20 CFR § 603.9 - What safeguards and security requirements apply to disclosed information?

(a) In general. For disclosures of confidential UC information under § 603.5(d)(2) (to a third party (other than an agent) or disclosures made on an ongoing basis); § 603.5(e) (to a public official), except as provided in paragraph (d) of this section; § 603.5(f) (to an agent or contractor of a public official); § 603.6(b)(1) through (4), (6), and (7)(i) (as required by Federal UC law); and § 603.22 (to a requesting agency for purposes of an IEVS), a State or State UC agency must require the recipient to safeguard the information disclosed against unauthorized access or redisclosure, as provided in paragraphs (b) and (c) of this section, and must subject the recipient to penalties provided by the State law for unauthorized disclosure of confidential UC information.

(b) Safeguards to be required of recipients.

(1) The State or State UC agency must:

(i) Require the recipient to use the disclosed information only for purposes authorized by law and consistent with an agreement that meets the requirements of § 603.10;

(ii) Require the recipient to store the disclosed information in a place physically secure from access by unauthorized persons;

(iii) Require the recipient to store and process disclosed information maintained in electronic format, such as magnetic tapes or discs, in such a way that unauthorized persons cannot obtain the information by any means;

(iv) Require the recipient to undertake precautions to ensure that only authorized personnel are given access to disclosed information stored in computer systems;

(v) Require each recipient agency or entity to:

(A) Instruct all personnel having access to the disclosed information about confidentiality requirements, the requirements of this subpart B, and the sanctions specified in the State law for unauthorized disclosure of information, and

(B) Sign an acknowledgment that all personnel having access to the disclosed information have been instructed in accordance with paragraph (b)(1)(v)(A) of this section and will adhere to the State's or State UC agency's confidentiality requirements and procedures which are consistent with this subpart B and the agreement required by § 603.10, and agreeing to report any infraction of these rules to the State UC agency fully and promptly,

(vi) Require the recipient to dispose of information disclosed or obtained, and any copies thereof made by the recipient agency, entity, or contractor, after the purpose for which the information is disclosed is served, except for disclosed information possessed by any court. Disposal means return of the information to the disclosing State or State UC agency or destruction of the information, as directed by the State or State UC agency. Disposal includes deletion of personal identifiers by the State or State UC agency in lieu of destruction. In any case, the information disclosed must not be retained with personal identifiers for longer than such period of time as the State or State UC agency deems appropriate on a case-by-case basis; and

(vii) Maintain a system sufficient to allow an audit of compliance with the requirements of this part.

(2) In the case of disclosures made under § 603.5(d)(2) (to a third party (other than an agent) or disclosures made on an ongoing basis), the State or State UC agency must also—

(i) Periodically audit a sample of transactions accessing information disclosed under that section to assure that the entity receiving disclosed information has on file a written release authorizing each access. The audit must ensure that the information is not being used for any unauthorized purpose;

(ii) Ensure that all employees of entities receiving access to information disclosed under § 603.5(d)(2) are subject to the same confidentiality requirements, and State criminal penalties for violation of those requirements, as are employees of the State UC agency.

(c) Redisclosure of confidential UC information.

(1) A State or State UC agency may authorize any recipient of confidential UC information under paragraph (a) of this section to redisclose information only as follows:

(i) To the individual or employer who is the subject of the information;

(ii) To an attorney or other duly authorized agent representing the individual or employer;

(iii) In any civil or criminal proceedings for or on behalf of a recipient agency or entity;

(iv) In response to a subpoena only as provided in § 603.7;

(v) To an agent or contractor of a public official only if the person redisclosing is a public official, if the redisclosure is authorized by the State law, and if the public official retains responsibility for the uses of the confidential UC information by the agent or contractor;

(vi) From one public official to another if the redisclosure is authorized by the State law;

(vii) When so authorized by Section 303(e)(5), SSA, (redisclosure of wage information by a State or local child support enforcement agency to an agent under contract with such agency for purposes of carrying out child support enforcement) and by State law; or

(viii) When specifically authorized by a written release that meets the requirements of § 603.5(d) (to a third party with informed consent).

(2) Information redisclosed under paragraphs (c)(1)(v) and (vi) of this section must be subject to the safeguards in paragraph (b) of this section.

(d) The requirements of this section do not apply to disclosures of UC information to a Federal agency which the Department has determined, by notice published in the Federal Register, to have in place safeguards adequate to satisfy the confidentiality requirement of Section 303(a)(1), SSA.