effectually to indemnify and keep indemnified the Disclosing Party and its agents, the Members and all persons claiming through or under the Disclosing Party or them against all losses, damages, costs, claims, demands, loss of profit, legal fees, penalties or expenses whatsoever that the Disclosing Party, its agents and the Members may suffer by reason of the Receiving Party's breach of the terms contained herein. 7 Acts of servants, invitees and licensees For the purposes of this Agreement any act, default, neglect or omission of any guest, visitor, servant, contractor, agent, licensee or invitee of the Receiving Party shall be deemed to be the act, default, neglect or omission of the Receiving Party. INFORMATION SECURITY SECTION (ISS), ITSC, CUHK 8 Compliance with Legislation The Receiving Party warrants that all relevant laws, ordinances, regulations and rules whatsoever valid and subsisting in Hong Kong on personal data privacy are complied, observed and performed. 9 Whole Agreement Each party acknowledges that this Agreement contains the whole agreement between the parties and that this Agreement supersedes any prior agreement between the parties whether written or oral and any such prior agreements are cancelled as at the date of this Agreement but without prejudice to any rights which have already accrued to either of the parties. 10 General Provisions 10.1 This Agreement shall be governed by and construed in accordance with the laws of Hong Kong. 10.2 Any proceedings arising out of or in connection with this Agreement shall be governed by and subject to the non-exclusive jurisdiction of the courts of Hong Kong. 10.3 If at any time any provision of this Agreement is or becomes illegal, invalid nor unenforceable in any respect, neither the legality, validity or enforceability of the remaining provisions of this Agreement shall in any way be affected or impaired thereby. 10.4 In this Agreement the words expressed in the singular shall where the context so requires or permits include the plural. INFORMATION SECURITY SECTION (ISS), ITSC, CUHK AS WITNESS the hands of the Disclosing Party and the Receiving Party and IN WITNESS whereof this Agreement has been duly executed by the Disclosing Party and the Receiving Party hereto the day and year first above written. SIGNED by ) [Name of the authorized representative ) [Signature of authorized representative from from the Disclosing Party], [post of the Disclosing Party] authorized representative] ) for and on behalf of the Disclosing Party ) ) [company chop] ) ) SIGNED by ) [Name of the authorized representative ) [Signature of authorized representative from from the Receiving Party], [post of the Receiving Party] authorized representative] ) for and on behalf of the Receiving Party ) ) [company chop] ) ) DATED the [date] day of [month/year] [Department] of The Chinese University of Hong Kong and [Company name of the Receiving Party] Non-Disclosure Agreement V.2.4 INFORMATION SECURITY SECTION (ISS), ITSC, CUHK The Chinese University of Hong Kong Sample 2 Non-Disclosure Agreement For adding as terms in computer maintenance contact THIS AGREEMENT is BETWEEN [Department] of The Chinese University of Hong Kong situate at Shatin, New Territories, Hong Kong (“CUHK”) and [company name] (Company No.[ ]) whose registered office is situate at [address] ("Company"). In the event that any data-carrying item (e.g. hard disk, tape drive, etc) is to be taken away from CUHK by the Company for repair, replacement or for any other reason, the Company agrees that: (i) the data stored in this item will be kept confidential. (ii) the management of the Company will direct their agents, contractors, suppliers, employees, and representatives to treat such data as confidential and such persons are not to disclose such data to any third parties except under circumstances stated in Clause (iii) of this non-disclosure agreement. (iii) if the Company dispatches a third party to collect the data-carrying item or passes the data-carrying item to a third-party, the Company is responsible also to prevent the third party from disclosing any data from the item. (iv) this non-disclosure agreement shall remain in effect until CUHK sends the Company written notice releasing the Company from this agreement. (v) in the case of any claim or action brought against CUHK alleging infringement of the agreement, the Company shall undertake to defend or settle such claim or action at its own expense. Signature and Company Chop: [_______________________________] Name: [_________________________] Post: [__________________________] Dated: [_________________________] V.2.4
© Copyright 2024