The URL can be used to link to this page

Home My WebLink AboutInteragency WA State Auditor Consent Agenda JEFFERSON COUNTY BOARD OF COUNTY COMMISSIONERS AGENDA REQUEST TO: Board of Commissioners FROM: Judy Shepherd,Finance Manager DATE: November 2-0,2023 SUBJECT: INTERAGENCY DATA SHARING AGREEMENT Between Jefferson County and the Office of the Washington State Auditor STATEMENT OF ISSUE: Under a bill passed by the Legislature in 2021, data sharing agreements(DSAs)are required for all state and local governments sharing data. This includes the data the State Auditor's Office(SAO) exchange for our audits. For reference, the legislation requiring DSAs is ESS135432, "Concerning cybersecurity and data sharing in Washington state government." ANALYSIS• Our original DSA agreement with will be expiring at the end of 2023. Our current agreement will remain in effect until its expiration date when this agreement will begin. The following changes have been made to the previous agreement: • References to state law(42.40 RCW and 43.101 RCW) in the introductory, sections describing intended use and constraints • Language that enables SAO to share confidential information with you. • `Audit results' to description of data • `Using encryption' to data storage and handling • Non-disclosure' now indicates `confidential' • Three new sections, covering Data Disposal, Incident notification and response, and Awareness and Training FISCAL IMPACT• None RECOMMENDATION• Recommend approval of the agreement. REVIEWED BY: Mark McCaul County Administrator Date CONTRACT REVIEW FORM Clear Form (INSTRUCTIONS ARE ON THE NEXT PAGE) CONTRACT WITH: Office of the Washington State Auditor Contract No: DSA 22-01 Contract For: Interagency Data Sharing Term: ONGOING COUNTY DEPARTMENT: Auditors Office Contact Person: Judy Shepherd Contact Phone: 231 Contact email: JFShepherd@co.jefferson.wa.us AMOUNT: NONE PROCESS: Exempt from Bid Process Revenue: Cooperative Purchase Expenditure: Competitive Sealed Bid Matching Funds Required: Small Works Roster Sources(s)of Matching Funds Vendor List Bid Fund# RFP or RFQ Munis Org/Obj �/ Other: APPROVAL STEPS: STEP 1: DEPARTMENT CERTIFIES C PLIA I H J 3.55.080 AND CHAPTER 42.23 RCW. CERTIFIED: ❑ N/A: ■❑ Signature7 Date STEP 2: DEPARTMENT CERTIFIES E PE O PROPOSED FOR CONTRACTING WITH THE COUNTY (CONTRACTOR) HAS NO BEEN E ARRED BY ANY FEDERAL, STATE, OR LOCAL AGENCY. CERTIFIED: ❑ N/A: Signature Date STEP 3: RISK MANAGEMENT REVIEW(will be added electronically through Laserfiche): Electronically approved by Risk Management on 11/16/2023. STEP 4: PROSECUTING ATTORNEY REVIEW(will be added electronically through Lasertiche): Electronically approved as to form by PAO on 11/16/2023. State language - cannot change. STEP 5: DEPARTMENT MAKES REVISIONS & RESUBMITS TO RISK MANAGEMENT AND PROSECUTING ATTORNEV(IF REQUIRED). STEP 6: CONTRACTOR SIGNS STEP 7: SUBMIT TO BOCC FOR APPROVAL I Agency DSA 22-01 INTERAGENCY DATA SHARING AGREEMENT Between Jefferson County And the Office of the Washington State Auditor This Interagency Data Sharing Agreement(DSA)is entered into by and between Jefferson County hereinafter referred to as"Agency",and the Office of the Washington State Auditor,hereinafter referred to as"SAO",pursuant to the authority granted by Chapter 39.34 RCW,42.40 RCW,43.101 RCW and 43.09 RCW. Agency Agency Name: Jefferson County Contact Name: Judy Shepherd Title: Finance Manager Address: PO Box 563 Port Townsend, WA 98368 Phone: (360)385-9231 E-mail: jfshepherd@co.jefferson.wa.us SAO Agency Name: Office of the Washington State Auditor Contact Name: Amy Strzalka,CPA Title: Program Manager Address: 451 SW Sedgwick Rd, Suite 200 Port Orchard,WA 98367 Phone: (360)845-1476 E-mail: amy.strzalka@sao.wa.gov The SAO and Agency agree that they will have the right,at any time with reasonable notice,to monitor, audit,and review activities and methods in implementing this Agreement in order to assure compliance. 1. PURPOSE OF THE DSA The purpose of the DSA is to provide the requirements and authorization for the Agency to exchange confidential information with SAO and SAO to share confidential information with the Agency.This agreement is entered into between Agency and SAO to ensure compliance with legal requirements and Executive Directives(Executive Order 16-01,RCW 42.56,and OCIO policy 141,OCIO standard 141.10)in the handling of information considered confidential. DSA Agreement between Agency and SAO Agency DSA:22-01 Agency DSA 22-01 2. DEFINITIONS "Agreement"means this Interagency Data Sharing Agreement, including all documents attached or incorporated by reference. "Data Access"refers to rights granted to SAO employees to directly connect to Agency systems, networks and/or applications combined with required information needed to implement these rights. "Data Transmission"refers to the methods and technologies to be used to move a copy of the data between systems,networks and/or employee workstations. "Data Storage"refers to the place data is in when at rest.Data can be stored on removable or portable media devices such as a USB drive or SAO managed systems or OCIO/State approved services. "Data Encryption"refers to enciphering data with a NIST-approved algorithm or cryptographic module using a NIST-approved key length. Encryption must be applied in such a way that it renders data unusable to anyone but the authorized users. "Personal Information"means information defined in RCW 42.56.590(10). The State classifies data into categories based on the sensitivity of the data pursuant to the Security policy and standards promulgated by the Office of the state of Washington Chief Information Officer.The Data that is the subject of this DSA is classified as indicated below: Category 1 —Public Information Public information is information that can be or currently is released to the public. It does not need protection from unauthorized disclosure,but does need integrity and availability protection controls. Category 2—Sensitive Information Sensitive information may not be specifically protected from disclosure by law and is for official use only. Sensitive information is generally not released to the public unless specifically requested. Category 3—Confidential Information Confidential information is information that is specifically protected from disclosure by law. It may include but is not limited to: a. Personal Information about individuals,regardless of how that information is obtained;b. Information concerning employee personnel records;c. Information regarding IT infrastructure and security of computer and telecommunications systems;d. List of individuals for commercial purposes. Category 4—Confidential Information Requiring Special Handling Confidential information requiring special handling is information that is specifically protected from disclosure by law and for which:a. Especially strict handling requirements are dictated, such as by statutes,regulations,agreements,or other compliance mandates;b. Serious consequences could arise from unauthorized disclosure,such as threats to health and safety,or legal sanctions. DSA Agreement between Agency and SAO Agency DSA:22-01 Agency DSA 22-01 3. PERIOD OF AGREEMENT This agreement shall begin on May 24,2024,or date of execution,whichever is later,and end on May 23,2027,unless terminated sooner or extended as provided herein. 4. JUSTIFICATION FOR DATA SHARING SAO is the auditor of all public accounts in Washington State. SAO's authority is broad and includes both explicit and implicit powers to review records, including confidential records, during the course of an audit or investigation. 5. DESCRIPTION OF DATA TO BE SHARED The data to be shared includes information and data related to audit results,financial activity, operation and compliance with contractual,state and federal programs,security of computer systems,performance and accountability for agency programs as applicable to the audit(s) performed. Specific data requests will be limited to information needed for SAO audits, investigations and related statutory authorities as identified through auditor requests. 6. DATA TRANSMISSION Transmission of data between Agency and SAO will use a secure method that is commensurate to the sensitivity of the data being transmitted. 7. DATA STORAGE AND HANDLING REQUIREMENTS Agency and SAO will notify each other if they are providing confidential data.All confidential data provided by Agency will be stored using data encryption with access limited to the least number of SAO staff needed to complete the purpose of the DSA. 8. INTENDED USE OF DATA The Office of the Washington State Auditor will utilize this data in support of their audits, investigations,and related statutory responsibilities as described in RCW 43.09 and 42.40. 9. CONSTRAINTS ON USE OF DATA The Office of the Washington State Auditor agrees to strictly limit use of information obtained under this Agreement to the purpose of carrying out our audits,investigations and related statutory responsibilities as described in RCW 43.09 and 42.40. 10. SECURITY OF DATA SAO shall take due care and take reasonable precautions to protect Agency's data from unauthorized physical and electronic access. SAO complies with the requirements of the OCIO 141.10 policies and standards for data security and access controls to ensure the confidentiality, and integrity of all data shared. 11. NON-DISCLOSURE OF DATA SAO staff shall not disclose, in whole or in part,the confidential data provided by Agency to any individual or agency,unless this Agreement specifically authorizes the disclosure.Confidential data may be disclosed only to persons and entities that have the need to use the data to achieve the stated purposes of this Agreement. In the event of a public disclosure request for the Agency's Confidential data,SAO will notify the Agency a. SAO shall not access or use the data for any commercial or personal purpose. DSA Agreement between Agency and SAO Agency DSA:22-01 Agency DSA 22-01 b. Any exceptions to these limitations must be approved in writing by Agency. c. The SAO shall ensure that all staff with access to the data described in this Agreement are aware of the use and disclosure requirements of this Agreement and will advise new staff of the provisions of this Agreement. Agency staff shall not disclose,in whole or in part,the confidential data provided by SAO to any individual or agency,unless this Agreement specifically authorizes the disclosure.Confidential data may be disclosed only to persons and entities that have the need to use the data to achieve the stated purposes of this Agreement. In the event of a public disclosure request for the SAO's data,Agency will notify the SAO a. Agency shall not access or use the data for any commercial or personal purpose. b. Any exceptions to these limitations must be approved in writing by SAO. c. The Agency shall ensure that all staff with access to the data described in this Agreement are aware of the use and disclosure requirements of this Agreement and will advise new staff of the provisions of this Agreement. 12. DATA DISPOSAL Upon request by the SAO or Agency,or at the end of the DSA term,or when no longer needed, Confidential Information/Data must be returned or destroyed,except as required to be maintained for compliance or accounting purposes. 13. INCIDENT NOTIFICATION AND RESPONSE The compromise of Confidential Information or reasonable belief that confidential information has been acquired and/or accessed by an unauthorized person that may be a breach that requires timely notice to affected individuals under RCW 42.56.590 or any other applicable breach notification law or rule must be reported to the[Agency contact]. If the Receiving Party does not have full details about the incident,it will report what information it has and provide full details within 15 business days of discovery.To the extent possible,these initial reports must include at least:A.The nature of the unauthorized use or disclosure, including a brief description of what happened,the date of the event(s),and the date of discovery;B.A description of the types of information involved;C.The investigative and remedial actions the Receiving Party or its Subcontractor took or will take to prevent and mitigate harmful effects and protect against recurrence;D.Any details necessary for a determination of whether the incident is a breach that requires notification under RCW 42.56.590,or any other applicable breach notification law or rule. E.Any other information SAO or Agency reasonably requests. 14. OVERSIGHT The SAO and Agency agree that they will have the right,at any time with reasonable notice,to monitor,audit,and review activities and methods in implementing this Agreement in order to assure compliance. 15. TERMINATION Either party may terminate this Agreement with 30 days written notice to the other party's Agency Contact named on Page 1. However,once data is accessed by the SAO or Agency,this Agreement is binding as to the confidentiality,use of the data,and disposition of all data received as a result of access,unless otherwise amended by the mutual agreement of both parties. DSA Agreement between Agency and SAO Agency DSA:22-01 Agency DSA 22-01 16. AWARENESS AND TRAINING SAO and the agency shall ensure that all staff with access to the data shared through this Agreement are aware of the use and disclosure requirements of OCIO 141.10 and RCW 42.56.590. SAO will comply with all state requirements and training regarding handling,storage and transmission of confidential data. 17. DISPUTE RESOLUTION In the event that a dispute arises under this Agreement,a Dispute Board shall determine resolution in the following manner. Each party to this Agreement shall appoint one member to the Dispute Board.The members so appointed shall jointly appoint an additional member to the Dispute Board.The Dispute Board shall review facts,contract terms,and applicable statutes and rules and make a determination of the dispute. 18. GOVERNANCE a. The provisions of this Interagency Data Sharing Agreement are severable. If any provision of this Agreement is held invalid by any court that invalidity shall not affect the other provisions of this Interagency Data Sharing Agreement and the invalid provision shall be considered modified to conform to the existing law. b. In the event of a lawsuit involving this Interagency Data Sharing Agreement,venue shall be proper only in Thurston County, Washington. 19. SIGNATURES The signatures below indicate agreement between the parties. Jefferson County Office of the Washington State Auditor Signature Date Signature Date Name: Greg Brotherton Name: Amy Strzalka Title: Chair Title: Approved as to form o ly: 0. C. November 16,2023 Philip C. Hunsucker Date Chief Civil Deputy Prosecuting Attorney DSA Agreement between Agency and SAO Agency DSA:22-01 i