L&I, Office of Information Technology Procedure
Requesting Release of Protected Data
This procedure applies to all Department of Labor & Industry (L&I) employees and business partners (hereinafter referred to collectively as “L&I Users”).
The procedure is implemented by L&I OIT on behalf of the data owner L&I User requesting access to the data.
L&I User
Forwards a written request to the system owner that includes the following:
- The nature and type of data requested,
- The intended use(s) of the data,
- Plans for storage, retention and disposal of data, and
- Assurance that the confidentiality and security of the data will be maintained.
System Owner
Uses the following criteria to evaluate the information supplied by the requestor:
- Need for the Requested Data
Does there exist a compelling need or absolute necessity for the requested data; can the data be replaced with non-identifiable data; does the need for this data justify the risk of disclosure, or can test data be utilized?
- Use of the Data
Will the data be utilized for legitimate purposes; will data use be restricted to the stated purposes; how can the use be verified?
- Confidentiality/Security of the Data
Will the data be safeguarded and protection maintained; does there exist a potential for violation of the confidentiality of the data or the actual physical theft or loss; and will the data be disclosed or re-released to anyone at any time under any circumstances?
- Data owner restrictions
What are the laws, statutes and regulations concerning the sharing of this data; what is the data owner’s approval mechanism to release protected data?
Obtains and evaluates OIT staff recommendations as necessary.
Obtains the following assurances from the requestor:
- The requestor will fully protect the confidentiality of the data provided,
- The requestor will not disclose or release the identifiable data,
- The requestor will report immediately the loss or theft of any protected data or related confidential materials to the data owner, and
- The requestor will, by a specified date, either return or destroy all data, as agreed by the data owner and data requestor.
Approves or disapproves the release of the protected data based on information supplied by the data requestor and any OIT staff recommendations.
Provides the data requestor and impacted OIT staff with written notification of the approval or disapproval to release the requested protected data.
Proceeds with the release of the protected data to the data requestor as approved by the data owner.
L&I Policy Definitions Document
ADM-002 - ITIL Compliance
APP-000 - System Development Life Cycle
APP-001 - Release of Protected Data Policy
ITP-SEC019 - Policy and Procedures for Protecting Commonwealth Electronic Data
Executive Order 2016-07 - Open Data, Data Development, and Data Governance
IRS Publication 1075
NIST SP 800-53 R4
4. Version Control
Updates to match policy