- (a) Except as provided in Paragraph (b) of this Rule, all Requestors shall enter into a data sharing agreement with the Contributors that are the custodians of the Data that may be needed to generate a requested report. The requestor data sharing agreement shall be separate and distinct from the Memorandum of Understanding between the Contributors and GDAC.
- (b) Requestors who are also Contributors and parties to the Contributor Memorandum of Understanding shall not be required to enter into a Requestor data sharing agreement unless one or more of the Contributors responding to the party's Request notifies the Requestor that a data sharing agreement must be entered into before Data is disclosed in order to comply with Applicable Law. An example of when a Requestor data sharing agreement may be required is an instance where a Contributor is making a Request of the NC Department of Commerce for Data that has not been Aggregated.
(c) The Requestor data sharing agreements shall contain the following:
- (1) limitations on Report access to authorized persons;
- (2) prohibition on the re-identification of persons included in Reports in accordance with G.S. 116E-5(e);
- (3) information technology system and data security standards required by the Contributor who will be providing Data for the Report;
- (4) privacy compliance standards;
- (5) data breach procedures, including notification of DIT of any cybersecurity incidents as described by G.S. 143B-1320(a)(4a) or G.S. 143b-1320(a)(16a) using the incident report form available at: https://it.nc.gov/resources/cybersecurity-risk-management/statewide-cybersecurity-incident-report-form;
- (6) terms regarding the disclaimer of liability as applied to Contributors pursuant to the doctrine of sovereign immunity and statutory immunity; and
- (7) data retention and data removal standards.
History Note: Authority G.S. 143B-1321(a)(16); 116E-4(b);
Eff. January 1, 2021.