Due Diligence to Manage Third Party Data Handling Risks

TRANSCRIPT

Page 1: Due Diligence to Manage Third Party Data Handling Risks

Office of Privacy and Data Protection
Katy Ruckle, State Chief Privacy Officer
October 6, 2021
OCS Hacktober Series

Page 2: Coordinate Data Protection with the Office of Cybersecurity

• Collaboration on data security initiatives that overlap with data governance and data management
• Security is one of the WA State Agency Privacy Principles

Page 3: Privacy Principles

❖ Lawful, fair, & responsible use
❖ Data minimization
❖ Purpose limitation
❖ Transparency & accountability
❖ Due diligence
❖ Individual participation
❖ Security

Page 4: Privacy Principles Creation and Implementation

❖ Lawful, fair, & responsible use
❖ Data minimization
❖ Purpose limitation
❖ Transparency & accountability
❖ Due diligence
❖ Individual participation
❖ Security

Page 5: Due Diligence

Taking reasonable steps and exercising care before and after entering into an agreement or arrangement with a third party that includes sharing personal information.

Page 6: Due Diligence - Who do we mean by “third parties?”

• Anyone external to the agency
• Contractors/Vendors
• Other state agencies
• Local government
• Non-profits
• Federal agencies (?)
• Law enforcement (?)

Page 7: Also consider these threshold issues before sharing with third parties…

• Require research and thoughtfulness before handing over data to third parties (this includes those in authority)
• Be sure of the legal authority for the recipient to receive the information
• Evaluate whether sharing is consistent with the original purpose of collecting the information

Page 8: 3rd Party Due Diligence Implementation

Exercise due diligence when sharing information with third parties. Appropriate due diligence will vary based on the circumstances, but may include:

• Reputation
• Financial condition
• Information security
• Employee training
• Data transmission
• Disposal
• Incident response
• Audits

Page 9: When exercising 3rd Party Due Diligence consider: Reputation

• A third party’s reputation with other companies or clients can be an important gauge of the contractor’s appropriate collection and use of confidential data.
• Requesting and contacting references can help determine a contractor’s reputation.

Page 10: When exercising 3rd Party Due Diligence consider: Financial condition and insurance

• The third party’s finances should be reviewed to ensure the contractor has sufficient resources both to perform the contracted work and to withstand a security breach and subsequent litigation.
• A current and sufficient insurance policy can also protect the procuring agency in the event of a breach.

Page 11: When exercising 3rd Party Due Diligence consider: Information security controls

• A third party should have sufficient security controls in place to ensure data is not lost or stolen.
• Determine which security practices are reasonable by considering what information is being shared.
• Require the third party to adhere to the same data use standards as the agency, including agency policies and applicable privacy laws.

Page 12: When exercising 3rd Party Due Diligence consider: Employee training and user awareness

• The third party should have an established system for training its employees about its responsibilities in managing personal or sensitive information.
• Ensure users accessing your data understand the restrictions on its use.

Page 13: When exercising 3rd Party Due Diligence consider: Transmission and data exchange methods

• The method of sharing data between the agency and the third party is a potential security vulnerability.
• Mechanisms of secure transfer should be developed and maintained.

Page 14: When exercising 3rd Party Due Diligence consider: Disposal of information

• The third party should use appropriate destruction methods for confidential information in any form or media (e.g. paper, disks, drives, devices).
• Specify secure methods of disposal of confidential information.
• Ensure disposal is completed at the end of the contract or monitoring function.

Page 15: When exercising 3rd Party Due Diligence consider: Incident response

• Review the third party’s incident response plans and ask in advance for a clear explanation of its provisions for responding to any suspected security incident or breach.
• Require cooperation to meet the agency’s business and legal needs.

Page 16: When exercising 3rd Party Due Diligence consider: Audit rights

• Agencies should be able to monitor the third party’s activities to ensure it is complying with contractual obligations.
• Audit needs can sometimes be satisfied through periodic assessments or reports by independent trusted parties regarding the contractor’s practices.

Page 17: Example of statutory audit rights

SSB 5152 - Enhancing data stewardship and privacy protections for vehicle and driver data - Effective date 7/25/2021

The law provides for:

• Confidentiality of records
• Obligations on data recipients and subrecipients
• Contractual requirements
• Penalties
• Limitations on sharing of contents of driving record abstract
• Other additional updates re DOL data sharing

Page 18: Speaking of legislation…

ESSB 5432 – Concerning cybersecurity and data sharing in Washington state government

• OCS creation in statute
• Data governance report
• Data sharing agreements
• Catalog of services
• Incident response
• Independent security assessment

Page 20: ESSB 5432

• Agencies must enter data share agreements with contractors prior to sharing Category 3 or 4 data.
• Agencies requesting Category 3 or 4 data from another agency must provide for a data share agreement.

Page 21: More due diligence - Good contracts!

Confidentiality provision – Contractors and vendors involved in personal information collection for an agency, or with whom an agency shares data, should be required to sign a contract containing a confidentiality provision before engaging in business that uses the information.

No further use of shared information – The contract with the third party managing personal information on the agency’s behalf should specify that the data be used only for the purposes contracted.

Page 22: More due diligence - Good contracts!

Requirement to notify and to disclose breach – An agency should require prompt notification from the third party in the event of a data breach, security incident, or breach of contract.

• Details of the breach should be disclosed promptly and in detail.
• Determine responsibility for notification in case of breach.
• Review of communications.

Page 23: More due diligence - Good contracts!

Information security provisions – Contracts may include provisions concerning specific security controls:

• Encryption of data in transit, on media, and on portable devices
• Network security
• Access controls
• Segregation of data
• Employee background checks
• Audit rights

Page 24: More due diligence - Good contracts!

Use of subcontractors (“pass-through requirements”)

• If the third party intends to use subcontractors in the collection, use, or processing of confidential information, the agency should require all subcontractors to follow the privacy and security protection terms in the contractor’s contract (which in turn should be consistent with the agency’s own privacy protection terms).
• Contracts should also address whether the data can flow across borders, to ensure the agency’s policy or compliance requirements on this issue are not violated.

Page 25: OCIO Policy #141.10

The agreement (such as a contract, a service level agreement, or a dedicated data sharing agreement) must address the following:

(1) The data that will be shared.
(2) The specific authority for sharing the data.
(3) The classification of the data shared.
(4) Access methods for the shared data.
(5) Authorized users and operations permitted.
(6) Protection of the data in transport and at rest.
(7) Backup requirements for the data, if applicable.
(8) Other applicable data handling requirements.

Page 26: Other important contract terms for consideration

• Indemnification
• Cyber liability insurance
• Governing law
• Warranty
• Description of data
• Constraints on use of data
• Secure destruction of data
• Public records
• Dispute resolution

Page 27: What about third-party data requests?

Data Share Request Forms - A data share request form can be used to gather the information your agency thinks is important and can help you make good, consistent decisions. It also helps implement other privacy principles, like data minimization and purpose limitation, and can help develop an inventory of where agency data is going.

https://watech.wa.gov/privacy/gov-agency-resources

Page 28: Data Share Request Forms

Allows agencies to gather information from data requestors about:

• Requested data
• Intended use
• Authority to share
• Security and privacy controls

Page 29: Implementation Considerations - Customization

• The template is just a template!
• Research requests?
• Internal sponsorship?
• Frequently requested datasets?
• Particularly sensitive agency data?
• Alignment with agency mission and values?
• Links to other documents (agency DSA)
• Maturity/capacity to require documentation?

Page 30: Keep in mind

De-identification standards and use of data

GDPR – not because it is applicable, but because it sets standards that many third-party contractors are already used to complying with. GDPR requires:

- Notification for security breaches
- New requirements for data processors – contractors that act on behalf of data controllers (subcontractor example)
- Designation of data protection officers – for data controllers
- Accountability obligations – rules for international transfer of data
- Penalties – sanctions of up to 4 percent of global revenues for failure to comply

Page 31: Other Resources

• Washington State Data Breach Notification Law for Government Agencies (The State Learning Center, August 2021)
• Data Classification webinar, 4/29/21
• SB 5432 webinar, 6/24/21
• Security Framework webinar, 9/30/21
• In development: Privacy 101 Training for Washington State Employees

Page 32: Questions?

Thank you!