With the passage of SB 5432, effective date July 25, cities are required to implement data sharing agreements with
other public agencies when sharing data classified as category 3 or higher.
The newly required data sharing agreements (DSAs) are similar to the DSAs sent out by the State Auditor’s Office in late May.
Cities will need to enter into DSAs only when sharing data classified as category 3 or higher with other public agencies.
According to the state Office of the Chief Information Officer (OCIO), category 3 data includes confidential information such as personal information, information
about public employees, and information about network infrastructure and security. Category 4 data includes confidential information that requires special handling. This would include information that is specifically protected from disclosure by law.
DSAs must include the following elements:
- The data that will be shared.
- The specific authority for sharing the data.
- The classification of the data shared.
- Access methods for the shared data.
- Authorized users and operations permitted.
- Protection of the data in transport and at rest.
- Storage and disposal of data no longer required.
- Backup requirements for the data, if applicable.
- Other applicable data handling requirements.
A key reminder about this new requirement is that cities are only required to enter into DSAs with other public agencies, such as county governments or state agencies. We encourage those cities that share data classified as category 3 or higher with outside
public agencies to work with their legal counsel to develop a model DSA that can be used with outside organizations.