L&I, Office of Information Technology Procedure

Name: Requesting Release of Protected Data
Effective Date: June 2017
Category: Application
Version: 1.2

1. Scope:

This procedure applies to all Department of Labor & Industry (L&I) employees and business partners (hereinafter referred to collectively as “L&I Users”).

2. Procedure:

The procedure is implemented by L&I OIT on behalf of the data owner L&I User requesting access to the data.

  1. Procedure

    Step | Responsibility | Action
    1. | L&I User | Forwards a written request to the system owner that includes the following:
        • The nature and type of data requested,
        • The intended use(s) of the data,
        • Plans for storage, retention and disposal of data, and
        • Assurance that the confidentiality and security of the data will be maintained
    2. | System Owner | Uses the following criteria to evaluate the information supplied by the requestor:
        1. Need for the Requested Data
          Does there exist a compelling need or absolute necessity for the requested data; can the data be replaced with non-identifiable data; does the need for this data justify the risk of disclosure or can test data be utilized?
        2. Use of the Data
          Will the data be utilized for legitimate purposes; will data use be restricted to the stated purposes; how can the use be verified?
        3. Confidentiality/Security of the Data
          Will the data be safeguarded and protection maintained; does there exist a potential for violation of the confidentiality of the data or the actual physical theft or loss; and will the data be disclosed or re-released to anyone at any time under any circumstances?
        4. Data owner restrictions
          What are the laws, statutes and regulations concerning the sharing of this data; what is the data owner’s approval mechanism to release protected data?
    3. | System Owner | Obtains and evaluates OIT staff recommendations as necessary.
    4. | System Owner | Obtains the following assurances from the requestor:
        1. The requestor will fully protect the confidentiality of the data provided,
        2. The requestor will not disclose or release the identifiable data,
        3. The requestor will report immediately the loss or theft of any protected data or related confidential materials to the data owner, and
        4. The requestor will, by a specified date, either return or destroy all data, as agreed by the data owner and data requestor.
    5. | System Owner | Approves or disapproves the release of the protected data based on information supplied by the data requestor and any OIT staff recommendations.
    6. | System Owner | Provides a written notification on the approval or disapproval to release the requested protected data to the data requestor and impacted OIT staff.
    7. | OIT Staff | Proceeds with the release of the protected data to the data requestor as approved by the data owner.

3. References

L&I Policy Definitions Document

ADM-002 - ITIL Compliance

APP-000 - System Development Life Cycle

APP-001 - Release of Protected Data Policy

ITP-PRV001 - Commonwealth of Pennsylvania Electronic Information Privacy Policy

ITP-SEC019 - Policy and Procedures for Protecting Commonwealth Electronic Data

Executive Order 2016-07 - Open Data, Data Development, and Data Governance

IRS Publication 1075

NIST SP 800-53 R4

4. Version Control

Version | Date | Purpose
1.1 | 10/2016 | Base Document
1.2 | 06/2017 | Updates to match policy