(a)  Except as provided in Paragraph (b) of this Rule, all Requestors shall enter into a data sharing agreement with the Contributors that are the custodians of the Data that may be needed to generate a requested report. The requestor data sharing agreement shall be separate and distinct from the Memorandum of Understanding between the Contributors and GDAC.

(b)  Requestors who are also Contributors and parties to the Contributor Memorandum of Understanding shall not be required to enter into a Requestor data sharing agreement unless one or more of the Contributors responding to the party's Request notifies the Requestor that a data sharing agreement must be entered into before Data is disclosed in order to comply with Applicable Law. An example of when a Requestor data sharing agreement may be required is an instance where a Contributor is making a Request of the NC Department of Commerce for Data that has not been Aggregated.

(c)  The Requestor data sharing agreements shall contain the following:

(1)           limitations on Report access to authorized persons;

(2)           prohibition on the re-identification of persons included in Reports in accordance with G.S. 116E-5(e);

(3)           information technology system and data security standards required by the Contributor who will be providing Data for the Report;

(4)           privacy compliance standards;

(5)           data breach procedures, including notification of DIT of any cybersecurity incidents as described by G.S. 143B-1320(a)(4a) or G.S. 143b-1320(a)(16a) using the incident report form available at: https://it.nc.gov/resources/cybersecurity-risk-management/statewide-cybersecurity-incident-report-form;

(6)           terms regarding the disclaimer of liability as applied to Contributors pursuant to the doctrine of sovereign immunity and statutory immunity; and

(7)           data retention and data removal standards.


History Note:        Authority G.S. 143B-1321(a)(16); 116E-4(b);

Eff. January 1, 2021.