L&I, Office of Information Technology Procedure
Name: | Requesting Release of Protected Data |
Effective Date: | June 2017 |
Category: | Application |
Version: | 1.2 |
1. Scope:
This procedure applies to all Department of Labor & Industry (L&I) employees and business partners (hereinafter referred to collectively as “L&I Users”).
2. Procedure:
The procedure is implemented by L&I OIT on behalf of the data owner L&I User requesting access to the data.
- Procedure
Step | Responsibility | Action |
1. | L&I User | Forwards a written request to the system owner with inclusion of the following:
- The nature and type of data requested,
- The intended use(s) of the data,
- Plans for storage, retention and disposal of data, and
- Assurance that the confidentiality and security of the data will be maintained
|
2. | System Owner | Uses the following criteria to evaluate the information supplied by the requestor:
- Need for the Requested Data
Does there exist a compelling need or absolute necessity for the requested data; can the data be replaced with non-identifiable data; does the need for this data justify the risk of disclosure or can test data be utilized?
- Use of the Data
Will the data be utilized for legitimate purposes; will data use be restricted to the stated purposes; how can the use be verified?
- Confidentiality/Security of the Data
Will the data be safeguarded and protection maintained; does there exist a potential for violation of the confidentiality of the data or the actual physical theft or loss; and will the data be disclosed or re-released to anyone at any time under any circumstances?
- Data owner restrictions
What are the laws, statutes and regulations concerning the sharing of this data; what is the data owner’s approval mechanism to release protected data?
|
3. | System Owner | Obtains and evaluates OIT staff recommendations as necessary. |
4. | System Owner | Obtains the following assurances from the requestor:
- The requestor will fully protect the confidentiality of the data provided,
- The requestor will not disclose or release the identifiable data,
- The requestor will report immediately the loss or theft of any protected data or related confidential materials to the data owner, and
- The requestor will, by a specified date, either return or destroy all data, as agreed by the data owner and data requestor.
|
5. | System Owner | Approves or disapproves the release of the protected data based on information supplied by the data requestor and any OIT staff recommendations. |
6. | System Owner | Provides a written notification on the approval or disapproval to release the requested protected data to the data requestor and impacted OIT staff. |
7. | OIT Staff | Proceeds with the release of the protected data to the data requestor as approved by the data owner. |
3. References
L&I Policy Definitions Document
ADM-002 - ITIL Compliance
APP-000 - System Development Life Cycle
APP-001 - Release of Protected Data Policy
ITP-PRV001 - Commonwealth of Pennsylvania Electronic Information Privacy Policy
ITP-SEC019 - Policy and Procedures for Protecting Commonwealth Electronic Data
Executive Order 2016-07 - Open Data, Data Development, and Data Governance
IRS Publication 1075
NIST SP 800-53 R4
4. Version Control
Version | Date | Purpose |
1.1 | 10/2016 | Base Document |
1.2 | 06/2017 | Updates to match policy |