PARTIES:
1. Commonwealth of Australia represented by the Department of Finance
2. [Service Provider]
GATEKEEPER ACCREDITATION
HEAD AGREEMENT
Contents
1. Definitions
2. Interpretation
3. Scope of Head Agreement
4. Term of Head Agreement
5. Gatekeeper Accreditation
6. Gatekeeper Certificate of Accreditation
7. Gatekeeper Accreditation Certificate
8. Delivery of Services
9. Maintaining Accreditation
10. Gatekeeper Evaluators
11. Gatekeeper Audits
12. Amendment of Accreditation Process, Criteria and Policies
13. Changes to Approved Documents
14. Change of Circumstances
15. Management of Aggregate Commonwealth Risk
16. Consequences of Accreditation
17. Service Provider Not Sole Supplier
18. Warranties
19. Indemnity
20. Termination by Finance
21. Termination by Service Provider
22. Termination for Convenience
23. Consequences of Termination / Expiry
24. Limitation of Liability
25. Confidential Information
26. Privacy
27. Publicity
28. Intellectual Property
29. Dispute Resolution
30. Variation of Head Agreement
31. Assignment and Novation
32. Waiver
33. Entire Agreement
34. Archives Act 1983
35. Subcontracting
36. Applicable Law
37. Conflict of Interest
38. Notices
39. Survival of Clauses
Schedule 1 – Agreement Details
    1. Address of Department of Finance (Parties)
    2. Address of Service Provider (Parties)
    3. Type of Accreditation Granted to Service Provider (clause 5)
Schedule 2 – Approved Documents and Accreditation Policies and Criteria
Document1
March 2014
This deed of agreement is made on …………………………………………………2009
1. Commonwealth of Australia (Commonwealth) represented by the Department
of Finance (Finance), ABN 61 970 632 495 of the address set out at Item 1 of
Schedule 1.
2. [Service Provider] (Service Provider), ABN ( ) whose registered office is at the
address set out at Item 2 of Schedule 1.
Recitals
A. On 6 May 1998 the Australian Government published the Gatekeeper Strategy
for the use of Public Key Technology (PKT) for Australian Government purposes,
and commenced to implement this Strategy.
B. In September 2006 the Australian Government published the Gatekeeper Public
Key Infrastructure (PKI) Framework (the Framework) which is designed to meet
emerging business needs and reduce the cost and complexity of implementing
PKT for Australian Government purposes and which is to be administered by
Finance.
C. Under the Framework, service providers involved in providing a range of services
are granted Gatekeeper Accreditation by the Gatekeeper Competent Authority
after a successful evaluation against the Accreditation Policies and Criteria to
enable them to provide these Services to, or in relation to, Commonwealth
Agencies.
D. The Service Provider applied to obtain Gatekeeper Accreditation, and the
evaluation of the Service Provider’s operation against the relevant Policies and
Criteria has been successfully completed.
E. The Gatekeeper Competent Authority has agreed to grant Gatekeeper
Accreditation of the kind described at Item 3 of Schedule 1 to the Service Provider
and that accreditation continues subject to the terms of this Head Agreement.
F. On and from the Commencement Date, the Service Provider is entitled to provide
Services to, or in relation to, Commonwealth Agencies within the framework of this
Head Agreement.
Signed sealed and delivered for and on behalf of the Commonwealth of
Australia represented by the Department of Finance

____________________________________

__________________________________
Witness

________________________________
Representative

THE COMMON SEAL of ............................
...................................................................
was hereunto affixed in accordance with its Articles of Association in the presence of:

__________________________________
Witness

________________________________
Director
The Parties agree as follows:
1. Definitions
The terms used in this Head Agreement, unless the contrary intention appears, have
the same meaning as in the Gatekeeper Glossary at www.gatekeeper.gov.au
2. Interpretation
In this Head Agreement, unless the contrary intention appears:
(a) monetary references are references to Australian dollars;
(b) clause headings are for convenient reference only and have no effect in
limiting or extending the language of the provisions to which they refer;
(c) a reference to a person includes a partnership and a body whether corporate
or otherwise;
(d) where a word or phrase is given a particular meaning, other parts of speech
and grammatical forms of that word or phrase have corresponding meanings;
(e) a reference to a clause or schedule is a reference to a clause of or schedule
to this Head Agreement;
(f) a reference to a body, a position or an authority whether statutory or not:
    (i) which ceases to exist;
    (ii) whose powers or functions are transferred to another body, position or
    authority; or
    (iii) which retains its powers and functions but changes its name;
is a reference to the body, position or authority which:
    (iv) replaces it;
    (v) substantially succeeds to its powers or functions;
    (vi) has the new name; or
    (vii) is notified to the Service Provider from time to time by the Minister of State
    that is responsible for the body, position or authority;
(g) a reference to a website by address or location is a reference to a website
located at a replacement address or location as notified to the Service
Provider by Finance from time to time;
(h) no provision of this Head Agreement will be construed adversely to a Party
solely on the ground that the Party was responsible for the preparation of this
Head Agreement or that provision;
(i) a reference to writing, or written, refers to any representation of words,
figures or symbols capable of being rendered in a visible form; and
(j) words in the singular include the plural and vice versa.
3. Scope of Head Agreement
3.1 This Head Agreement sets out the terms and conditions under which the Service
Provider has obtained and maintains Gatekeeper Accreditation and provides
Services to, or in relation to, Customers.
3.2 For the avoidance of doubt, this Head Agreement only applies in relation to the
supply of Services, and not to any other services supplied by the Service Provider.
3.3 Subject to clause 16.3, nothing in this Head Agreement prevents the Service
Provider from providing services outside the scope of its Gatekeeper Accreditation
to a customer other than a Customer.
3.4 Any function, power or right in this Head Agreement given to the Commonwealth
may be performed or exercised by the Gatekeeper Competent Authority or an
appointee of the Gatekeeper Competent Authority.
3.5 The Parties agree that they will undertake their obligations and exercise their
rights under this Head Agreement in good faith and in a spirit of cooperation.
4. Term of Head Agreement
4.1 This Head Agreement commences on the Commencement Date and, subject to
this Head Agreement, continues from Year to Year.
5. Gatekeeper Accreditation
5.1 The Parties are executing this Head Agreement to signify that the Service Provider
has been granted the type of Accreditation described at Item 3 of Schedule 1, and
to ensure that the Services are provided in accordance with the arrangements
described in this Head Agreement.
5.2 The Service Provider has been granted Accreditation on the basis of the Approved
Documents.
6. Gatekeeper Certificate of Accreditation
Finance must issue a paper Certificate of Accreditation to the Service Provider after the
Gatekeeper Competent Authority has granted Gatekeeper Accreditation to the Service
Provider, and that Certificate must set out the date on which the Gatekeeper Competent
Authority granted that Accreditation.
7. Gatekeeper Accreditation Certificate
Once the Gatekeeper Accreditation Certificate (GAC) arrangement is operational, the
Gatekeeper Competent Authority must issue a GAC to the Service Provider after that
Authority has granted Gatekeeper Accreditation to the Service Provider.
8. Delivery of Services
Where the Service Provider wishes to provide Services, it must provide the Services in
accordance with the Approved Documents, but only on and from the Commencement
Date.
9. Maintaining Accreditation
9.1 To maintain Gatekeeper Accreditation, the Service Provider must:
(a) continue to comply with the Accreditation Policies and Criteria;
(b) conduct its operations in accordance with the Approved Documents;
(c) comply after a reasonable period of notice with a reasonable direction from
the Gatekeeper Competent Authority or its delegate relating to the
Accreditation Policies and Criteria;
(d) provide the Services from within Australia; and
(e) continue to be on the ICT Multi-Use List.
9.2 The Gatekeeper Competent Authority may revoke the Service Provider’s
Gatekeeper Accreditation if:
(a) the Service Provider breaches the requirements of clause 9.1;
(b) the Gatekeeper Competent Authority has given the Service Provider written
notice specifying that breach; and
(c) the Service Provider fails to remedy that breach to the reasonable
satisfaction of the Competent Authority within 20 Business Days of receipt of
that notice, or such longer period as may be specified in the notice.
9.3 If this Head Agreement is terminated (see clauses 21, 22 and 23), the Service
Provider will cease to hold Gatekeeper Accreditation from the date of expiry or
termination of this Head Agreement.
10. Gatekeeper Evaluators
10.1 The Service Provider must, in response to a request by Finance arising in relation
to either clause 12 or clause 13:
(a) allow Authorised Evaluators and/or Finance, reasonable access on
reasonable notice during normal working hours to the Service Provider’s
personnel, premises, equipment, systems and documentation for the
purpose of evaluating the Service Provider’s operation against the
Accreditation Policies and Criteria;
(b) co-operate fully with the Authorised Evaluators and Finance, and respond
promptly to, and comply with, any reasonable request from them; and
(c) where required by an Authorised Evaluator, pay all fees and costs incurred
as a direct result of them carrying out their role as an Authorised Evaluator.
10.2 The cost of all actions required to be taken by the Service Provider to address any
issues identified by an Authorised Evaluator, or Finance, is to be borne by the
Service Provider.
11. Gatekeeper Audits
11.1 Finance requires an annual audit to be conducted by an Authorised Auditor of the
Service Provider’s compliance with the Accreditation Policies and Criteria and
Approved Documents.
11.2 Finance may also require an audit by an Authorised Auditor if Finance has issued
a notice under clause 9.2(b) or clause 20.1(a) - to investigate whether or not a
breach has been remedied.
11.3 The Service Provider must:
(a) allow an Authorised Auditor reasonable access on reasonable notice during
normal working hours to the Service Provider’s personnel, premises,
equipment, systems and documentation for the purposes of auditing the
Service Provider’s compliance with the Accreditation Criteria, Policies and
Approved Documents;
(b) co-operate fully with an Authorised Auditor and respond promptly to, and
comply with, any reasonable request from them; and
(c) where required by an Authorised Auditor, pay all costs incurred by the
Authorised Auditor as a direct result of them carrying out their role as an
Authorised Auditor.
11.4 Where Finance specifies in a written Non-compliance Notice to the Service
Provider that the audit findings reveal:
(a) major non-compliance, failure or significant compromise of the Service
Provider's operations in particular with respect to any aspect of the security
of the Service Provider’s operations (in this Agreement called, and the written
notice to be described as, a Major Non-compliance Notice) - the Service
Provider must take immediate action to remedy the items specified in the
Major Non-compliance Notice; or
(b) minor non-compliances or weaknesses (in this Agreement called, and the
written notice to be described as, a Minor Non-compliance Notice) - the
Service Provider must take action to remedy the items specified in the Minor
Non-compliance Notice as soon as possible.
11.5 The Service Provider must advise Finance within 10 Business Days (or such other
period as may be specified in a Non-Compliance Notice sent under clause 11.4) of
the actions taken pursuant to the Non-compliance Notice, and the expected
timeframe for completion of corrective action.
11.6 If the Service Provider does not remedy items described in a Major
Non-compliance Notice in a timeframe that the Gatekeeper Competent Authority
considers is reasonable in all the circumstances, and the Gatekeeper Competent
Authority takes the view that compliance with the Accreditation Policies and
Criteria and Approved Documents requires the Service Provider to take action or
further action:
(a) the Gatekeeper Competent Authority may direct the Service Provider to take
those actions by a particular date, and provide reasons why it requires those
actions to be taken; and
(b) the Service Provider must take those actions by that date unless otherwise
agreed with the Gatekeeper Competent Authority.
11.7 The cost of any actions required under this clause 11 to be taken by the Service
Provider is to be borne by the Service Provider.
12. Amendment of Accreditation Process, Criteria and Policies
12.1 Finance may amend the Accreditation Process or the Accreditation Policies and
Criteria at any time in accordance with this clause 12.
12.2 All amendments to the Accreditation Process and the Accreditation Policies and
Criteria must be raised with and agreed by the Gatekeeper Policy Committee in
accordance with its Terms of Reference and endorsed in writing by the
Gatekeeper Competent Authority.
12.3 Finance must give written notice to the Service Provider describing any
amendments to the Accreditation Process and/or the Accreditation Policies and
Criteria relevant to the Service Provider that have been endorsed in writing by the
Gatekeeper Competent Authority, and the timeframe and manner (each of which
must be agreed with the Service Provider) within which the Service Provider must
comply with those amendments.
12.4 The Service Provider must comply with the amended Accreditation Process and/or
the Accreditation Policies and Criteria (as the case may be) within the timeframe
and the manner specified in the notice referred to in clause 12.3.
12.5 If the Service Provider does not comply with the clause 12.3 notice in a timeframe
that the Gatekeeper Competent Authority considers is reasonable in all the
circumstances, and the Gatekeeper Competent Authority takes the view that
compliance with the terms of the notice requires the Service Provider to take
action or further action:
(a) the Gatekeeper Competent Authority may direct the Service Provider to take
those actions and provide reasons why it requires those actions to be taken;
and
(b) the Service Provider must take those actions.
12.6 The cost of any actions required under this clause 12 to be taken by the Service
Provider is to be borne by the Service Provider.
12.7 An amendment to the Accreditation Process need not affect any Contract entered
into by the Service Provider before the date specified by the Gatekeeper
Competent Authority in accordance with the clause 12.3 notice.
13. Changes to Approved Documents
13.1 No changes are to be made to the Approved Documents, including the Security
Profile, except in accordance with this clause 13.
13.2 No changes are to be made to the Service Provider’s Security Profile without the
prior approval in writing of the Gatekeeper Competent Authority.
13.3 Subject to clause 13.2, changes to the Approved Documents must be conducted
in accordance with the change process described in the relevant Approved
Document, and if there is no change process in the relevant document, in
accordance with a process approved in writing by the Gatekeeper Competent
Authority.
13.4 All changes made to the Approved Documents (including the Security Profile) are
subject to audit in accordance with clause 11.
13.5 Upon a submission to Finance of a change to the Approved Documents by the
Service Provider, Finance shall:
a. confirm receipt of the relevant Approved Document;
b. record the new Approved Documents in its internal log of Approved
Documents; and
c. initiate a variation to Schedule 2 of this Agreement in accordance with
clause 30.
14. Change of Circumstances
If the Service Provider’s circumstances change and the Service Provider considers that
this may impact on its ability to maintain its Accreditation, or if the Service Provider
wishes to change some aspect of the manner of its operations specifically related to its
Accreditation (as described in the Approved Documents), the Parties must consult with
each other in good faith with a view to deciding what action to take in relation to, among
other things, the Service Provider’s Gatekeeper Accreditation, this Head Agreement
and the Approved Documents.
15. Management of Aggregate Commonwealth Risk
15.1 The Gatekeeper Competent Authority may:
(a) after consultation with the Service Provider and Customers;
(b) taking into account, amongst other things, the available technology, security
issues and concerns, and business issues raised by the Service Provider
and Agencies; and
(c) for the purposes of effectively managing Aggregate Commonwealth Risk;
issue a direction in writing to the Service Provider requiring the Service Provider to
take the action specified in the direction within the period or periods specified in
the direction.
15.2 While the Gatekeeper Competent Authority has discretion to direct the Service
Provider to take whatever action is required for the purpose described in clause
15.1(c), the Gatekeeper Competent Authority must:
(a) act reasonably in all the circumstances;
(b) only require the Service Provider to take those actions which are necessary
to achieve the purposes outlined in clause 15.1(c); and
(c) notify the Service Provider in writing of the reasons for issuing the direction.
15.3 In this clause 15, the term Aggregate Commonwealth Risk includes, but is not
limited to, security, business or technology risks that in the Gatekeeper Competent
Authority’s reasonable opinion have the potential to adversely impact the
operations of Commonwealth Agencies.
16. Consequences of Accreditation
16.1 Obtaining Gatekeeper Accreditation entitles the Service Provider to:
(a) represent to third parties that it has been granted Gatekeeper Accreditation;
and
(b) provide Services to, or in relation to, a Customer.
16.2 The Service Provider must not represent to any party that its Gatekeeper
Accreditation implies any guarantee of any kind by the Commonwealth, Finance,
the Gatekeeper Competent Authority, the Authorised Evaluators or the Authorised
Auditors in relation to the provision of Services by the Service Provider, or in
relation to products supplied by, or through, the Service Provider.
16.3 If the Service Provider offers services to a customer other than to, or for the
purposes of, a Customer, the Service Provider must not state, warrant or
represent to that other customer that the Service Provider’s
Gatekeeper Accreditation will ensure that those Services will be fit for that
non-Commonwealth purpose.
16.4 The Service Provider agrees to indemnify the Commonwealth against any
substantiated damages by way of final judgement or settlement that the
Commonwealth suffers or incurs as a result of a breach by the Service Provider of
this clause 16.
17. Service Provider Not Sole Supplier
This Head Agreement does not mean that:
(a) the Service Provider has the right to be a sole supplier of Services to
Agencies; or
(b) any Agency will enter into a Contract with the Service Provider.
18. Warranties
18.1 The Service Provider warrants that:
(a) use by the Commonwealth (including its contractors) of any item provided by
the Service Provider for the purposes of the Accreditation Process or this
Head Agreement will not infringe the Intellectual Property Rights of any
person; and
(b) the Service Provider will perform its obligations under this Head Agreement
in a manner that does not infringe any Intellectual Property Rights of the
Commonwealth or any third party.
18.2 The Service Provider warrants that:
(a) the Service Provider’s execution and delivery of the Head Agreement, and
the performance of its obligations under this Head Agreement, will not
constitute:
    (i) a violation of any judgement, order or decree;
    (ii) a default under any contract by which it or any of its assets are bound; or
    (iii) an event that would, with notice or lapse of time, or both, constitute such a
    default;
(b) the Service Provider is duly constituted as a corporation under the
Corporations Law;
(c) the constituting documents of the Service Provider empower the Service
Provider to enter into this Head Agreement and to do all things that it can
reasonably contemplate will be required by this Head Agreement;
(d) all necessary corporate approvals have been obtained by the Service
Provider to render this Head Agreement binding on, and legally enforceable
against, the Service Provider in accordance with its terms;
(e) it will immediately notify Finance of the occurrence of, or the pending or
threatened occurrence of, any event of which it is aware that may cause or
constitute a breach of any of the representations, warranties or covenants
contained or made in connection with this Head Agreement, including without
limitation, any event that may result in a material adverse change in the
business of the Service Provider or may affect the financial viability of the
Service Provider’s business;
(f) it has disclosed to Finance prior to the Commencement Date details of any
litigation or proceeding whatsoever, actual or threatened, against the Service
Provider that may have an adverse effect on the ability of the Service
Provider to provide the Services to a Commonwealth Agency and these
disclosures are true and correct as at the Commencement Date; and
(g) throughout the term of this Head Agreement, any additional issues of the
kind described in clause 18.2(f) that arise from time to time subsequent
to the Commencement Date will be disclosed by the Service Provider to
Finance when they occur.
19. Indemnity
19.1 The Service Provider releases and indemnifies the Commonwealth, (‘those
indemnified’) against any losses (including reasonable legal costs and expenses)
reasonably sustained or incurred by the Commonwealth as a result of:
a. a claim, action or proceeding by a third party against those indemnified
where that loss or liability was caused by, or arose out of any negligent,
unlawful or wilfully wrong act or omission of the Service Provider, its
personnel or subcontractors; or
b. a claim, action or proceeding by a third party against those indemnified where that
loss or liability was caused by, or arose out of
use by any of those indemnified of an item provided by the Service Provider
to the Commonwealth, which use the third party succeeds in a final
judgement or settlement is an infringement of the Intellectual Property Rights
of the third party. For the purposes of this clause 19.1(b), an infringement of
Intellectual Property Rights includes unauthorised acts which would, but for
the operation of section 163 of the Patents Act 1990 (Cth), section 96 of the
Designs Act 2003 (Cth), section 183 of the Copyright Act 1968 (Cth) and
section 25 of the Circuit Layouts Act 1989 (Cth), constitute an infringement.
19.2 The Commonwealth shall notify the Service Provider in writing as soon as
practicable of any claim, action or proceeding referred to in clause 19.1 that is
threatened or brought against any of those indemnified.
19.3 The Service Provider acknowledges that the Commonwealth is bound to conduct
any claim, action or proceeding in accordance with current Commonwealth policy
and in particular, the Legal Services Directions issued by the Commonwealth
Attorney-General pursuant to section 55ZF of the Judiciary Act 1903 (Cth).
19.4 Each indemnity in this Head Agreement is a continuing indemnity, separate and
independent from the other obligations of the Parties, and survives termination and
repudiation of this Head Agreement.
20. Termination by Finance
20.1 Each of the following is an Event of Default:
(a) the Service Provider commits a material breach of this Head Agreement
which is capable of being remedied but the breach continues for 15 Business
Days after the Service Provider is given a notice by the Gatekeeper
Competent Authority requiring the breach to be remedied;
(b) the Service Provider commits a breach which cannot be remedied, which
breach is, in the reasonable opinion of the Gatekeeper Competent Authority,
a serious breach of this Head Agreement;
(c) the Service Provider ceases to hold any licence, approval, authorisation,
endorsement or consent required to enable it to comply with its obligations
under this Head Agreement;
(d) the Service Provider’s Gatekeeper Accreditation is revoked;
(e) where there occurs either a single incident, or a series of incidents, that in
the reasonable opinion of the Gatekeeper Competent Authority, constitutes a
material compromise of the Service Provider’s security in relation to the
provision of the Services;
(f) any action is taken to make the Service Provider an externally administered
body corporate as defined by the Corporations Law, or an insolvent under
administration; or
(g) the Service Provider ceases to be controlled by its existing parent company
and that change of control, in the reasonable opinion of the Gatekeeper
Competent Authority, has a materially adverse effect on the provision of
Services to a Commonwealth Agency.
20.2 A failure by the Service Provider to comply with a direction issued by the
Gatekeeper Competent Authority under this Head Agreement in accordance with
the terms of that direction shall be deemed to be a breach of the kind referred to in
clause 20.1(b).
20.3 Without prejudice to any other right or remedy that Finance has, if any Event of
Default occurs, the Commonwealth may terminate this Head Agreement by giving
20 Business Days notice to the Service Provider.
21. Termination by Service Provider
Without prejudice to any other right or remedy which the Service Provider has, the
Service Provider may terminate this Head Agreement:
(a) by giving 20 Business Days notice to Finance if:
    (i) Finance commits a breach of this Head Agreement which is capable of
    being remedied but the breach continues for 20 Business Days after
    Finance is given a notice by the Service Provider requiring the breach to
    be remedied; or
    (ii) Finance commits a breach which cannot be remedied, which breach is, in
    the Service Provider’s reasonable view, a serious breach of this Head
    Agreement; or
(b) by giving notice to Finance before the time for compliance with a direction
issued by the Gatekeeper Competent Authority has arrived – where the
Service Provider does not wish to comply with that direction.
22. Termination for Convenience
22.1 The Gatekeeper Competent Authority may terminate this Head Agreement at any
time by written notice to the Service Provider.
22.2 The Service Provider must immediately comply with any directions given in the
notice in relation to subsequent performance of its obligations under this Head
Agreement, any Contracts, or the conduct of any activities under the Approved
Documents, and do all that is possible to mitigate its losses arising from the
termination of this Head Agreement.
22.3 The Commonwealth will indemnify the Service Provider against any liabilities or
expenses which are reasonably and properly incurred by the Service Provider as a
direct consequence of termination under this clause 22, but the Commonwealth
will not be liable to indemnify the Service Provider for any loss of profits.
22.4 The Service Provider must, in each of its sub-contracts where the fees or other
consideration to be paid exceeds $20,000, reserve a right of termination in similar
terms to this clause 22.
23. Consequences of Termination / Expiry
23.1 If the Service Provider:
(a) receives a Termination Notice under clause 20 or 22; or
(b) issues a Termination Notice under clause 21;
then:
(c) from the date it issues or receives the notice – where it has issued or
received a Termination Notice;
the Service Provider must:
(d) not enter into any new Contracts with Customers, or renew any existing
Contracts;
(e) not enter into any new Subscriber Agreements, or renew any existing
Subscriber Agreements that were entered into for Commonwealth Agency
purposes;
(f) make arrangements to novate to a Gatekeeper accredited CA or terminate all
Subscriber Agreements that were entered into for Commonwealth Agency
purposes in accordance with the relevant Certificate Policy;
(g) give notice to all Commonwealth Agencies terminating its Contracts with
them, the termination to be, subject to clause 23.4, effective in accordance
with the terms of the relevant Contract;
(h) subject to the requirements of this clause 23, continue to provide the
Services in accordance with the contractual arrangements it has with
Commonwealth Agencies, and any relevant Approved Documents which
include arrangements to accommodate significant interruptions in the
provision of the Services; and
(i) co-operate with Finance (and Finance must co-operate with the Service
Provider), and any Commonwealth Agencies, to achieve a seamless and
secure migration of the Agencies and Subscribers to a new Gatekeeper
accredited CA, or RA, as the case may be.
23.2 The Gatekeeper Competent Authority may give reasonable written directions to
the Service Provider on the requirements of clause 23.1 and the Service Provider
must comply with any such directions given within a timeframe to be agreed
between the Parties.
23.3 The Gatekeeper Competent Authority may, after receiving a written request from
the Service Provider, by notice to the Service Provider, agree to vary any of the
times or time periods specified in clause 23.2.
23.4 The Service Provider must, in each Contract, reserve a right to terminate, which
termination is to be effective on the date this Head Agreement terminates or
expires.
23.5 Subject to this clause 23, if this Head Agreement expires, or is terminated, the
accrued rights of the Parties remain unaffected.
24. Limitation of Liability
24.1 The aggregate liability of either Party for all Causes of Action is limited to
$50,000 Australian Dollars per Year during the term of this Head Agreement.
24.2 The limitation in clause 24.1 does not apply in relation to liability for:
(a) personal injury, including sickness and death;
(b) loss of, or damage to, tangible property; or
(c) an indemnity provided under this Head Agreement.
24.3 The aggregate liability of either Party pursuant to any indemnity under this
Agreement shall be limited to $400,000 (four hundred thousand Australian dollars
only).
24.4 In no event shall a Party that incurs liability for a Cause of Action be liable for any
indirect or consequential loss or damage or loss of revenue, profits, goodwill,
bargain or opportunities or loss or corruption of data or loss of anticipated savings
incurred or suffered by the other Party whether caused by negligence or otherwise
or whether or not the first Party was or should have been aware of the possibility
of such loss or damage.
24.5 In this clause, Cause of Action means a breach of this Head Agreement or any
other common law, equitable or statutory cause of action arising out of the
operation of this Head Agreement.
24.6 This clause 24 survives the expiry or termination of this Head Agreement.
25. Confidential Information
25.1 Subject to clause 25.3, a Party must not, without the prior written consent of the
other Party, disclose any Confidential Information (see clause 25.8) of the other
Party to a third party.
25.2 In giving written consent to the disclosure of Finance’s Confidential Information,
Finance may impose such conditions as it thinks fit, and the Service Provider
agrees to comply with these conditions.
25.3 The obligations on the Parties under this clause 25 will not be taken to have been
breached to the extent that Confidential Information:
(a) is disclosed by a Party to its Advisers or employees solely in order to comply
with obligations, or to exercise rights, under this Head Agreement;
(b) is disclosed to a Party’s internal management personnel, solely to enable
effective management or auditing of Head Agreement-related activities;
(c) is disclosed by Finance to its responsible Minister;
(d) is disclosed by Finance, in response to a request by a House or a Committee
of the Parliament of the Commonwealth of Australia¹;
¹ This would include a request to publish information on the Internet, for example, pursuant to the Senate Order on
Government Agency Contracts dated 27 September 2001.
(e) is shared within Finance, or with another Commonwealth Agency, where this
serves the Commonwealth’s legitimate interests;
(f) is authorised or required by law to be disclosed;
(g) is disclosed by Finance and is information in a material form in respect of
which an interest, whether by licence or otherwise, in the Intellectual Property
Rights in relation to that material form, has vested in, or is assigned to,
Finance under this Head Agreement or otherwise, and that disclosure is
permitted by that licence or otherwise; or
(h) is in the public domain otherwise than due to a breach of this clause 25.
25.4 Where a Party discloses Confidential Information to another person:
(a) pursuant to clauses 25.3 (a), (b) or (e), the disclosing Party must:
(i) notify the receiving person that the information is Confidential Information;
and
(ii) not provide the information unless the receiving person agrees to keep the
information confidential; or
(b) pursuant to clauses 25.3 (c) and (d), the disclosing party must notify the
receiving party that the information is Confidential Information.
25.5 The Parties may agree in writing after the Commencement Date that certain
additional information is to constitute Confidential Information for the purposes of
this Head Agreement, and where the Parties so agree, that documentation is
incorporated into, and becomes part of this Head Agreement, on the date by which
both Parties have signed that documentation.
25.6 The obligations under this clause 25 continue, notwithstanding the expiry or
termination of this Head Agreement:
(a) in relation to an item of information described at Item 4 of Schedule 1 – for
the period set out in that schedule in respect of that item; and
(b) in relation to any information which the Parties agree in writing after the
Commencement Date is to constitute Confidential Information for the
purposes of this Head Agreement – for the period agreed by the Parties in
writing in respect of that information.
25.7 Nothing in this clause 25 affects any obligation which the Service Provider may
have either under the Privacy Act 1988 as amended from time to time, or under
this Head Agreement, in relation to the protection of Personal Information.
25.8 Subject to the operation of the law relating to confidential information, for the
purposes of this Agreement, the information specified at Item 4 of Schedule 1, and
information specified in any agreement referred to in clause 25.5, is the
Confidential Information of the respective Parties.
26. Privacy
26.1 The parties acknowledge that they are bound by the provisions of the Privacy Act
1988 (Cth) as amended from time to time.
26.2 The Service Provider agrees to abide by the Australian Privacy Principles as if it
were a Commonwealth Agency and will, in the course of providing the Services,
comply with the obligations set out in this clause 26 in the light of its obligation
described in clause 26.1 and 26.2.
26.3 The Service Provider shall take all reasonable measures to ensure that:
(a) Personal Information held in connection with a Subscriber Agreement is
protected against loss, and against unauthorised access, use, modification,
disclosure or other misuse in accordance with the procedures set out in the
Approved Documents and that only authorised personnel have access to the
Personal Information; and
(b) search access to Certificate Revocation Logs and Relationship Certificate
Directories is restricted in a manner that ensures compliance by the Service
Provider with clause 26.2.
26.4 The Service Provider may only vary the Security Profile insofar as it impacts on
the protection of Personal Information if it complies with clause 13.
26.5 The Service Provider shall:
(a) use any Personal Information held in connection with issuance of a
Certificate only for the purposes of fulfilling its obligations under the relevant
Certificate Policy; and
(b) ensure that Subscribers are informed in a timely manner of their privacy and
security responsibilities in relation to Key generation and security of the
Subscriber’s Keys.
26.6 The Service Provider shall not disclose, other than to a sub-contractor for the
purposes of providing the Services, any Personal Information obtained in
connection with issuance of a Certificate without the prior written approval of the
Subscriber, and the Service Provider shall immediately notify the Subscriber
where it becomes aware that a disclosure of Personal Information may be required
by law.
26.7 The Service Provider shall not transfer Personal Information held in connection
with issuance of a Certificate outside Australia, or allow parties outside Australia to
have access to it, without the prior written approval of the Subscriber.
26.8 The Service Provider agrees in respect of any Services that it is
Gatekeeper Accredited to provide to Commonwealth Agencies:
(a) to notify individuals whose personal information the Service Provider holds,
that complaints about acts or practices of the Service Provider may be
investigated by the Australian Information Commissioner who has power to
award compensation against the Service Provider in appropriate
circumstances;
(b) not to use or disclose Personal Information or engage in an act or practice
that would breach section 16F of the Privacy Act 1988 (Cth) (direct
marketing), and APPs (particularly APP 7) or an Approved Privacy Code
(APC), where that section, APP or APC is applicable to the Service Provider,
unless:
(i) in the case of section 16F of the Privacy Act 1988 (Cth) - the use or
disclosure is necessary, directly or indirectly, to discharge an obligation
under this Head Agreement or Subscriber Agreement; or
(ii) in the case of an APP or an APC - where the activity or practice is
engaged in for the purpose of discharging, directly or indirectly, an
obligation under this Head Agreement or a Subscriber Agreement, and the
activity or practice which is authorised by the relevant contract is
inconsistent with the APP or APC²;
(c) to disclose in writing to any person who asks, the content of the provisions of
this Head Agreement or Subscriber Agreement (if any) that are inconsistent
with an APP or an APC binding a party to the relevant contract³.
² Note that section 6A of the Privacy Act 1988 (Cth) requires that the Service Provider be ‘obliged’ to carry out the
activity.
³ Section 95C, Privacy Act 1988 (Cth).
26.9 The Service Provider shall ensure that any of its employees requiring access to
any Personal Information held in connection with issuance of a Certificate must,
before they get access to that Personal Information:
(a) give a written undertaking not to access, use, disclose or retain Personal
Information except in performing their duties of employment; and
(b) be informed that failure to comply with the written undertaking may be a
criminal offence and may also lead the Service Provider to take disciplinary
action against the employee.
26.9 The Service Provider agrees to ensure that any subcontract entered into for the
purpose of providing Services to a Commonwealth Agency contains provisions to
ensure that the subcontractor has the same awareness and obligations as the
Service Provider has under this clause, including the requirement in relation to
subcontracts.
26.10 Clauses 26.8 and 26.9 shall not be read so as to prevent an employee or subcontractor from using, for their own purposes, any information that it acquires
independently of its employment or work for the Service Provider.
26.11 The Service Provider acknowledges that:
(a) any unauthorised and intentional access, destruction, alteration, addition or
impediment to access or usefulness of Personal Information stored in any
Commonwealth computer, or in a computer containing information on behalf of
the Commonwealth, in the course of performing its obligations under this Head
Agreement or a Subscriber Agreement may be an offence under Part VIA of
the Crimes Act 1914 (Cth) for which there are a range of penalties, including a
maximum of ten years imprisonment; and
(b) the publication or communication of any fact or document by a person which
has come to their knowledge or into their possession or custody by virtue of
the performance of any of their obligations under this Head Agreement or a
Subscriber Agreement (other than to a person to whom the Service Provider is
authorised to publish or disclose the fact or document) may be an offence
under section 70 of the Crimes Act 1914 (Cth), the maximum penalty for which
is two years imprisonment.
26.12 The Service Provider shall, in respect of any Personal Information held in
connection with the issuance of a Certificate, co-operate with any reasonable
requests or directions of Finance arising directly from, or in connection with the
exercise of the functions of the Australian Information Commissioner under the
Privacy Act 1988 (Cth) or otherwise, including, but not limited to, the issuing of any
guideline concerning the handling of Personal Information.
26.13 The Service Provider agrees to indemnify the Commonwealth in respect of any
loss, liability or expense suffered or incurred by the Commonwealth which arises
directly or indirectly from a breach of any of the obligations of the Service Provider
under this clause 26, or a subcontractor under the subcontract provisions referred
to in subclause 26.9.
26.14 This clause 26 shall continue to have effect after the termination or completion of
this Head Agreement.
26.15 In this clause 26 the terms ‘approved privacy code’ (APC) and ‘Australian
Privacy Principles’ (APPs) have the same meaning as they have in section 6 of the
Privacy Act 1988 (Cth), and the term ‘Commonwealth Agency’ has the same
meaning as the term ‘agency’ has in that Act.
27. Publicity
The Service Provider must not make, or authorise the making of, any public statement
relating in any way to Gatekeeper Accreditation that is misleading or deceptive in any
manner.
28. Intellectual Property
28.1 The Commonwealth acknowledges that the Service Provider retains all Intellectual
Property Rights in the Approved Documents.
28.2 Subject to clause 25, and except as otherwise agreed by the Parties, the Service
Provider grants the Commonwealth a non-exclusive, non-transferable, royalty-free,
world-wide licence during the term of this Head Agreement to exercise the Service
Provider’s Intellectual Property Rights in the Approved Documents so as to enable
the Commonwealth to use, reproduce and distribute the Approved Documents for
the sole purposes of evaluating the Service Provider’s operation, granting
Accreditation and auditing the Service Provider’s ongoing compliance with the
Accreditation Criteria, Policies and Approved Documents.
29. Dispute Resolution
29.1 If a dispute arises between the Parties in relation to this Head Agreement
(Dispute), either Party may by written notice to the other Party specify the details
of the Dispute (Dispute Notice).
29.2 If a Dispute Notice is given then the Parties must promptly meet and negotiate in
good faith to resolve the Dispute.
29.3 If the Dispute remains unresolved 20 Business Days after receipt of the Dispute
Notice, the Parties agree to submit the Dispute to mediation administered by and
in accordance with the mediation rules of the Australian Commercial Disputes
Centre (ACDC).
29.4 A single mediator will be agreed by the Parties or, failing agreement, appointed by
the ACDC. The mediation will be held in Canberra and be subject to the laws in
force in the Australian Capital Territory. A Party may be represented by legal
counsel in any mediation.
29.5 Nothing in this clause 29 prevents a Party from seeking urgent relief before an
appropriate Court.
30. Variation of Head Agreement
This Head Agreement shall only be varied by way of a deed of variation signed by the
Parties.
31. Assignment and Novation
31.1 The Service Provider may not assign or novate the whole or part of this Head
Agreement without the prior written consent of Finance.
31.2 Finance may decline to consent to a proposed assignment or novation.
31.3 Without limiting Finance’s absolute discretion under clause 31.2, the grounds on
which Finance may decline to consent to a proposed assignment or novation
include that the proposed assignee or the entity to whom the obligations are to be
transferred, as the case requires, does not have Gatekeeper Accreditation.
32. Waiver
The failure of either Party to enforce this Head Agreement shall in no way be interpreted
as a waiver of its rights under this Head Agreement.
33. Entire Agreement
This Head Agreement constitutes the entire agreement between the Parties and
supersedes all prior representations, agreements, statements and understandings
relating to its subject matter, whether verbal or in writing.
34. Archives Act 1983
34.1 The Parties will ensure that the custody or ownership of Commonwealth records
as that term is defined in the Archives Act 1983 (Cth) is not transferred without the
prior written approval of the National Archives of Australia.
34.2 The Service Provider agrees to comply with any direction given by Finance for the
purpose of transferring Commonwealth records to the National Archives of
Australia or providing the National Archives of Australia with full and free access to
those records.
35. Subcontracting
35.1 The Service Provider must not, without the prior written approval of the
Gatekeeper Competent Authority, subcontract the provision of any significant
element of Services under a Contract without the written approval of the
Gatekeeper Competent Authority.
35.2 If the Gatekeeper Competent Authority consents to the work being performed by a
sub-contractor, the Service Provider:
is in no way relieved from performing its obligations under this Head Agreement;
(c) must ensure that the sub-contractor has been granted Gatekeeper
Accreditation to the extent that the sub-contractor’s activities fall within the
activities that would normally require such Accreditation prior to it
commencing the sub-contracting activities;
(d) must ensure that the sub-contractor is aware of the provisions of this Head
Agreement relevant to the part of the work to be performed by the subcontractor; and
(e) must include in any sub-contract where the fees or other consideration to be
paid valued at $20,000 or more a right of termination of the kind described in
clause 22.
35.3 The Service Provider agrees that the Competent Authority may request withdrawal
and replacement of any sub-contractor, and if Finance wishes to do this, it must
notify the Service Provider in writing setting out reasons for making such a request
for withdrawal or replacement.
35.4 A failure by the Service Provider to comply with a request issued by the
Gatekeeper Competent Authority to withdraw and replace a sub-contractor under
this Head Agreement shall give rise to a Dispute Notice being provided to the
Service Provider and the Dispute will be resolved in accordance with clause 29.
36. Applicable Law
36.1 This Head Agreement is governed by, and is to be construed in accordance with,
the laws from time to time in force in the Australian Capital Territory.
36.2 The Parties agree to submit to the jurisdiction of the courts having jurisdiction in
the Australian Capital Territory.
37. Conflict of Interest
37.1 Each Party undertakes to the other that, to the best of its knowledge, at the
Commencement Date, no conflict of interest exists or is likely to arise in the
performance of its obligations under this Head Agreement.
37.2 Each Party will promptly notify the other in writing if a likely conflict of interest
arises during the term of this Head Agreement.
37.3 Should a conflict of interest arise which significantly affects the interests of the
other Party, that conflict may be treated by the other Party as a breach of this
Head Agreement of the kind described in clause 20.1(b) or clause 21(a)(ii).
38. Notices
38.1 Any notice, advice, agreement, undertaking or any other communication given by
one Party to the other for the purposes of this Head Agreement must be in writing.
38.2 The address for service of notice of each Party is as set out at Item 5 of Schedule
1 unless otherwise advised in writing by the relevant Party.
38.3 A notice under this Head Agreement is deemed to have been given if:
(a) it is delivered by hand - on the date upon which it is delivered and a receipt
obtained;
(b) it is sent by registered post - on the day upon which it is delivered and a
receipt obtained;
(c) transmitted by facsimile transmission - when the sender receives
confirmation of a successful transmission;
(d) transmitted by email - when the sender receives confirmation that the email
has been opened; and
(e) the Parties have previously agreed that notices can be digitally signed and
delivered electronically – when the sender receives confirmation of
successful receipt.
38.4 If delivery or receipt of a notice occurs on a day on which business is not normally
conducted in the place of receipt, or it is received later than 4 PM local time it will
be deemed to be given on the next day on which business is normally conducted
in that place.
39. Survival of Clauses
If this Head Agreement is terminated for any reason, or expires, those clauses that are
necessary for the Parties to effectively exercise their rights, and discharge their
obligations and responsibilities to each other, and in particular to ensure that the
operations of Commonwealth Agencies are not unduly disrupted, will survive the
termination or expiration of this Head Agreement.
Schedule 1 – Agreement Details
1. Address of Department of Finance (Parties)
John Gorton Building
King Edward Terrace
PARKES ACT 2600
2. Address of Service Provider (Parties)
[insert address]
3. Type of Accreditation Granted to Service Provider (clause 5)
[Specify here the type of Gatekeeper Accreditation granted to Service Provider]
4. Confidential Information of the Parties (clause 25)
4.1 Finance Confidential Information
[Describe any information that Finance considers is confidential and the period during
which it is to be protected by the Service Provider]
4.2 Service Provider Confidential Information
[Describe any information that the Service Provider considers is confidential and the
period during which it is to be protected by Finance]
5. Addresses for Notices (clause 38)
5.1 Commonwealth of Australia
General Manager
Australian Government Information Management Office
Department of Finance
John Gorton Building
King Edward Terrace
PARKES ACT 2600
Attention: Director, Gatekeeper
Facsimile Number: (02) 6215 1544
Email: gatekeeper@finance.gov.au
5.2 Service Provider
Address of the Service Provider:
[Insert details]
Facsimile Number: [Insert number]
Schedule 2 - Approved Documents and
Accreditation Policies and Criteria
[Set out in this schedule a list of the Accreditation Policies and Criteria the Service
Provider was evaluated against, and the latest version of the Service Provider’s
Approved Documents]