4. Establish and ensure compliance with internal policies and procedures related to auditing capabilities that require the data custodian to perform an audit of its systems at the request of the data owner.

(c) A data steward that uses or facilitates the use of sensitive information shall do all of the following:

1. Establish and ensure compliance with internal policies and procedures that reflect best practices of data handling on subjects including all of the following:

a. Standards, policies, procedures, and requirements for requesting, accessing, interpreting, and using data.

b. Identity and access management controls, including limiting the access to any data subject to a data agreement.

c. Verification of data outputs to meet quality, accuracy, and reliability specifications.

d. Establishment of data element definitions and lineage.

e. Establishment and maintenance of auditing policies, procedures, and reporting.

f. Policies and procedures regarding data retention and destruction.

g. Interpretation of new and changing business and regulatory requirements that may impact data solution organization.

h. Any other requirements established in a data agreement.

2. Establish and ensure compliance with policies and procedures regarding the handling of data agreement breaches, security incidents, in compliance with s. 134.98, and related disputes.

(3) Agreements between data controllers. Data agreements are required when sensitive information controlled by one data controller is to be shared with, accessed by, or used by another data controller. A data agreement shall contain all of the following provisions:

(a) Identification of the parties to the agreement.

(b) Identification of the data subject to the agreement.

(c) Identification of the permitted uses and restrictions of the data subject to the agreement, including whether the data owner permits the data controller to share with another entity any enhanced data that was based on the data owner's original data.

(d) Identification of any confidentiality requirements for the data subject to the agreement.

(e) Identification of the law governing the data subject to the agreement, such as the federal Family Educational Rights and Privacy Act, the federal Health Insurance Portability and Accountability Act, the federal Health Information Technology for Economic and Clinical Health Act, the federal Criminal Justice Information Services Security Policy, or the federal Children's Online Privacy Protection Rule.

(f) Identification of the governing law and venue that shall govern the validity, construction, enforcement, and interpretation of the agreement.

(g) Provisions governing the response to security incidents, in compliance with s. 134.98, including all of the following:

1. The name and contact information of one or more individuals who are authorized to provide and receive security incident communications pertaining to the data subject to the agreement.

2. An attestation from a data custodian that it has established and agrees to comply with security incident policies and procedures under sub. (2) (b) 3.

(h) Definition of the term of the data agreement. A data agreement under this section shall remain in effect until a mutually agreed upon termination date or until all data subject to the agreement is destroyed or returned to the data owner, whichever occurs first.

(i) Provisions regarding the right to terminate the agreement, including all of the following:

1. Conditions under which the agreement may be terminated.

2. The method of notification required before termination is effective.

3. The advance notice period required before termination is effective.

4. Any special circumstances under which immediate termination of the agreement may be pursued.

(j) Provisions regarding authorization for or prohibition of the collection and analysis of metadata.

(k) In a data sharing agreement between a data owner and a data custodian, provisions regarding auditing capabilities and the performance of audits. A data custodian shall attest that it has enabled appropriate capabilities to support compliance with the regulatory statutes identified in the agreement and shall agree, at the request of the data owner, to perform an audit of the data owner's data under its custodianship. Such an audit shall have a mutually agreed upon scope and shall be performed within a mutually agreed upon time frame.

(L) Any other requirements as established by any party to the agreement.

(End)