Local Governments Now Required to Have Data-Sharing Agreements

A data-sharing agreement is a formal contract between two or more parties that clearly documents what data is being shared and how the data can be used. Good data can help inform policymaking, program development, and evaluation, as well as help agencies identify areas for improvement. Recent action by the Washington State Legislature now requires local governments to have data-sharing agreements for certain types of data. This blog offers an overview of the bill, with a focus on the data types that are impacted.

Background

ESSB 5432 was enacted during this most recent legislative session and requires certain public agencies to have data-sharing agreements in place when sharing category 3 or category 4 data. The new requirement can be found in RCW 39.26.340 (state agency procurement) and RCW 39.34.240 (interlocal agreements).

Data Categories

The WaTech website contains a checklist for agencies to use when trying to determine category levels, which is based on the sensitivity of the data. The most sensitive data is classified under category 4, while data considered “public information” is classified under category 1. This blog highlights category 3 and category 4 data.

Category 4 data is confidential information that requires special handling and has strict requirements through statute, regulations, or agreements. Examples include data that falls under Health Insurance Portability and Accountability Act of 1996 (HIPAA) or information that would be a threat to health or legal sanctions.

Category 3 data is confidential information that is that is protected from disclosure or release by law. Examples include social security numbers, a driver’s license number or a Washington identification card number, account numbers (e.g., utility account), credit card numbers, security codes, or passwords. Additionally, it includes data held in personnel records, such as residential phone numbers and addresses, personal cell phone numbers, personal addresses, and emergency contact information. Any data that concerns the infrastructure and security of computer and telecommunications networks is also included.

When sharing category 3 and category 4 data, agencies should follow the encryption standards specified by newly created Office of Cybersecurity (OCS) within the Washington State Office of the Chief Information Officer (OCIO). There are several companies that offer encrypted file-sharing services, such as Azure, SolarWinds, and Citrix FileShare, to name a few. If your agency decides to go with a file-sharing service, it should ensure that this service meets the standards set by the OCS once these standards are released.

The OCS has until December 1, 2021, to report on its recommendations for best practices in data sharing and data protection, data-sharing contracts, and adherence to privacy policies.

Data Sharing Agreements

Many local governments have already had to sign data-sharing agreements with the State Auditor’s Office (SAO) as part of their most recent audit. The new statutes on data-sharing agreements do not specify what must be included in the agreements, only that they must conform to the policies for data sharing as specified by the OCS. Local governments should work with their legal counsel to determine what should be included in any data-sharing agreements based on their particular situation.

When crafting data-sharing agreements, local governments may wish to reference their data-sharing agreement with the SAO or one of the online examples listed below:

• OCIO and the Technology Business Management Program
• State of Washington Department of Health
• Washington State Department of Corrections and Office of the Corrections Ombuds
• WA Department of Fish and Wildlife and WA State Parks and Recreation Commission

Audits

Local governments should begin preparing for their audits by the SAO and ensuring they have data-sharing agreements in place if they are sharing category 3 or category 4 data with other agencies. Local governments should begin evaluating their need for data-sharing agreements and ensure that those agreements comply with the policies set by the OCS once these policies have been released.