24-085.00WAStateAuditorsOfficeInteragencyDataSharingAgreementSAO Agency DSA 22-01
INTERAGENCY DATA SHARING AGREEMENT
Between
City of Spokane Valley
And the Office of the Washington State Auditor
This Interagency Data Sharing Agreement(DSA)is entered into by and between City of Spokane Valley,
hereinafter referred to as"Agency",and the Office of the Washington State Auditor, hereinafter referred
to as"SAO", pursuant to the authority granted by Chapter 39.34 RCW,42.40 RCW, 43.101 RCW and
43.09 RCW.
Agency:
Agency Name: City of Spokane VAlley
Contact Name: Daniel Domrese
Title: Accounting Manager
Address: 10210 East Sprague, Spokane Valley,WA 99206
Phone: 509-720-5042
E-mail: ddomrese@spokanevalleywa.gov
SAO
Agency Name: Office of the Washington State Auditor
Contact Name: Brad White
Title: Audit Manager
Address: 316 W Boone Ave, Suite 680 Spokane, WA 99201
Phone: (509)919-0240
E-mail: bradley.d.white@sao.wa.gov
The SAO and Agency agree that they will have the right, at any time with reasonable notice,to monitor,
audit, and review activities and methods in implementing this Agreement in order to assure compliance.
1. PURPOSE OF THE DSA
The purpose of the DSA is to provide the requirements and authorization for the Agency to
exchange confidential information with SAO and SAO to share confidential information with the
Agency. This agreement is entered into between Agency and SAO to ensure compliance with
legal requirements and Executive Directives(Executive Order 16-01, RCW 42.56,and OCIO
policy 141, OCIO standard 141.10)in the handling of information considered confidential.
DSA Agreement between Agency and SAO
Agency DSA: 22-01
Agency DSA 22-01
2. DEFINITIONS
"Agreement"means this Interagency Data Sharing Agreement, including all documents attached
or incorporated by reference.
"Data Access"refers to rights granted to SAO employees to directly connect to Agency systems,
networks and/or applications combined with required information needed to implement these
rights.
"Data Transmission"refers to the methods and technologies to be used to move a copy of the data
between systems,networks and/or employee workstations.
"Data Storage"refers to the place data is in when at rest. Data can be stored on removable or
portable media devices such as a USB drive or SAO managed systems or OCIO/State approved
services.
"Data Encryption" refers to enciphering data with a NIST-approved algorithm or cryptographic
module using a NIST-approved key length. Encryption must be applied in such a way that it
renders data unusable to anyone but the authorized users.
"Personal Information"means information defined in RCW 42.56.590(10).
The State classifies data into categories based on the sensitivity of the data pursuant to the
Security policy and standards promulgated by the Office of the state of Washington Chief
Information Officer. The Data that is the subject of this DSA is classified as indicated below:
Category 1 —Public Information Public information is information that can be or
currently is released to the public. It does not need protection from unauthorized
disclosure, but does need integrity and availability protection controls.
Category 2—Sensitive Information Sensitive information may not be specifically
protected from disclosure by law and is for official use only. Sensitive information is
generally not released to the public unless specifically requested.
Category 3 —Confidential Information Confidential information is information that is
specifically protected from disclosure by law. It may include but is not limited to: a.
Personal Information about individuals,regardless of how that information is obtained; b.
Information concerning employee personnel records; c. Information regarding IT
infrastructure and security of computer and telecommunications systems; d. List of
individuals for commercial purposes.
Category 4—Confidential Information Requiring Special Handling Confidential
information requiring special handling is information that is specifically protected from
disclosure by law and for which: a. Especially strict handling requirements are dictated,
such as by statutes,regulations,agreements, or other compliance mandates; b. Serious
consequences could arise from unauthorized disclosure, such as threats to health and
safety, or legal sanctions.
DSA Agreement between Agency and SAO
Agency DSA: 22-01
Agency DSA 22-01
3. PERIOD OF AGREEMENT
This agreement shall begin on July 1, 2024, or date of execution, whichever is later, and end on
June 30,2027, unless terminated sooner or extended as provided herein.
4. JUSTIFICATION FOR DATA SHARING
SAO is the auditor of all public accounts in Washington State. SAO's authority is broad and
includes both explicit and implicit powers to review records, including confidential records,
during the course of an audit or investigation.
S. DESCRIPTION OF DATA TO BE SHARED
The data to be shared includes information and data related to audit results, financial activity,
operation and compliance with contractual, state and federal programs, security of computer
systems, performance and accountability for agency programs as applicable to the audit(s)
performed. Specific data requests will be limited to information needed for SAO audits,
investigations and related statutory authorities as identified through auditor requests.
6. DATA TRANSMISSION
Transmission of data between Agency and SAO will use a secure method that is commensurate to
the sensitivity of the data being transmitted.
7. DATA STORAGE AND HANDLING REQUIREMENTS
Agency and SAO will notify each other if they are providing confidential data. All confidential
data provided by Agency will be stored using data encryption with access limited to the least
number of SAO staff needed to complete the purpose of the DSA.
8. INTENDED USE OF DATA
The Office of the Washington State Auditor will utilize this data in support of their audits,
investigations,and related statutory responsibilities as described in RCW 43.09 and 42.40.
9. CONSTRAINTS ON USE OF DATA
The Office of the Washington State Auditor agrees to strictly limit use of information obtained
under this Agreement to the purpose of carrying out our audits, investigations and related
statutory responsibilities as described in RCW 43.09 and 42.40.
10. SECURITY OF DATA
SAO shall take due care and take reasonable precautions to protect Agency's data from
unauthorized physical and electronic access. SAO complies with the requirements of the OCIO
141.10 policies and standards for data security and access controls to ensure the confidentiality,
and integrity of all data shared.
11. NON-DISCLOSURE OF DATA
SAO staff shall not disclose, in whole or in part,the confidential data provided by Agency to any
individual or agency, unless this Agreement specifically authorizes the disclosure. Confidential
data may be disclosed only to persons and entities that have the need to use the data to achieve
the stated purposes of this Agreement. In the event of a public disclosure request for the
Agency's Confidential data, SAO will notify the Agency
a. SAO shall not access or use the data for any commercial or personal purpose.
DSA Agreement between Agency and SAO
Agency DSA: 22-01
Agency DSA 22-01
b. Any exceptions to these limitations must be approved in writing by Agency.
c. The SAO shall ensure that all staff with access to the data described in this Agreement
are aware of the use and disclosure requirements of this Agreement and will advise new
staff of the provisions of this Agreement.
Agency staff shall not disclose, in whole or in part,the confidential data provided by SAO to any
individual or agency, unless this Agreement specifically authorizes the disclosure. Confidential
data may be disclosed only to persons and entities that have the need to use the data to achieve
the stated purposes of this Agreement. In the event of a public disclosure request for the SAO's
data, Agency will notify the SAO
a. Agency shall not access or use the data for any commercial or personal purpose.
b. Any exceptions to these limitations must be approved in writing by SAO.
c. The Agency shall ensure that all staff with access to the data described in this Agreement
are aware of the use and disclosure requirements of this Agreement and will advise new
staff of the provisions of this Agreement.
12. DATA DISPOSAL
Upon request by the SAO or Agency, or at the end of the DSA term,or when no longer needed,
Confidential Information/Data must be returned or destroyed,except as required to be maintained
for compliance or accounting purposes.
13. INCIDENT NOTIFICATION AND RESPONSE
The compromise of Confidential Information or reasonable belief that confidential information
has been acquired and/or accessed by an unauthorized person that may be a breach that requires
timely notice to affected individuals under RCW 42.56.590 or any other applicable breach
notification law or rule must be reported to the Agency contact.
If the Receiving Party does not have full details about the incident, it will report what information
it has and provide full details within 15 business days of discovery. To the extent possible, these
initial reports must include at least: A. The nature of the unauthorized use or disclosure, including
a brief description of what happened,the date of the event(s), and the date of discovery; B. A
description of the types of information involved;C. The investigative and remedial actions the
Receiving Party or its Subcontractor took or will take to prevent and mitigate harmful effects and
protect against recurrence; D. Any details necessary for a determination of whether the incident is
a breach that requires notification under RCW 42.56.590, or any other applicable breach
notification law or rule. E. Any other information SAO or Agency reasonably requests.
14. OVERSIGHT
The SAO and Agency agree that they will have the right,at any time with reasonable notice,to
monitor, audit, and review activities and methods in implementing this Agreement in order to
assure compliance.
15. TERMINATION
Either party may terminate this Agreement with 30 days written notice to the other parry's
Agency Contact named on Page 1. However, once data is accessed by the SAO or Agency,this
Agreement is binding as to the confidentiality, use of the data, and disposition of all data received
as a result of access, unless otherwise amended by the mutual agreement of both parties.
DSA Agreement between Agency and SAO
Agency DSA: 22-01
Agency DSA 22-01
16. AWARENESS AND TRAINING
SAO and the agency shall ensure that all staff with access to the data shared through this
Agreement are aware of the use and disclosure requirements of OCIO 141.10 and RCW
42.56.590. SAO will comply with all state requirements and training regarding handling, storage
and transmission of confidential data.
17. DISPUTE RESOLUTION
In the event that a dispute arises under this Agreement, a Dispute Board shall determine
resolution in the following manner. Each party to this Agreement shall appoint one member to the
Dispute Board. The members so appointed shall jointly appoint an additional member to the
Dispute Board. The Dispute Board shall review facts,contract terms,and applicable statutes and
rules and make a determination of the dispute.
18. GOVERNANCE
a. The provisions of this Interagency Data Sharing Agreement are severable. If any
provision of this Agreement is held invalid by any court that invalidity shall not affect the
other provisions of this Interagency Data Sharing Agreement and the invalid provision
shall be considered modified to conform to the existing law.
b. In the event of a lawsuit involving this Interagency Data Sharing Agreement, venue shall
be proper only in Thurston County, Washington.
19. SIGNATURES
The signatures below indicate agreement between the parties.
Agency Office of the Washington State Auditor
17-2 't
Signature Date Signature Date
Title: City Manager Title: Audit Manager 5/172024
DSA Agreement between Agency and SAO
Agency DSA: 22-01