Laserfiche WebLink
ATTACHMENT H: DOL PRIVACY AND DATA SECURITY REQUIREMENTS <br />Department of Licensing Page 35 of 36 Contract No: K9319 <br /> <br />g. DATA AT REST <br /> <br />Contractor must encrypt Personal Information while at rest with strong encryption as defined <br />at https://www.pcmag.com/encyclopedia/term/strong-encryption. <br /> <br />h. DATA MINIMIZATION <br />Contractor must have a policy for the retention of Personal Information. Contractor must only <br />retain Personal Information for the duration of time needed to fulfill the use for which it was <br />obtained, as well as any legal requirements to retain the record f or the minimum required <br />retention period in General Terms and Conditions- Section 8 Records Maintenance. <br /> <br />i. DATA AND MEDIA SANITIZATION <br />Contractor must have a data and media sanitization policy that aligns with current guidelines <br />and definitions in NIST SP 800-88, to include: <br />1) “Clear” or “clearing” applies when removing Personal Information from media once the <br />Personal Information has met the retention policy required in Section 6.h, Data <br />Minimization, of this attachment, or as directed by DOL. <br />2) “Purge” or “purging” applies when removing Personal Information from media when <br />media are reused for purposes within the organization but will not store Personal <br />Information. <br />3) “Destroy” or “destroying” applies when removing media that stored Personal Information <br />when the media is not going to be reused by the organization. <br />4) Unless explicitly required by law, Contractor must provide one or more certificates of <br />Clearing Personal Information, Purging Personal Information from media, or Destroying <br />media storing Personal Information, within thirty (30) days of: <br />I. Written request by DOL, or <br />II. Termination of this Contract. <br /> <br />7. DATA SECURITY REQUIREMENTS – HARD COPY RECORDS <br />The Contractor must secure all Personal Information in hard copy form as follows: <br />a. HARD COPY STORAGE <br />Printed copies must be stored in locked containers or storage areas when not in use by <br />authorized persons. Examples include a physically secure workspace, locked cabinets, or <br />vaults. Hard copy documents must never be unattended or in areas accessible to the public. <br />b. HARD COPY TRANSPORTATION <br />1) Hard copy documents containing Personal Information taken outside a secure area must <br />be in the possession of an authorized person, or a trusted courier providing tracking <br />services. <br />2) Records must be maintained for all transported hard copies showing the <br />person(s)/courier(s) responsible for such transportation, including the receiving party. <br /> <br />8. DATA SECURITY REQUIREMENTS – OFFSHORING <br />a. OFFSHORING – ELECTRONIC RECORDS <br />Contractor must maintain the primary, backup, disaster recovery and other sites for <br />processing or storage of Personal Information only from locations in the United States. <br />1) Contractor may not, without advance written approval from DOL: <br />i. Directly or indirectly (including through subcontactors) transmit Personal <br />Information outside the United States, or <br />ii. Allow access to Personal Information from outside the United States. <br /> <br />Docusign Envelope ID: 4798BD77-1E90-44A1-9098-432C0EDF7393