Iowa INTERIM Data Information Sharing Policy

Office of the Chief Information Officer

June 30, 2017

  1. Purpose - This Policy establishes the terms and conditions pursuant to which State Agencies (“Agency” or “Agencies”) may obtain access to Enterprise Information Technology Productivity Tools that permit Agencies to share or disseminate data and/or information with or to individuals both inside and outside of State government in furtherance of the Agency’s mission.
  2. Overview  -Numerous Agencies have requested that the Office enable various Productivity Tools allowing for the sharing or dissemination of data and/or information with or to individuals both inside and
    outside of State government. The Office intends to make these Productivity Tools available to State Agencies in order to allow them to efficiently share and disseminate data and/or information and therebyreduce administrative costs. However, because these Productivity Tools make it is easy to share data with the world, the Office has determined it is in the best interests of the State to establish procedures and requirements governing Agencies’ use and management of these Productivity Tools.
  3. Scope/Application - This Policy applies to all Agencies that are granted access to and use the various Productivity Tools made available by the Office which allow Agencies to share or disseminate data and/or information with or to individuals both inside and outside of State government. Agencies are encouraged to adopt supplemental standards and policies governing the use of such Productivity Tools consistent with their business needs and applicable laws, rules, and regulations. Such supplemental standards and policies may augment but not diminish this Policy. In the event of a conflict between this Policy and a standard or policy adopted by an Agency, this Policy shall govern.
  4. Definitions - Capitalized terms not defined herein shall have the same meaning given them by Iowa Code section 8B.1 and corresponding administrative rules. Select terms used in this Policy are defined as follows:
    • 4.1 “Enterprise Information Technology Productivity Tool(s)” or “Productivity Tool(s)” means applications, software, programs, modules and components made available by the Office for use by Agencies that facilitate the sharing or dissemination of data and/or information (including but not limited to data or information housed in or on documents, spreadsheets, presentations, or websites) with or to individuals both inside and outside of State government, such as GoogleDocs, GoogleDrive, GoogleSites, or GoogleGroups.
    • 4.2 “Qualified Administrator” means an employee, agent, affiliate, independent contractor, or other third party designated by the applicable Agency to create, manage, and/or administer Productivity Tools on behalf of an Agency.
  5. Data/Information Sharing Policy
    • 5.1. Access to Productivity Tools. In order to obtain access to Productivity Tools, an Agency must:
      • 5.1.1. Designate a Qualified Administrator(s). To do so, an individual within the applicable Agency with the delegated authority to do so must provide the name(s) and other requested information for such Qualified Administrator(s) to the Office at cio@iowa.gov.
      • 5.1.2. An Agency may only designate the minimum number of Qualified Administrators necessary to ensure the effective management of the Productivity Tool(s) used by the Agency. An individual Qualified Administrator may be responsible for overseeing their Agency’s use of all Productivity Tools used by an Agency, or only a subset of the Productivity Tools used by an Agency; provided, however, that each Productivity Tool used by the Agency must have a designated Qualified Administrator who is responsible for managing and overseeing the Agency’s use of each Productivity Tool used by the Agency.
    • 5.2. Qualified Administrator Responsibilities. A Qualified Administrator is responsible for managing and overseeing their Agency’s data and information sharing and dissemination practices through the Productivity Tools for which they have been designated as a Qualified Administrator. To that end, a Qualified Administrator shall:
      • 5.2.1. Possess a thorough understanding of the sharing and access- control features associated with the Productivity Tools they have been assigned to manage and oversee and the potential consequences associated with Agency personnel’s failure to make proper use of such features;
      • 5.2.2. Be responsible for providing training and answering questions of Agency personnel related to the proper use of the sharing and access-control features associated with the Productivity Tools they have been assigned to manage and oversee and the potential consequences associated with failing to make proper use of such features;
      • 5.2.3. Establish and periodically update Agency-specific supplemental standards and policies governing the use of the Productivity Tools they have been assigned to manage and oversee consistent with their Agency's mission and applicable laws, rules, and regulations;
      • 5.2.4. Monitor and oversee the use of the Productivity Tools they have been assigned to manage and oversee by Agency personnel in order to ensure such Productivity Tools are being utilized consistent with applicable standards, policies, laws, rules and regulations related to the sharing and dissemination of data and/or information and take steps to remediate any identified noncompliance.
    • 5.3. Terms and Conditions of Use.
      • 5.3.1. Responsibility of Agency. An Agency that elects to use Productivity Tools made available by the Office is solely responsible for any and all risks associated with the data or information made available to individuals both within and outside of State government, including but not limited to:
        • 5.3.1.1. Any and all data and/or information it uploads, submits, stores, sends, receives, and/or otherwise makes available to individuals both inside and outside of State government through such Productivity Tools, including but not limited to ensuring such data or information is made available consistent with applicable standards, policies, laws, rules and regulations;
        • 5.3.1.2. Moderating any content integrated or otherwise made available through such Productivity Tools, including but not limited to content approval and content removal;
        • 5.3.1.3. Managing and overseeing any social media incorporated or integrated into such Productivity Tools, including but not limited to Twitter, Facebook, LinkedIn, or Google+;
        • 5.3.1.4. Any and all use of and/or risks associated with any third-party applications, software, programs, modules and components incorporated or integrated into the Productivity Tools.
      • 5.3.2. Office Right to Review Content.
        • 5.3.2.1. Except to the extent otherwise provided or required by a Memorandum of Understanding or other intergovernmental agreement between the Office and an Agency, a non-disclosure form executed by the Office or an Agency, or applicable law, rule, or regulation, by electing to use Productivity Tools, an Agency consents to and authorizes the Office to review any and all content uploaded, submitted, stored, sent, received, and/or otherwise made available through such Productivity Tools in order to determine whether such content has been made available to any State personnel or the public in violation of applicable Information Technology Standards and Policies, and/or any laws, rules or regulations. If the Office determines such content has been made available in violation of any applicable Information Technology Standards and Policies, and/or any laws, rules or regulations, or otherwise appears to constitute an unauthorized or unintentional publication or dissemination of sensitive or confidential information, the Office will promptly notify the applicable Agency of the issue and work in tandem with the Agency to remediate the issue. The Office may immediately remove/disable the offending content without prior notice to the applicable Agency; provided the Office will notify the Agency of such action as soon as is reasonably practicable.
        • 5.3.2.2. Notwithstanding the foregoing, an Agency that elects to use the Productivity Tools made available by the Office remains solely responsible for any and all content made available through such Productivity Tools as set forth in Section 5.3.1, above, and Agencies should not assume the Office will review their use of such Productivity Tools or any content made available through the same so as to alleviate the need to independently manage content in a responsible manner and in compliance with applicable standards, policies, laws, rules or regulations.
      • 5.3.3. Additional Information Technology Standards and Policies. Notwithstanding anything in this Policy to the contrary, this Policy is not the sole Information Technology Standard or Policy applicable to an Agency’s management and/or administration of Productivity Tools, and/or any data or information shared or disseminated by or through such Productivity Tools. By way of example only, the following additional Information Technology Standards or Policies may also apply:
        • 5.3.3.1. Data Classification;
        • 5.3.3.2. Data Stewardship;
        • 5.3.3.3. Web Application Security Standard;
        • 5.3.3.4. Web Content Management System;
        • 5.3.3.5. Web Design;
        • 5.3.3.6. Web Page Policy Notes;
        • 5.3.3.7. Website Accessibility.
    • 6. Vendors and contractors. This Policy applies to Agencies’ contractors’ employees, agents, affiliates, subcontractors, and other third parties working on their behalf, to the extent Agencies’ contractors and Agencies’ contractors’ employees, agents, affiliates, subcontractors, and other third parties working on their behalf utilize these Productivity Tools to access, create, manage, share, and/or disseminate data or information on behalf of Agencies.
    • 7. Updates. This Policy shall be reviewed at least every two years and updated as needed.
    • 8. Effective Date. This Policy shall be effective 7/1/2017.
    • 9. Enforcement. This Policy shall be enforced pursuant to Iowa Administrative Code rules 11— 25.11 and 11—117.11 and Iowa Code sections 8B.21(1)(d), (f), and (h), 8B.23(1), and 8B.24(1).
    • 10. Waiver/Variance. Iowa Administrative Code rules 11—25.11(2) and 11—117.11(3) and Iowa Code section 8B.21(5) provide for variances\waivers from standards and policies. Requests for a waiver/variance from any of the requirements of this Policy shall be submitted in writing to the State's Chief Information Officer at cio@iowa.gov.

Printed from the Office of the Chief Information Officer website on November 19, 2017 at 1:37pm.