2633 - Washington State - Agreement - Data Sharing Agreement - 2021 Audit

Agency DSA 22-01

INTERAGENCY DATA SHARING AGREEMENT
Between
And the Office of the Washington State Auditor

This Interagency Data Sharing Agreement (DSA) is entered into by and between City of Marysville hereinafter referred to as "Agency", and the Office of the Washington State Auditor, hereinafter referred to as "SAO", pursuant to the authority granted by Chapter 39.34 RCW and 43.09 RCW.

Agency
Agency Name: City of Marysville
Contact Name: Gloria Hirashima
Title: Chief Administrative Officer
Address: 1049 State Avenue, Marysville, WA 98270
Phone: (360) 363-8000
E-mail: ghirashima@marysvillewa.gov

SAO
Agency Name: Office of the Washington State Auditor
Contact Name: Kristina Baylor
Title: Program Manager
Address: 15129 Main Street, Suite C 102, Mill Creek, WA 98012
Phone: (425) 951-0290
E-mail: Kristina.Baylor@sao.wa.gov

1. PURPOSE OF THE DSA

The purpose of the DSA is to provide the requirements and authorization for the Agency to exchange confidential information with SAO and SAO to share confidential information with the Agency. This agreement is entered into between Agency and SAO to ensure compliance with legal requirements and Executive Directives (Executive Order 16-01, RCW 42.56, and OCIO policy 141, OCIO standard 141.10) in the handling of information considered confidential.

2. DEFINITIONS

"Agreement" means this Interagency Data Sharing Agreement, including all documents attached or incorporated by reference.

DSA Agreement between Agency and SAO Agency DSA: 22-01

"Data Transmission" refers to the methods and technologies to be used to move a copy of the data between systems, networks and/or employee workstations.

"Data Storage" refers to the place data is in when at rest. Data can be stored on removable or portable media devices such as a USB drive or SAO managed systems or OCIO/State approved services or Agency provided Internet facing system.

"Data Encryption" refers to enciphering data with a NIST-approved algorithm or cryptographic module using a NIST-approved key length. Encryption must be applied in such a way that it renders data unusable to anyone but the authorized users.

"Personal Information" means information defined in RCW 42.56.590(10).

The State classifies data into categories based on the sensitivity of the data pursuant to the Security policy and standards promulgated by the Office of the state of Washington Chief Information Officer. The Data that is the subject of this DSA is classified as indicated below:

Category 1 - Public Information
Public information is information that can be or currently is released to the public. It does not need protection from unauthorized disclosure, but does need integrity and availability protection controls.

Category 2 - Sensitive Information
Sensitive information may not be specifically protected from disclosure by law and is for official use only. Sensitive information is generally not released to the public unless specifically requested.

Category 3 - Confidential Information
Confidential information is information that is specifically protected from disclosure by law. It may include but is not limited to:
a. Personal Information about individuals, regardless of how that information is obtained;
b. Information concerning employee personnel records;
c. Information regarding IT infrastructure and security of computer and telecommunications systems;

Category 4 - Confidential Information Requiring Special Handling
Confidential information requiring special handling is information that is specifically protected from disclosure by law and for which:
a. Especially strict handling requirements are dictated, such as by statutes, regulations, or agreements;
b. Serious consequences could arise from unauthorized disclosure, such as threats to health and safety, or legal sanctions.

3. PERIOD OF AGREEMENT

This agreement shall begin on July 1, 2022, or date of execution, whichever is later, and end on June 30, 2025, unless terminated sooner or extended as provided herein.

4. JUSTIFICATION FOR DATA SHARING

SAO is the auditor of all public accounts in Washington State. SAO's authority is broad and includes both explicit and implicit powers to review records, including confidential records, during the course of an audit or investigation.

5. DESCRIPTION OF DATA TO BE SHARED

The data to be shared includes information and data related to audit results, financial activity, operation and compliance with contractual, state and federal programs, security of computer systems, performance and accountability for agency programs as applicable to the audit(s) performed. Specific data requests will be limited to information needed for SAO audits, investigations and related statutory authorities as identified through auditor requests.

6. DATA TRANSMISSION

Transmission of data between Agency and SAO will use a secure method that is commensurate to the sensitivity of the data being transmitted.

7. DATA STORAGE AND HANDLING REQUIREMENTS

Agency and SAO will notify each other if they are providing confidential data. All confidential data provided by Agency will be stored with access limited to the least number of SAO staff needed to complete the purpose of the DSA.

8. INTENDED USE OF DATA

The Office of the Washington State Auditor will utilize this data in support of their audits, investigations, and related statutory responsibilities as described in RCW 43.09.

9. CONSTRAINTS ON USE OF DATA

The Office of the Washington State Auditor agrees to strictly limit use of information obtained under this Agreement to the purpose of carrying out our audits, investigations and related statutory responsibilities as described in RCW 43.09.

10. SECURITY OF DATA

SAO shall take due care and take reasonable precautions to protect Agency's data from unauthorized physical and electronic access. SAO complies with the requirements of the OCIO 141.10 policies and standards for data security and access controls to ensure the confidentiality, and integrity of all data shared.

11. NON-DISCLOSURE OF DATA

SAO staff shall not disclose, in whole or in part, the confidential data provided by Agency to any individual or agency, unless this Agreement specifically authorizes the disclosure. Confidential data may be disclosed only to persons and entities that have the need to use the data to achieve the stated purposes of this Agreement. In the event of a public disclosure request for the Agency's confidential data, SAO will notify the Agency and give fifteen days' notice so the Agency can seek a protection order in court.
a. SAO shall not access or use the data for any commercial or personal purpose.
b. Any exceptions to these limitations must be approved in writing by Agency.
c. The SAO shall ensure that all staff with access to the data described in this Agreement are aware of the use and disclosure requirements of this Agreement and will advise new staff of the provisions of this Agreement.

Agency staff shall not disclose, in whole or in part, the confidential data provided by SAO to any individual or agency, unless this Agreement specifically authorizes the disclosure. Confidential data may be disclosed only to persons and entities that have the need to use the data to achieve the stated purposes of this Agreement. In the event of a public disclosure request for the SAO's data, Agency shall not disclose SAO's data unless it has provided at least ten business days' notice to SAO that it disagrees with SAO's determination that the information is exempt from the public records act. The Agency will notify the SAO
a. Agency shall not access or use the data for any commercial or personal purpose.
b. Any exceptions to these limitations must be approved in writing by SAO.
c. The Agency shall ensure that all staff with access to the data described in this Agreement are aware of the use and disclosure requirements of this Agreement and will advise new staff of the provisions of this Agreement.

12. DATA DISPOSAL

Upon request by the SAO or Agency, or at the end of the DSA term, or when no longer needed, Confidential Information/Data must be returned or destroyed, except as required to be maintained for compliance or accounting purposes.

13. INCIDENT NOTIFICATION AND RESPONSE

The compromise of Confidential Information or reasonable belief that confidential information has been acquired and/or accessed by an unauthorized person that may be a breach that requires timely notice to affected individuals under RCW 42.56.590 or any other applicable breach notification law or rule must be reported to Gloria Hirashima, Chief Administrative Officer. If the Receiving Party does not have full details about the incident, it will report what information it has and provide full details within 15 business days of discovery. To the extent possible, these initial reports must include at least:
A. The nature of the unauthorized use or disclosure, including a brief description of what happened, the date of the event(s), and the date of discovery;
B. A description of the types of information involved;
C. The investigative and remedial actions the Receiving Party or its Subcontractor took or will take to prevent and mitigate harmful effects and protect against recurrence;
D. Any details necessary for a determination of whether the incident is a breach that requires notification under RCW 42.56.590, or any other applicable breach notification law or rule.
E. Any other information SAO or Agency reasonably requests.

14. OVERSIGHT

The SAO and Agency agree that they will have the right, at any time with reasonable notice, to monitor, audit, and review activities and methods in implementing this Agreement in order to assure compliance.

15. TERMINATION

Either party may terminate this Agreement with 30 days written notice to the other party's Agency Contact named on Page 1. However, once data is accessed by the SAO or Agency, this Agreement is binding as to the confidentiality, use of the data, and disposition of all data received as a result of access, unless otherwise amended by the mutual agreement of both parties.

16. AWARENESS AND TRAINING

SAO and Agency shall ensure that all staff with access to the data shared through this Agreement are aware of the use and disclosure requirements of OCIO 141.10 and RCW 42.56.590. SAO will comply with all state requirements and training regarding handling, storage and transmission of confidential data.

17. DISPUTE RESOLUTION

In the event that a dispute arises under this Agreement, a Dispute Board shall determine resolution in the following manner. Each party to this Agreement shall appoint one member to the Dispute Board. The members so appointed shall jointly appoint an additional member to the Dispute Board. The Dispute Board shall review facts, contract terms, and applicable statutes and rules and make a determination of the dispute.

18. GOVERNANCE

a. The provisions of this Interagency Data Sharing Agreement are severable. If any provision of this Agreement is held invalid by any court that invalidity shall not affect the other provisions of this Interagency Data Sharing Agreement and the invalid provision shall be considered modified to conform to the existing law.
b. In the event of a lawsuit involving this Interagency Data Sharing Agreement, venue shall be proper only in Thurston County, Washington.

19. SIGNATURES

The signatures below indicate agreement between the parties.

Agency
Title: Mayor

Office of the Washington State Auditor
Signature: Kristina Baylor
Date: June 13, 2022
Title: Program Manager