Physical Security Contractor shall ensure that Medi-Cal PII is used and stored in an area that is physically safe from access by unauthorized persons during working hours and non- working hours. Contractor agrees to safeguard Medi-Cal PII from loss, theft or inadvertent disclosure and, therefore, agrees to:
A. Secure all areas of Contractor facilities where personnel assist in the administration of the Medi-Cal program and use or disclose Medi-Cal PII. The Contractor shall ensure that these secure areas are only accessed by authorized individuals with properly coded key cards, authorized door keys or access authorization; and access to premises is by official identification.
B. Ensure that there are security guards or a monitored alarm system with or without security cameras 24 hours a day, 7 days a week at Contractor facilities and leased facilities where a large volume of Medi-Cal PII is stored.
C. Issue Contractor personnel who assist in the administration of the Medi-Cal program identification badges and require County Workers to wear the identification badges at facilities where Medi-Cal PII is stored or used.
D. Store paper records with Medi-Cal PII in locked spaces, such as locked file cabinets, locked file rooms, locked desks or locked offices in facilities which are multi-use (meaning that there are personnel other than contractor personnel using common areas that are not securely segregated from each other.) The contractor shall have policies which indicate that Contractor and their personnel are not to leave records with Medi-Cal PII unattended at any time in vehicles or airplanes and not to check such records in baggage on commercial airlines.
E. Use all reasonable measures to prevent non-authorized personnel and visitors from having access to, control of, or viewing Medi-Cal PII.
Security and Data Transfers Party shall comply with all applicable State and Agency of Human Services' policies and standards, especially those related to privacy and security. The State will advise the Party of any new policies, procedures, or protocols developed during the term of this agreement as they are issued and will work with the Party to implement any required. Party will ensure the physical and data security associated with computer equipment, including desktops, notebooks, and other portable devices, used in connection with this Agreement. Party will also assure that any media or mechanism used to store or transfer data to or from the State includes industry standard security mechanisms such as continually up-to-date malware protection and encryption. Party will make every reasonable effort to ensure media or data files transferred to the State are virus and spyware free. At the conclusion of this agreement and after successful delivery of the data to the State, Party shall securely delete data (including archival backups) from Party’s equipment that contains individually identifiable records, in accordance with standards adopted by the Agency of Human Services. Party, in the event of a data breach, shall comply with the terms of Section 7 above.
Physical Security of Media DST shall implement controls, consistent with applicable prevailing industry practices and standards, that are designed to deter the unauthorized viewing, copying, alteration or removal of any media containing Fund Data. Removable media on which Fund Data is Schedule 10.2 p.3 stored by DST (including thumb drives, CDs, and DVDs, and PDAS) will be encrypted based on DST encryption policies.
Data Destruction When no longer needed, all County PHI or PI must be cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization such that the PHI or PI cannot be retrieved.
Termination and Data Destruction Upon Project Close-out, the Requester and Approved Users agree to destroy all copies, versions, and Data Derivatives of the dataset(s) retrieved from NIH-designated controlled-access databases, on both local servers and hardware, and if cloud computing was used, delete the data and cloud images from cloud computing provider storage, virtual and physical machines, databases, and random access archives, in accord with the NIH Security Best Practices for Controlled-Access Data Subject to the NIH Genomic Data Sharing (GDS) Policy. However, the Requester may retain these data as necessary to comply with any institutional policies (e.g., scientific data retention policy), law, and scientific transparency expectations for disseminated research results, and/or journal policies. A Requester who retains data for any of these purposes continues to be a xxxxxxx of the data and is responsible for the management of the retained data in accordance with the NIH Security Best Practices for ControlledAccess Data Subject to the NIH Genomic Data Sharing (GDS) Policy, and any institutional policies. Any retained data may only be used by the PI and Requester to support the findings (e.g., validation) resulting from the research described in the DAR that was submitted by the Requester and approved by NIH. The data may not be used to answer any additional research questions, even if they are within the scope of the approved Data Access Request, unless the Requester submits a new DAR and is approved by NIH to conduct the additional research. If a Requester retains data for any of these purposes, the relevant portions of Terms 4, 5, 6, 7, 8, and 12 remain in effect after termination of this Data Use Certification Agreement. These terms remain in effect until the data is destroyed.
Physical and Environmental Security DST shall: (i) restrict entry to DST’s area(s) where Fund Confidential Information is stored, accessed, or processed solely to DST’s personnel or DST authorized third party service providers for such access; and (ii) implement commercially reasonable practices for infrastructure systems, including fire extinguishing, cooling, and power, emergency systems and employee safety.
Destruction of Data Provider shall destroy or delete all Personally Identifiable Data contained in Student Data and obtained under the DPA when it is no longer needed for the purpose for which it was obtained or transfer said data to LEA or LEA’s designee, according to a schedule and procedure as the parties may reasonable agree. Nothing in the DPA authorizes Provider to maintain personally identifiable data beyond the time period reasonably needed to complete the disposition.
Paper Destruction DST shall shred all paper waste containing Fund Data and dispose in a secure and confidential manner making it unrecoverable.
Data Security and Unauthorized Data Release The Requester and Approved Users, including the Requester’s IT Director, acknowledge NIH’s expectation that they have reviewed and agree to manage the requested controlled-access dataset(s) and any Data Derivatives of controlled-access datasets according to NIH’s expectations set forth in the current NIH Security Best Practices for Controlled-Access Data Subject to the GDS Policy and the Requester’s IT security requirements and policies. The Requester, including the Requester’s IT Director, agree that the Requester’s IT security requirements and policies are sufficient to protect the confidentiality and integrity of the NIH controlled-access data entrusted to the Requester. If approved by NIH to use cloud computing for the proposed research project, as outlined in the Research and Cloud Computing Use Statements of the Data Access Request, the Requester acknowledges that the IT Director has reviewed and understands the cloud computing guidelines in the NIH Security Best Practices for Controlled-Access Data Subject to the NIH GDS Policy. The Requester and PI agree to notify the appropriate DAC(s) of any unauthorized data sharing, breaches of data security, or inadvertent data releases that may compromise data confidentiality within 24 hours of when the incident is identified. As permitted by law, notifications should include any known information regarding the incident and a general description of the activities or process in place to define and remediate the situation fully. Within 3 business days of the DAC notification, the Requester agrees to submit to the DAC(s) a detailed written report including the date and nature of the event, actions taken or to be taken to remediate the issue(s), and plans or processes developed to prevent further problems, including specific information on timelines anticipated for action. The Requester agrees to provide documentation verifying that the remediation plans have been implemented. Repeated violations or unresponsiveness to NIH requests may result in further compliance measures affecting the Requester. NIH, or another entity designated by NIH may, as permitted by law, also investigate any data security incident or policy violation. Approved Users and their associates agree to support such investigations and provide information, within the limits of applicable local, state, tribal, and federal laws and regulations. In addition, Requester and Approved Users agree to work with the NIH to assure that plans and procedures that are developed to address identified problems are mutually acceptable and consistent with applicable law.
Delivery and Control of Security Collateral (a) Any certificates or instruments representing or evidencing Security Collateral shall be delivered to and held by or on behalf of the Collateral Trustee pursuant hereto and shall be in suitable form for transfer by delivery, or shall be accompanied by duly executed instruments of transfer or assignment in blank, all in form and substance satisfactory to the Collateral Trustee. The Collateral Trustee shall have the right, at any time in its discretion and without notice to any Pledgor, to transfer to or to register in the name of the Collateral Trustee or any of its nominees any or all of the certificates and instruments representing or evidencing the Security Collateral, if any, subject only to the revocable rights specified in Section 9(a). In addition, the Collateral Trustee shall have the right at any time to exchange certificates or instruments representing or evidencing Security Collateral, if any, for certificates or instruments of smaller or larger denominations.
(b) At such time as any Pledgor has or acquires any Security Collateral in which such Pledgor has any right, title or interest and that constitutes an “uncertificated security” (within the meaning of Article 8 of the UCC), such Pledgor will use its commercially reasonable efforts to cause the issuer thereof to agree in an authenticated record substantially in the form of Exhibit B with such Pledgor and the Collateral Trustee that such issuer will comply with instructions with respect to such security originated by the Collateral Trustee without further consent of such Pledgor, such authenticated record to be in form and substance satisfactory to such issuer and the Collateral Trustee.
(c) With respect to any Pledged Equity in which any Pledgor has any right, title or interest and that is not a security (within the meanings of Article 8 and Article 9 of the UCC), such Pledgor will notify each such issuer of Pledged Equity that such Pledged Equity is subject to the security interest granted hereunder.
(d) With respect to any Pledged Debt in which any Pledgor has any right, title or interest, the Pledgor will notify each such issuer of Pledged Debt that such Pledged Debt is subject to the security interest granted hereunder.
(e) If, at any time, an issuer converts any Pledged Equity into a “security” within the meaning of Articles 8 and 9 of the UCC, the relevant Pledgor will either (i) use its commercially reasonable efforts to cause the issuer of such Pledged Equity to issue certificates or instruments evidencing or representing the Pledged Equity and deliver the originals of such certificates or instruments promptly to the Collateral Trustee (or as directed by the Collateral Trustee), and, if it or any Person other than the relevant Pledgor, receives any such certificates or instruments, shall promptly deliver or cause to be delivered to the Collateral Trustee, the originals of such certificates or instruments or (ii) if the security is an uncertificated security (within the meaning of Article 8 of the UCC), use its commercially reasonable efforts to cause the issuer of such Pledged Equity to enter into an Uncertificated Securities Control Agreement pursuant to clause (b) above.
(f) At such time as any Pledgor has or acquires any Security Collateral in which such Pledgor has any right, title or interest and that is not a security (within the meaning of Article 8 of the UCC), such Pledgor agrees that the Collateral Trustee may file a financing statement in the relevant jurisdiction.
(g) No Pledgor shall take or omit to take any action which would or could reasonably be expected to have the result of materially adversely affecting or impairing the Liens in favor of the Collateral Trustee and the holders of Parity Lien Obligations with respect to the Collateral.
