|
DocuSign Envelope ID: 02CA927F-178D-4C50-A5D8-D8ED34B85215
<br />OLA #: 331002887
<br />Routing #: 23-HA4-XC-00156
<br />by Local Agency or a third party. Additionally, if Local Agency is required to perform a single audit under
<br />2 CFR 200.501, et seq., then Local Agency shall submit a copy of the results of that audit to the State within
<br />the same timelines as the submission to the federal government.
<br />10. CONFIDENTIAL INFORMATION -STATE RECORDS
<br />A. Confidentiality
<br />Local Agency shall hold and maintain, and cause all Subcontractors to hold and maintain, any and all State
<br />Records that the State provides or makes available to Local Agency for the sole and exclusive benefit of the
<br />State, unless those State Records are otherwise publicly available at the time of disclosure or are subject to
<br />disclosure by Local Agency under CORA. Local Agency shall not, without prior written approval of the
<br />State, use for Local Agency's own benefit, publish, copy, or otherwise disclose to any third party, or permit
<br />the use by any third party for its benefit or to the detriment of the State, any State Records, except as otherwise
<br />stated in this Agreement. Local Agency shall provide for the security of all State Confidential Information
<br />in accordance with all policies promulgated by the Colorado Office of Information Security and all applicable
<br />laws, rules, policies, publications, and guidelines. Local Agency shall immediately forward any request or
<br />demand for State Records to the State's principal representative. If Local Agency or any of its Subcontractors
<br />will or may receive the following types of data, Local Agency or its Subcontractors shall provide for the
<br />security of such data according to the following: (i) the most recently promulgated IRS Publication 1075 for
<br />all Tax Information and in accordance with the Safeguarding Requirements for Federal Tax Information
<br />attached to this Award as an Exhibit, if applicable, (ii) the most recently updated PCI Data Security Standard
<br />from the PCI Security Standards Council for all PCI, (iii) the most recently issued version of the U.S.
<br />Department of Justice, Federal Bureau of Investigation, Criminal Justice Information Services Security
<br />Policy for all CJI, and (iv) the federal Health Insurance Portability and Accountability Act for all PHI and
<br />the HIPAA Business Associate Agreement attached to this Award, if applicable. Local Agency shall
<br />immediately forward any request or demand for State Records to the State's principal representative.
<br />B. Other Entity Access and Nondisclosure Agreements
<br />Local Agency may provide State Records to its agents, employees, assigns and Subcontractors as necessary
<br />to perform the Work, but shall restrict access to State Confidential Information to those agents, employees,
<br />assigns and Subcontractors who require access to perform their obligations under this Agreement. Local
<br />Agency shall ensure all such agents, employees, assigns, and Subcontractors sign nondisclosure agreements
<br />with provisions at least as protective as those in this Agreement, and that the nondisclosure agreements are
<br />in force at all times the agent, employee, assign or Subcontractor has access to any State Confidential
<br />Information. Local Agency shall provide copies of those signed nondisclosure agreements to the State upon
<br />request.
<br />C. Use, Security, and Retention
<br />Local Agency shall use, hold and maintain State Confidential Information in compliance with any and all
<br />applicable laws and regulations in facilities located within the United States, and shall maintain a secure
<br />environment that ensures confidentiality of all State Confidential Information wherever located. Local
<br />Agency shall provide the State with access, subject to Local Agency's reasonable security requirements, for
<br />purposes of inspecting and monitoring access and use of State Confidential Information and evaluating
<br />security control effectiveness. Upon the expiration or termination of this Agreement, Local Agency shall
<br />return State Records provided to Local Agency or destroy such State Records and certify to the State that it
<br />has done so, as directed by the State. If Local Agency is prevented by law or regulation from returning or
<br />destroying State Confidential Information, Local Agency warrants it will guarantee the confidentiality of,
<br />and cease to use, such State Confidential Information.
<br />D. Incident Notice and Remediation
<br />If Local Agency becomes aware of any Incident, it shall notify the State immediately and cooperate with the
<br />State regarding recovery, remediation, and the necessity to involve law enforcement, as determined by the
<br />State. Unless Local Agency can establish that none of Local Agency or any of its agents, employees, assigns,
<br />or Subcontractors are the cause or source of the Incident, Local Agency shall be responsible for the cost of
<br />notifying each person who may have been impacted by the Incident. After an Incident, Local Agency shall
<br />take steps to reduce the risk of incurring a similar type of Incident in the future as directed by the State, which
<br />Document Builder Generated Page 17 of 29
<br />Rev. 05/24/2022
<br />
|