DocuSign Envelope ID: 25009681-B196-4A51-BCB8-FEODB9BB526A

Washington State Department of Corrections
Contract No. K9412
Amendment No. 7

This Amendment is made by the state of Washington, Department of Corrections, hereinafter referred to as Department, and Grant County, hereinafter referred to as the County, for the purpose of amending the above-referenced Contract, heretofore entered into between the Department and the County.

WHEREAS the purpose of this Contract Amendment is to extend the period of performance, increase the per diem rate of compensation, and add data sharing terms and conditions.

NOW THEREFORE, in consideration of the terms and conditions contained herein, or attached and incorporated and made a part hereof, the Department and County agree as follows:

The following sections are amended, in part, as follows:

ARTICLE II, SECTION 2.1 TERM is hereby amended, in part, as follows:

Section 2.1 Term. This Agreement supersedes all previous oral and written contracts and agreements between the parties relating to the confinement, care, and treatment of Department offenders. This Contract commences on January 1, 2016 and continues through ((December 2[illegible])) June 30, 2023, unless terminated by either party pursuant to this Contract.

ARTICLE II, SECTION 2.4 PER DIEM BILLING is hereby amended, in part, as follows:

Section 2.4 Per Diem Billing. The per diem rate is $76.49 per Department offender, for January 1, 2019 to June 30, 2019. The per diem rate is $78.79 per Department offender for January 1, 2020 through December 31, 2020. Beginning January 1, 2021 through December 31, 2021, the per diem rate is $82.73 per Department offender. Beginning January 1, 2022 through December 31, 2022, the per diem rate is $86.86 per Department offender. Beginning January 1, 2023 through June 30, 2023, the per diem rate is $91.20.

[...]

The DATA SHARING AND ACCESS TO INFORMATION TECHNOLOGY RESOURCES TERMS AND CONDITIONS, which is attached hereto and incorporated herein, is added to the Agreement as ATTACHMENT D and incorporated into the Contract as though fully set forth therein.

Additions to this text are shown by underline and deletions by ((strikeout)).

All other terms and conditions remain in full force and effect.

The effective date of this amendment is January 1, 2022.

THIS CONTRACT AMENDMENT, consisting of two (2) pages and one (1) attachment, is executed by the persons signing below who warrant that they have the authority to execute the contract.

Washington State K9412(7) Page 1 of 2 Department of Corrections 22MVP

GRANT COUNTY SHERIFF'S OFFICE
Kriete, Sheriff    Date

BOARD OF COMMISSIONERS, GRANT COUNTY
Danny Stone    Date
Rob Jones    Date
Cindy Carter    Date
Barbara Vasquez, Clerk of the Board    Date

DEPARTMENT OF CORRECTIONS
Daryl A. Huntsinger, Contracts Administrator    Date

Approved as to Form: This amendment format was approved by the office of the Attorney General. Approval on file.

ATTACHMENT D

DATA SHARING AND ACCESS TO INFORMATION TECHNOLOGY RESOURCES TERMS AND CONDITIONS

1. GENERAL

1.1 The purpose of the Data Sharing and Access to Information Technology Resources Terms and Conditions is to set forth the terms and conditions under which the Department of Corrections ("DOC") will allow the restricted use of its confidential information to Grant County ("Requestor"), and under which Requestor may receive and use the confidential information. This Agreement further sets forth the terms and conditions under which DOC will allow the restricted use of and access to its information technology (IT) resources ("IT Resources") and under which Requestor may access and use those IT Resources.
This Agreement ensures that confidential information and access to IT resources are provided, protected, and used only for purposes authorized by this Agreement and in accordance with state and federal law.

1.2 DOC may provide Requestor with confidential information necessary for Requestor to perform the Agreement, including Protected Health Information of individuals under the jurisdiction of the Department.

1.3 The data to be shared under this Agreement may include Category 3 — Confidential Information and Category 4 — Confidential Information Requiring Special Handling, based upon classification categories developed by the Washington State Office of the Chief Information Officer (hereinafter referred to as "OCIO"). Data will be on an individual-level and non-aggregated, with personal identifiers. All data and information provided to Requestor by Department pursuant to this Agreement is hereinafter referred to as "DOC Data."

2. USE OF DATA AND IT RESOURCES

2.1 Requestor and its employees, agents, volunteers, contractors, and subcontractors (collectively referred to herein as "Requestor") with access to DOC Data and/or IT Resources shall access and use such data and/or resources only for the purposes set forth in this Agreement. This Agreement does not constitute a release of DOC Data and/or IT Resources for Requestor's discretionary use. DOC Data and IT Resources may be accessed only to carry out the responsibilities specified herein. Any ad hoc analyses or other use of DOC Data or IT Resources not specified in this Agreement is not permitted without the prior written agreement of DOC.

2.2 Requestor shall comply with the policies, standards, and guidelines of the OCIO, including OCIO Standard 141.10; DOC Policy 280.310 — Information Technology Security; DOC Policy 280.515 — Data Classification and Sharing; the terms and conditions set forth in this Agreement; and all applicable state and federal laws in its treatment of DOC Data and IT Resources.

2.3 Neither the state of Washington nor DOC guarantee or warrant the accuracy, timeliness, or completeness of DOC Data. Requestor understands and assumes all risks and liabilities of use and misuse of DOC Data or IT Resources by Requestor.

2.4 Requestor shall not use, transfer, sell, or otherwise disclose DOC Data gained by reason of this Agreement for any purpose that is not directly connected with the purpose, justification, and permitted uses of this Agreement, except as provided by law or with the prior written consent of DOC and the individual or personal representative of the individual who is the subject of the DOC Data, if any.

2.5 (Omitted.)

2.5.1 (Omitted.)

2.5.2 (Omitted.)

2.5.3 (Omitted.)

2.6 Requestor is not authorized to update or change any DOC Data, and any updates or changes to DOC Data shall be cause for immediate termination of this Agreement.

2.7 PUBLICATION OF DOC DATA.

2.7.1 Any and all reports utilizing or derived from DOC Data shall be subject to review by DOC prior to publication or presentation. Requestor shall provide all draft materials to DOC for review of usability, data sensitivity, data accuracy, completeness, and consistency with DOC standards at least twenty (20) working days prior to the presentation or publication of any report utilizing or derived from DOC Data.

2.7.2 Requestor shall include the following statement with any publication utilizing or derived from DOC Data: "This material utilizes confidential information from the Washington State Department of Corrections (DOC). Any views expressed here are those of the author(s) and do not necessarily represent those of the DOC or other data contributors. Any errors are attributable to the author(s)."

2.8 Any data that is derived from DOC Data or which could not have been produced but for the use of DOC Data shall be considered DOC Data and is subject to the terms and conditions set forth in this Agreement.

2.9 The requirements in this section shall survive the termination or expiration of this Agreement or any subsequent agreement intended to supersede this Agreement.

3. DATA SECURITY

3.1 PROTECTION OF DATA. All electronic data provided by DOC shall be stored on an encrypted hard drive in a secure environment with access limited to the fewest number of staff needed to complete the purpose of this Agreement.

3.1.1 Workstation hard disk drives. Data stored on local workstation hard disks shall be encrypted with a FIPS approved cryptographic algorithm. Access will be restricted to authorized users by requiring logon to the local workstation using a unique user ID and complex password or other authentication mechanisms that provide equal or greater security, such as biometrics or smart cards.

Washington State K9412(7) Page 2 of 11 Department of Corrections Attachment D

3.1.2 Network server disks. Data stored on hard disks mounted on network servers and made available through shared folders shall be encrypted with a FIPS approved cryptographic algorithm. Access to the data will be restricted to authorized users through the use of access control lists which will grant access only after the authorized user has authenticated to the network using a unique user ID and complex password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on disks mounted to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism. Backup copies must be encrypted if recorded to removable media.

3.1.3 Optical discs (e.g., CDs, DVDs, Blu-Rays) in local workstation optical disc drives.
Data provided by DOC on optical discs that will be used in local workstation optical disc drives and will not be transported out of a secure area shall be encrypted with a FIPS approved cryptographic algorithm. When not in use, such discs must be locked in a drawer, cabinet or other container to which only authorized users have the key combination, or mechanism required to access the contents of the container. Workstations which access DOC Data on optical discs must be located in an area accessible only to authorized individuals, with access controlled through use of key, card key, combination lock, or comparable mechanism.

3.1.4 Optical discs (e.g., CDs, DVDs, Blu-Rays) in drives or other devices attached to a network. Data provided by DOC on optical discs that will be used in drives or other devices attached to a network shall be encrypted with a FIPS approved cryptographic algorithm. Access to data on these discs will be restricted to authorized users through the use of access control lists which will grant access only after the authorized user has authenticated to the network using a unique user ID and complex password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. The optical discs must be located in an area accessible only to authorized individuals, with access controlled through use of a key, card key, combination lock, or comparable mechanism.

3.1.5 Paper documents. Any paper records must be protected by storing the records in a secure area accessible only to authorized individuals. When not in use, such records must be stored in a locked container, such as a file cabinet, locking drawer, or safe, to which only authorized persons have access.

3.1.6 Portable Devices. Within this Agreement, portable devices include, but are not limited to handhelds/PDAs, Ultramobile PCs, flash memory devices (e.g., USB flash drives, personal media players), portable hard disks, and laptop/notebook computers.
Portable media includes, but is not limited to optical media (e.g., CD's, DVD's, Blu-Rays), magnetic media (e.g., floppy disks, Zip or Jaz disks or drives), and flash media (e.g., Compact Flash, SD Card, MMC).

■ Requestor shall not store DOC Data on portable devices or portable media unless specifically authorized within this Agreement. If so authorized, the Requestor shall:
■ Encrypt the data with a FIPS approved cryptographic algorithm.
■ Control access to devices with a unique user ID and password or stronger authentication method such as a physical token or biometrics.
■ Manually lock devices whenever they are left unattended and set devices to lock automatically after a period of inactivity, if this feature is available. Maximum period of inactivity is twenty (20) minutes.
■ Physically protect the portable device(s) and/or media by keeping them in locked storage when unused; using check-in/check-out procedures when device or other media is being shared; taking frequent inventories of media, and access to media by users.
■ When being transported outside of a secure area, portable devices and media with confidential DOC Data must be under the physical control of Requestor's staff with authorization to access the data.

3.1.7 Backup Data Storage

3.1.7.1 DOC Data may be stored on Portable Devices that meet the requirements for such storage as part of Requestor's existing, documented backup process for business continuity or disaster recovery purposes. Such storage is authorized until such time as that media would be reused during normal backup operations. If backup media is retired while DOC Data still exists upon it, such media will be destroyed at that time in accordance with the disposition requirements of this Agreement.

3.1.7.2 Data may be stored on non-portable media (e.g., Storage Area Network drives, virtual media, etc.)
that meet the requirements for such storage as part of a Requestor's existing, documented backup process for business continuity or disaster recovery purposes. If so, such media will be protected as otherwise described in this Agreement. If this media is retired while DOC Data still exists upon it, the DOC Data will be destroyed at that time in accordance with the disposition requirements of this Agreement.

3.1.8 Cloud Storage. DOC Data requires protections equal to or greater than those specified in this agreement. Cloud storage of DOC Data is problematic as neither DOC nor the Requestor has control of the environment in which the DOC Data is stored. For this reason:

3.1.8.1 DOC Data will not be stored in any consumer grade Cloud solution, unless all of the following conditions are met:

(1) Requestor has written procedures in place and governing the use of Cloud storage and Requestor attests in writing that all such procedures will be uniformly followed.

(2) DOC Data will be Encrypted while within the Requestor's network.

(3) DOC Data will remain Encrypted during transmission to the Cloud.

(4) DOC Data will remain Encrypted at all times while residing within the Cloud storage solution.

(5) Requestor will possess a decryption key for the DOC Data and the decryption key will be possessed only by Requestor and/or DOC.

(6) DOC Data will not be downloaded to non-authorized systems, meaning systems that are not on either the DOC network or Requestor's network.

(7) DOC Data will not be decrypted until downloaded onto a computer within the control of an Authorized User and within either the DOC's network or Requestor's network.

3.1.8.2 DOC Data will not be stored on an Enterprise Cloud storage solution unless either:

(1) The Cloud storage provider is treated as any other subcontractor and agrees in writing to all the requirements within this Attachment; or

(2) The cloud storage solution used is FedRAMP certified.

3.1.8.3 If DOC Data includes protected health information covered by the Health Insurance Portability and Accountability Act (HIPAA), the Cloud provider must sign a Business Associate Agreement prior to storing DOC Data in their Cloud solution.

3.1.8.4 Definitions. The words and phrases used in this provision shall have the following definitions:

(1) "Business Associate Agreement" means an agreement between DOC and a contractor who is receiving Data covered under the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996. The agreement establishes permitted and required uses and disclosures of protected health information (PHI) in accordance with HIPAA requirements and provides obligations for business associates to safeguard the information.

(2) "Cloud" means data storage on servers hosted by an entity other than the Contractor and on a network outside the control of the Contractor. Physical storage of data in the cloud typically spans multiple servers and often multiple locations. Cloud storage can be divided between consumer grade storage for personal files and enterprise grade for companies and governmental entities. Examples of consumer grade storage would include iTunes, Dropbox, Box.com, and many other entities. Enterprise cloud vendors include Microsoft Azure, Amazon Web Services, and Rackspace.

(3) "Encrypt" means to encode Confidential Information into a format that can only be read by those possessing a "key"; a password, digital certificate or other mechanism available only to authorized users.
Encryption must use a key length of at least 256 bits for symmetric keys, or 2048 bits for asymmetric keys. When a symmetric key is used, the Advanced Encryption Standard (AES) must be used if available.

(4) "FedRAMP" means the Federal Risk and Authorization Management Program (see www.fedramp.gov), which is an assessment and authorization process that federal government agencies have been directed to use to ensure security is in place when accessing Cloud computing products and services.

3.2 SYSTEM PROTECTION. To prevent the compromise of systems that contain DOC Data or through which DOC passes:

3.2.1 Systems containing DOC Data must have all security patches or hotfixes applied within three (3) months after such patches or hotfixes are made available.

3.2.2 Requestor must have a process to ensure that the requisite patches and hotfixes have been identified and applied within the required timeframe.

3.2.3 Systems containing DOC Data shall have anti-malware application installed, if such an application is available.

3.2.4 Anti-malware software shall be kept up to date. The product, anti-virus engine, and any malware database used will be no more than one (1) update behind the most current version.

3.2.5 Requestor's patch management process must meet or exceed the then-current standards promulgated by the National Institute of Standards and Technology (NIST), which may be found at the time of drafting in NIST Special Publication 800-40.

3.2.6 The system architecture must provide continuous monitoring of both internal and external activity for anomalies and identify, report, and defend against security intrusions before data is compromised.

3.2.7 Requestor shall conduct penetration tests at least once every twenty-four (24) months, system vulnerability assessments at least monthly, and application vulnerability assessments prior to the production release of any changes to source code.

3.2.8 Requestor's application/system development practices must be consistent with those promulgated by NIST for low to moderate impact systems, which may be found in NIST SP 800.64 at the time of drafting.

3.2.9 Requestor warrants that its application/system does not contain any of the Open Web Application Security Project's top ten (10) vulnerabilities.

3.2.10 Requestor has a practice of systematic collection, monitoring, alerting, maintenance, retention, and disposal of security event logs and application audit trails. Logs and audit trails are written to an area inaccessible to system users and are protected from editing. At a minimum, the logs and audit trails must provide historical details on all transactions within the system that are necessary to reconstruct activities, including, but not limited to, recording the type of event, date, time, account identification, and machine identifiers for each logged transaction. Audit and log files can be analyzed by type in order to find emerging issues or trends. Requestor's system must trigger immediate notification to appropriate system administrators for severe incidents. Logs must be secured against unauthorized changes. Logs must be retained for at least six (6) months.

3.3 SAFEGUARDS AGAINST UNAUTHORIZED USE AND RE-DISCLOSURE OF DATA. Requestor shall exercise due care to protect all data from unauthorized physical and electronic access.
Both parties shall establish and implement the following minimum physical, electronic, and managerial safeguards for maintaining the confidentiality of information provided by either party pursuant to this Agreement:

3.3.1 Access to information provided by DOC will be restricted to only those authorized staff, officials, and agents of the parties who need it to perform their official duties in the performance of the work requiring access to the information as detailed in this Agreement and/or contract which this Agreement concerns.

3.3.2 Requestor will store the information in an area that is safe from access by unauthorized persons during work hours as well as non-work hours, or when otherwise not in use.

3.3.3 Requestor will design, implement and maintain an information security program designed to meet at least an industry standard ability to protect the information in a manner that prevents unauthorized persons from retrieving the information by means of computer, remote terminal, or other means.

3.3.4 Requestor shall take precautions to ensure that only authorized personnel and agents are given access to files containing confidential or sensitive data.

3.3.5 Requestor shall take due care and reasonable precautions to protect DOC Data from unauthorized physical and electronic access.

3.3.6 Both parties shall meet or exceed the requirements set forth in the OCIO's policies and standards for data security and access controls to ensure the confidentiality, availability, and integrity of all data accessed.

4. DATA SEGREGATION

4.1. DOC Data provided pursuant to this Agreement must be segregated or otherwise distinguishable from non-DOC Data. This requirement ensures that all DOC Data can be identified for return or destruction upon expiration, termination, or completion of work under this Agreement. It also aids in determining whether DOC Data has or may have been compromised in the event of a security breach.

4.2. METHODS OF DATA SEGREGATION.

4.2.1 Electronic Media. If DOC Data is stored on electronic media (e.g., hard disk, optical disc, magnetic tape):

4.2.1.1 Such electronic media shall contain only DOC Data; or

4.2.1.2 DOC Data shall be stored in a partition or folder or other logical container dedicated to DOC Data;

4.2.2 Database. If DOC Data is stored in a database:

4.2.2.1 Such database shall contain only DOC Data; or

4.2.2.2 DOC Data shall be distinguishable from non-DOC Data by the value of a specified field or fields within database records.

4.3 Paper Documents. If DOC Data is stored as physical paper documents, such documents shall be physically segregated from non-DOC Data and secured in a drawer, folder, or other container, with access limited to only authorized individuals.

4.3 When it is not feasible or practical to segregate DOC Data from non-DOC Data using the methods set forth above, then both the DOC Data and the non-DOC Data with which it is commingled must be protected as described for DOC Data in this Agreement.

5. DATA CONFIDENTIALITY

5.1 Requestor acknowledges the personal or confidential nature of the information and agrees that all employees, agents, volunteers, contractors, and subcontractors with access to DOC Data, and third parties with whom DOC Data is shared, shall comply with all laws, regulations, and policies that apply to protection of the confidentiality of the DOC Data. Requestor is responsible for ensuring all such employees, agents, volunteers, contractors, subcontractors, and third parties are aware of and abide by the data use and security provisions set forth in this Agreement and any amendments, attachments, or exhibits hereto.
Requestor is responsible for timely providing the Department with duly executed Statements of Confidentiality and Non-Disclosure and Certifications of Data Disposition for all such employees, agents, volunteers, contractors, subcontractors, and third parties. Requestor acknowledges that the failure to meet the requirements set forth in this section is, at DOC's discretion, cause for termination.

5.2 (Omitted.)

5.2.1 (Omitted.)

5.2.2 (Omitted.)

5.3 PENALTIES FOR UNAUTHORIZED DISCLOSURE OF INFORMATION. In the event Requestor fails to comply with any material term of this Agreement, DOC shall have the right to take any and all actions to remedy such failure and its effects that DOC, in its sole discretion, deems reasonable under the circumstances. Any costs, fees, or expenses, including legal costs, incurred by DOC as a result of Requestor's failure to comply with the terms of this Agreement shall be recoverable from Requestor. The exercise of remedies pursuant to this paragraph shall be in addition to all sanctions provided by law and to legal remedies available to parties injured by unauthorized disclosure.

6. INCIDENT NOTIFICATION AND RESPONSE

6.1 The compromise or potential compromise of DOC Data that may be a breach that requires notice to affected individuals under RCW 42.56.590, RCW 19.255.010, or any other applicable breach notification law or rule must be reported to the DOC Contract Manager and DOC Chief Information Security Officer in writing within one (1) business day of discovery.

6.2 If Requestor does not have full details about the incident, it will report what information it has and provide full details as soon as possible but no later than ten (10) business days after the date of discovery.
To the extent possible, these initial reports must include at least:

6.2.1 The nature of the unauthorized use or disclosure, including a brief description of the event of unauthorized use or disclosure, the date of the event, and the date of discovery.

6.2.2 A description of the types of information involved.

6.2.3 The investigative and remedial actions Requestor or its subcontractor took or will take to prevent and mitigate harmful effects and protect against recurrence.

6.2.4 Any details necessary for a determination of whether the incident is a breach that requires notification under RCW 19.255.010, RCW 42.56.590, or any other applicable breach notification law or rule.

6.2.5 Any other information DOC reasonably requests.

6.3 As soon as reasonably practicable, Requestor must also take actions to mitigate the risk of loss and comply with any notification or other requirements imposed by law or DOC.

6.4 If, in the sole judgment of DOC, notifications to individuals must be made, Requestor will further cooperate and facilitate notification to required parties, which may include notification to affected individuals, the media, the Attorney General's Office, or other authorities based on applicable law. At DOC's discretion, Requestor may be required to directly fulfill notification requirements, or if DOC elects to perform the notifications, Requestor must reimburse DOC for all associated costs.

6.5 Requestor is responsible for all costs incurred in connection with a security incident, privacy breach, or potential compromise of DOC Data, including, but not limited to:

6.5.1 Computer forensics assistance to assess the impact of a data breach, determine root cause, and help determine whether and the extent to which notification must be provided to comply with breach notification laws.

6.5.2 Notification and call center services for individuals affected by a security incident or privacy breach, including fraud prevention, credit monitoring, and identity theft assistance.

6.5.3 Regulatory defense, fines, and penalties from any claim in the form of a regulatory proceeding resulting from a violation of any applicable privacy or security laws or regulations.

6.6 Requestor's obligations regarding incident notification survive the termination of this Agreement and continue for as long as Requestor maintains DOC Data and for any breach or potential breach, at any time.

7. DISPOSITION OF DATA

7.1 TIME OF DISPOSAL. Requestor shall immediately dispose of DOC Data upon: (a) the expiration of the Agreement; (b) the termination of the Agreement; (c) the completion of work that required the data; and (d) one (1) year from the date the DOC Data was made available to Requestor.

7.2 METHOD OF DISPOSAL. At DOC's option, the disposal required in this section may be accomplished by the destruction of DOC Data, the return of DOC Data to DOC, or a combination of both. Requestor shall perform all other actions DOC determines necessary to protect DOC Data. If DOC does not specify a preferred method of disposal, Requestor shall destroy the DOC Data.

7.3 (Omitted.)

7.4 METHODS OF DESTRUCTION.

7.4.1 Paper Documents.

7.4.1.1 Paper documents containing Category 3 data may be recycled by a contracted recycling firm, provided that the contract ensures the confidentiality of the data will be protected. Such documents may also be destroyed by on-site shredding, pulping, or incineration.

7.4.1.2 Paper documents containing Category 4 data shall be destroyed by on-site shredding, pulping, or incineration.

7.4.2 Optical Discs. Optical discs containing Category 3 or Category 4 data shall be destroyed by on-site incineration, shredding, or complete defacement of the readable surface with a coarse abrasive.

7.4.3 Magnetic Tapes.
Magnetic tapes containing Category 3 or Category 4 data shall be destroyed by incineration, crosscut shredding, or degaussing.

7.4.4 Server and Workstation Hard Drives. Category 3 and Category 4 data stored on server and workstation hard drives, and other similar media, shall be destroyed by a data erasure or sanitation utility that overwrites the data at least three (3) times using either random or single character data, the degaussing of the hard drive or media sufficient to ensure that the data cannot be retrieved or reconstructed, or the complete physical destruction of the hard drive or media such that the content cannot be retrieved or reconstructed.

7.4.5 Portable Media. Category 3 and Category 4 data stored on portable media shall be destroyed by a data erasure or sanitation utility that overwrites the data at least three (3) times using either random or single character data, the complete degaussing of the portable media sufficient to ensure that the data cannot be retrieved or reconstructed, or the complete physical destruction of the portable media such that the content cannot be retrieved or reconstructed.

7.4.6 The requirements of this section shall survive the termination or expiration of this Agreement and any subsequent agreement intended to supersede this Agreement.

8. OFF-SHORE PROHIBITION

8.1 Requestor must maintain all hardcopies containing DOC Data in the United States.

8.2 Requestor may not directly or indirectly (including through subcontractors) transport or maintain any DOC Data, hardcopy or electronic, outside the United States unless it has advance written approval from the Department.

9.
ON-SITE OVERSIGHT AND RECORDS MAINTENANCE

During the term of this Agreement, DOC may, during normal business hours and upon reasonable written notice, audit, monitor, and review Requestor's activities and processes relevant to its obligations under this Agreement to ensure compliance therewith, within the limits of Requestor's technical capabilities. Requestor agrees to provide DOC access to information, materials, and equipment necessary to audit, monitor, and review Requestor's activities and processes. Requestor shall cooperate with DOC in the performance of any such audit, monitor, or review of Requestor's activities and processes. Both parties hereto shall retain all records, books, and documents related to this Agreement for six (6) years, except for data disposed of in accordance with this Agreement. The Office of the State Auditor, federal auditors, and any persons duly authorized by the parties shall have full access to and the right to examine any of these materials during the term of this Agreement.

10. RIGHTS IN DATA

Unless otherwise provided herein, this Agreement will not be construed to effect any transfer of right or license to the embodiments of the DOC's Data, except to the limited extent necessary to carry out the responsibilities specified in the Agreement.