(1) When sharing Category 3 or 4 town electronic data with any agency, business partner, contractor, or other non-town public entity, a data sharing agreement (DSA) must be in place unless otherwise prescribed by law. DSAs must be initiated and approved through the PIO if on the council approved standard-use DSA form (Exhibit B to the resolution codified in this chapter). The standardized form may be revised to include more restrictive conditions if requested by agencies but shall never be revised to include less restrictive conditions without first obtaining council approval.
(2) Data sharing agreements must address the following:
(a) Purpose of agreement.
(b) Period and term of agreement.
(c) The specific authority for sharing the data.
(d) The data that will be shared and its classifications.
(e) Access methods for the shared data.
(f) Authorized users and operations permitted.
(g) Protection of the data in transport and at rest.
(h) Storage and disposal of data no longer required.
(i) Backup requirements for the data if applicable.
(j) Other applicable data handling requirements (i.e., a copy of this policy).
(k) When a data sharing agreement exists with more strict requirements than town policy, staff should follow the electronic data handling requirements outlined in the data sharing agreement. (Res. 413 § 1 (Exh. A), 2021)