|
i). Survival
<br />The provisions set forth herein shall survive any termination or expiration of this Subgrant agreement or
<br />any project schedule.
<br />20. Confidentiality Requirements
<br />The State of California and the Subgrantee will exchange various kinds of information pursuant to this
<br />subgrant agreement. That information will include data, applications, program files, and databases.
<br />These data and information are confidential when they define an individual or an employing unit.
<br />Confidential information requires special precautions to protect it from unauthorized use, access,
<br />disclosure, modification, and destruction. The sources of information may include, but are not limited
<br />to, the EDD, the California Department of Social Services, the California Department of Education, the
<br />California Department of Corrections and Rehabilitation, the County Welfare Department(s), the County IV -
<br />D Directors Office of Child Support, the Office of the District Attorney, the California Department of
<br />Mental Health, the California Office of Community Colleges and the Department of Alcohol and Drug
<br />Programs.
<br />The "pass-through" entity and Subgrantee agree that:
<br />a). Each party shall keep all information that is exchanged between them in the strictest confidence and
<br />make such information available to their own employees only on a "need -to -know" basis.
<br />b). Each party shall provide security sufficient to ensure protection of confidential information from
<br />improper use and disclosures, including sufficient administrative, physical, and technical safeguards to
<br />protect this information from reasonable unanticipated threats to the security or confidentiality of the
<br />information.
<br />c). The Subgrantee agrees that information obtained under this subgrant agreement will not be reproduced,
<br />published, sold or released in original or in any other form for any purpose other than those
<br />specifically identified in this agreement.
<br />(1) Aggregate Summaries: All reports and/or publications developed by the Subgrantee based on data
<br />obtained under this agreement shall contain confidential data in aggregated or statistical summary form
<br />only. "Aggregated" refers to a data output that does not allow identification of an individual or
<br />employer unit.
<br />(2) Publication: Prior to publication, Subgrantee shall carefully analyze aggregated data outputs to
<br />ensure the identity of individuals and/or employer units cannot. be inferred pursuant to Unemployment
<br />Insurance Code Section 1094(c). Personal identifiers must be removed. Geographic identifiers should be
<br />specified only in large areas and as needed, and variables should be recorded in order to protect
<br />confidentiality.
<br />(3) Minimum Data Cell Size: The minimum data cell size or derivation thereof shall be three participants
<br />for any data table released to outside parties or to the public.
<br />d). Each party agrees that no disaggregate data, identifying individuals or employers, shall be released
<br />to outside parties or the public.
<br />a). The Subgrantee shall notify ^pass-through" entity's Information Security Office of any actual or
<br />attempted information security incidents, within 24 hours of initial detection, by telephone at (916) 654-
<br />6231. Information Security Incidents include, but are not limited to, any event (intentional or
<br />unintentional), that causes the loss, damage, or destruction, or unauthorized access, use, modification,
<br />or disclosure of information assets.
<br />The Subgrantee shall cooperate with the "pass-through" entity in any investigation of security incidents.
<br />The system or device affected by an information security incident and containing confidential. data
<br />obtained in the administration of this program shall he immediately removed from operation upon
<br />confidential data exposure or a known security breach. It shall remain removed from operation until
<br />correction and mitigation measures are applied.
<br />If the Subgrantee learns of a breach in the security of the system which contains confidential data
<br />obtained under this Subgrant, then the Subgrantee must provide notification to individuals pursuant to
<br />Civil Code Section 1798.62.
<br />f). The Subgrantee shall provide for the management and control of physical access to information assets
<br />(including personal computer systems, computer terminals, mobile computing devices, and various
<br />electronic storage media) used in performance of this Subgrant. This shall include, but is not limited
<br />to, security measures to physically protect data, systems, and workstations from unauthorized access and
<br />malicious activity; the prevention, detection, and suppression of fires; and the prevention, detection,
<br />and minimization of water damage.
<br />g). At no time will confidential data obtained pursuant to this agreement be placed on a mobile computing
<br />device, or on any form of removable electronic storage media of any kind unless the data are fully
<br />encrypted.
<br />h). Each party shall provide its employees with access to confidential information with written
<br />instructions fully disclosing and explaining the penalties for unauthorized use or disclosure of
<br />confidential information found in Section 1798.55 of the Civil Code, Section 502 of the Penal Code,
<br />Section 2111 of the Unemployment Insurance Code, Section 10850 of the Welfare and Institutions Code and
<br />other applicable local, state and federal laws.
<br />i). Each party shall (where it is appropriate) store and process information in electronic format, in
<br />such a way that unauthorized persons cannot reasonably retrieve the information by means of a computer.
<br />j). Each party shall promptly return to the other party confidential information when its use ends, or
<br />destroy the confidential information utilizing an approved method of destroying confidential information:
<br />shredding, burning, or certified or witnessed destruction. Magnetic media are to be degaussed or
<br />returned to the other party.
<br />k). If the "pass-through" entity or Subgrantee enters into an agreement with a third party to provide
<br />WIOA services, the "pass-through" entity or Subgrantee agrees to include these data and security and
<br />confidentiality requirements in the agreement with that third party. In no event shall said information
<br />be disclosed to any individual outside of that third party -s authorized staff, subcontractcr(s), service
<br />providers, or employees.
<br />1). The Subgrantee may, in its operation of the America's Job Center of California (AJCC), permit an AJCC
<br />Operator to enter into a subcontract to manage confidential information. This subcontract may allow an
<br />individual to register for resume -distribution services at the same time the individual enrolls in
<br />CalJOES. Subgrantee shall ensure that all such subcontracts comply with the intellectual property
<br />requirements of paragraph 19 of this Subgrant, the confidentiality requirements of paragraph 20 of this
<br />Subgrant and any other terms of this Subgrant that may be applicable. In addition, the following
<br />Page 12 of 13
<br />
|