the Subrecipient shall immediately report the loss or breach to the
<br /> Pass-through Entity. If the Pass-through Entity determines that notice to the
<br /> individuals whose data has been lost or breached is appropriate, the Subrecipient
<br /> will bear any and all costs associated with the notice or any mitigation selected
<br /> by the Pass-through Entity. These costs include, but are not limited to, staff
<br /> time, material costs, postage, media announcements, and other identifiable costs
<br /> associated with the breach or loss of data.
<br /> f. The Subrecipient shall provide for the management and control of physical access to
<br /> information assets (including personal computer systems, computer terminals, mobile
<br /> computing devices, and various electronic storage media) used in performance of this
<br /> Subgrant. This shall include, but is not limited to, security measures to physically
<br /> protect data, systems, and workstations from unauthorized access and malicious
<br /> activity; the prevention, detection, and suppression of fires; and the prevention,
<br /> detection, and minimization of water damage.
<br /> g. At no time will confidential data obtained pursuant to this agreement be placed on a
<br /> mobile computing device, or on any form of removable electronic storage media of any
<br /> kind unless the data are fully encrypted.
<br /> h. Each party shall provide its employees with access to confidential information with
<br /> written instructions fully disclosing and explaining the penalties for unauthorized
<br /> use or disclosure of confidential information found in Section 1798.55 of the
<br /> California Civil Code, Section 502 of the California Penal Code, Section 2111 of the
<br /> California Unemployment Insurance Code, Section 10850 of the California Welfare and
<br /> Institutions Code and other applicable local, state and federal laws.
<br /> i. Each party shall (where it is appropriate) store and process information in
<br /> electronic format, in such a way that unauthorized persons cannot reasonably retrieve
<br /> the information by means of a computer.
<br /> j. All Subrecipient staff and subcontractors that are provided access to any data
<br /> systems of the Pass-through Entity, excluding CalJOBS, are required to complete
<br /> and sign an Employee Confidentiality Statement (DE 7410).
<br /> k. Each party shall promptly return to the other party confidential information when
<br /> its use ends, or destroy the confidential information utilizing an approved method of
<br /> destroying confidential information: shredding, burning, or certified or witnessed
<br /> destruction. Magnetic media are to be degaussed or returned to the other party.
<br /> l. If the Pass-through Entity or Subrecipient enters into an agreement with a third
<br /> party to provide WIOA services, the Pass-through Entity or Subrecipient agrees to
<br /> include these data and security and confidentiality requirements in the agreement
<br /> with that third party. In no event shall said information be disclosed to any
<br /> individual outside of that third party's authorized staff, subcontractor(s), service
<br /> providers, or employees.
<br /> m. The Subrecipient may, in its operation of the America's Job Center of California
<br /> (AJCC), permit an AJCC Operator to enter into a subcontract to manage confidential
<br /> information. This subcontract may allow an individual to register for resume
<br /> distribution services at the same time the individual enrolls in CalJOBS.
<br /> Subrecipient shall ensure that all such subcontracts comply with the intellectual
<br /> property requirements of this subgrant agreement, the confidentiality requirements of
<br /> this subgrant agreement and any other terms of this subgrant agreement that may be
<br /> applicable. In addition, the following requirements must be included in the
<br /> subcontracts:
<br /> 1. All client information submitted over the Internet to the subcontractor's
<br /> databases must be protected, at a minimum, by 128-bit Secure Socket Layer (SSL)
<br /> encryption. Clients' social security numbers must be stored in a separate
<br /> database within the subcontractor's network of servers, and protected by a
<br /> firewall and a secondary database server firewall or AES data encryption. If a
<br /> subcontractor receives client social security numbers or other confidential
<br /> information in the course of business, for example a resume-distribution service
<br /> that provides enrollment in CalJOBS, social security numbers must be destroyed
<br /> within two days after the client registers for CalJOBS. If a subcontractor
<br /> obtains confidential information as an agent of the Subrecipient, the subcontract
<br /> must specifically state the purpose for the data collection and the term of
<br /> records retention must be stated, and directly related, to the purpose and use of
<br /> the information. Social security numbers and other client specific information
<br /> Page tent 16
<br />
|