Laserfiche WebLink
ATTACHMENT H: DOL PRIVACY AND DATA SECURITY REQUIREMENTS <br />Department of Licensing Page 33 of 36 Contract No: K9319 <br /> <br />5. PRIVACY <br />The Contractor must have a privacy framework. At a minimum, the framework must include principles <br />and methodologies for identifying and managing privacy risks, including the following: <br />a. Privacy Policy <br /> Contractor must have a privacy policy that: <br />1) Declares data is managed as an asset of the organization, and outlines appropriate <br />controls for the protection of data, and <br />2) Sets an expectation that all personnel will secure, use, and dispose of Personal <br />Information in alignment with Contractor’s privacy and security practices, which must <br />collectively align with these Privacy and Data Security Requirements. <br /> <br />b. Privacy Notice <br />Contractor must have a privacy notice available to inform the public how Contractor gathers, <br />shares, uses, discloses, and manages Personal Information. This notice must appear on, and <br />be easily recognizable to persons visiting the Contractor’s website where Applicants register <br />for training or examinations. <br />A copy of this notice must also be posted in their place of business where Applicants provide <br />Personal Information to the Contractor or Subcontractor. <br /> <br />c. Incident Response Plan <br />Contractors are required to have an incident response plan to respond to an Incident or Data <br />Breach. At a minimum, the plan is to include: <br />1) Procedures the Contractor uses to prepare for, detect, respond to, and recover from <br />Incidents or Data Breaches, <br />2) Notification to DOL; and <br />3) Notification in accordance with chapter 19.255 RCW. <br /> <br />d. Training <br />Contractor must provide annual training to all Employees and Subcontractors who have <br />access to Personal Information on its privacy policy and keep a record or log that reflects this <br />annual requirement has been met. Contractor may use the following training video to satisfy <br />the above requirements if they do not have their own equivalent in-house <br />training- https://www.youtube.com/watch?v=uylbgjsVsKs. <br /> <br />6. DATA SECURITY REQUIREMENTS – ELECTRONIC RECORDS <br />All Personal Information in Electronic form, including recorded conversations, must be secured as <br />follows: <br />The Contractor must protect Personal Information with administrative, technical, and physical <br />measures that meet generally recognized cyber security industry standards and best practices, <br />including those established by Washington Technology Solutions (WaTech). Examples of acceptable <br />cyber security industry standards and best practices include: <br /> <br />• ISO 27002. <br />• PCI DSS. <br />• NIST 800 series; and <br />• WaTech IT Security Policies and Standards (SEC series) <br />• DOL will audit to the standards in WaTech IT Security Policies and Standards (SEC series) when <br />Contractor does not have an industry standard acceptable to DOL in place to secure electronic <br />information. <br />Docusign Envelope ID: 4798BD77-1E90-44A1-9098-432C0EDF7393