# Frequently Asked Questions ### **Background and When to Use** #### **What data exchange does IDEA apply to**? IDEA applies to data protected by state or federal laws, usually because of privacy or security concerns. This means the data must be checked to make sure sharing it is legal and secure, according to any relevant laws or rules. This usually includes personal information (PII) or very sensitive information, like security-related data. IDEA doesn't apply to public data or data used internally that isn't considered protected. Protected information usually has specific rules about when it can be shared and how it can be used. It also often has rules about what happens if the data is exposed, such as disclosure requirements, appropriate use, and breach notifications (often called notice triggering events). #### **Do we have to use IDEA for data exchange?** Yes, if your department or entity is a signatory to IDEA. The goal of IDEA is to reduce administrative overhead by using the same framework for data exchange versus renegotiating the same questions. It also helps ensure that the data exchange uses consistent privacy and security practices. #### **Are the UCs, CSUs and Community Colleges included in this effort?** Any state entity is encouraged to and can sign onto the IDEA. As of August 2025, the UCs, CSUs, and Community Colleges have not yet done so. Please refer to the [list of signature entities](/interagency-data-exchange-idea-guidebook/resources-and-references/list-of-signatories.md) for current status. #### **Does IDEA require us to give our data to any other state entity?** No. Any data exchange must be allowable under governing statute and regulation. State entities retain authority to sign and allow or decline data exchange under a BUCP. #### **Can we use this process for research-related data sharing?** You can share data for research using the IDEA. But you can only use it if the research is being done by or for state agencies that have signed the IDEA. If you need to share data with people who don't work for state government, like university professors or other organizations, you should not use the IDEA. Instead, their requests will be handled using other methods that are already in place. For example: Let's say you're working on a project and you want to team up with a university to study health trends in your community, and they have some survey data you need. Even though you want to work together, you cannot use the IDEA to get that health data from the university. That's because universities haven't signed the IDEA agreement. Instead, you would have to go through the university's own special approval process, often called an IRB (Institutional Review Board). #### **We already have existing data exchange agreements. Do we need to migrate them to IDEA?** You can leave existing agreements as is. However, any renewals or new agreements should use the BUCP process. #### Our department is part of a larger agency, do we still need to sign on to IDEA as an independent signatory? If a department or office or center has statutory authority by itself, it needs its own signature for the IDEA agreement. If independent authority is not defined within government statute, then the umbrella agency signature will cover the department. ### BUCP Details #### **Can we create a BUCP without an end date?** Yes. While the BUCP includes a termination date, data exchanges can be ongoing or terminated by notice as long as the law allows it. #### **We have special security and/or privacy requirements. Can we include these?** IDEA sets basic security rules by requiring all Signatory Entities to fulfill Chapter 5300 of the State Administrative Manual. You can add more security and privacy requirements to your BUCP if needed. Any extra requirements should be based on the level of risk or on existing rules and regulations. #### **Why would we ever need to de-identify data under a signed BUCP?** Only share the data you absolutely need to achieve your goal. If you don't need to know who the data belongs to, remove any personal identifiers like names, addresses, or phone numbers. For instance, you might need individual records, but not the names attached to them. Also, if using summarized data (aggregates) is enough, use that instead of individual records. Data that has been de-identified and suppressed to meet privacy protection standards can often be made available on a public data portal. #### What's the difference between the security, privacy, and legal reviews? These three reviews help your department(s) ensure that the proposed BUCP is solid. **Legal Review**: a lawyer checks that the BUCP complies with all relevant laws and regulations. They may check that the agreement has each department’s roles and responsibilities clearly stated, and that it complies with your department’s relevant governing statutes and laws. By approving a BUCP, an attorney has assessed the BUCP and evaluated whether it meets legal sufficiency for the signatory's needs. The key assessment criteria is validating whether the data usage and sharing terms meet state policy requirements for the department. These usually concern the Legal Authority, Description of Purpose, and Output Use sections within the BUCP template. These sections should be completed with enough detail to fulfill department requirements. **Privacy Review**: a privacy expert checks that the BUCP correctly handles personal information legally and ethically. They might make sure the agreement adequately explains how the data will be used, for what purpose, how individual’s right to privacy will be protected, privacy re-identification risk, and how it complies with privacy laws (such as CCPA, or HIPPA). By approving a BUCP, a privacy expert has assessed the BUCP and evaluated whether it sufficiently meets their agency's relevant privacy laws and regulations. The key assessment criteria is validating whether the data usage and sharing terms meet state policy requirements for the department. These usually concern the Privacy Requirements, Description of Purpose, and Output sections of the BUCP template. These sections should be completed with enough detail to fulfill department requirements. **Security Review:** an IT expert checks that there are technological and organizational safeguards in place to protect the data itself. They might check to ensure that the process in which data is shared and stored is secure. By approving a BUCP, an IT expert has assessed the BUCP and evaluated whether it sufficiently meets their agency's relevant security policies and industry best practices. The key assessment criteria is validating whether the data handling and storage practices meet state and federal security policy requirements for the department, and adequately protect the confidentiality, integrity, and availability of the data. These usually concern the Security Requirements, Description of Purpose, and Output sections of the BUCP template. These sections should be completed with enough detail to fulfill department requirements. #### **What does it mean to have each of the representatives register their opinion?** Providing a registered opinion means that someone has reviewed the proposed Business Use Case Proposal (BUCP) and documented any feedback and concerns regarding the BUCP. Before the BUCP is officially submitted, these questions and proposed changes should be discussed and addressed with the Executive Sponsor. The person reviewing doesn't need to actually sign the BUCP itself to show they've given their official expert opinion. Ultimately, the Executive Sponsor’s signature on the BUCP indicates that they have reviewed the registered opinions from each expert and have made a decision on whether or not to proceed with the BUCP. ### What Happens If/When #### **What happens if the Data Recipient has a breach for data exchanged under a BUCP?** The Data Recipient should contact the Data Provider to identify who is responsible for notification under §9.2 of IDEA. If the breach involves HIPAA-protected data held by a Covered Entity or its Business Associate, the parties must follow breach provisions in Addendum A of IDEA. #### **How do we use the BUCP process when we need to transfer funds?** 1. **Case 1:** If two or more departments want to share data and transfer funds, the contractual process can run in parallel to the BUCP approval process. For example, data exchange can be addressed by the BUCP and the transfer of funds or services can be addressed by an Interagency Agreement. To avoid work duplication, attach the BUCP as an exhibit to the Interagency Agreement. 2. **Case 2:** If two or more programs within the same department want to share data and transfer funds, the contractual process can also run in parallel to the BUCP approval process. For example, data exchange can be addressed by the BUCP and the transfer of funds or services can be addressed by a Memorandum of Agreement. To avoid work duplication, attach the BUCP as an exhibit to the Memorandum of Agreement. #### **What should we do if we have a change in law or rule that affects data under a signed BUCP?** Work with your legal and privacy team to determine if your existing BUCPs are still allowable under the rule change. 1. If they are still allowable, update the BUCP to reflect the new legal analysis under the legal authority and refile the BUCP via the [BUCP Inventory Form](https://airtable.com/appBDfkcteQhHoKBG/pag8eHPdioJyEW8uk/form)**.** 2. If the data exchange is no longer permitted, see Step 8 in the guidebook on filing a notice of termination. #### **We (the Data Recipients) received an external request for data that we received via a BUCP. How do we handle it?** If a Data Recipient receives a request under the California Public Records Act (CPRA), a subpoena, a court order, a litigation-related request, or any other request for the data under a BUCP, under §5.18 of IDEA, immediately notify the Data Provider to meet and confer on the appropriate response. ### Legal #### **Does IDEA, including data sharing with contractors, comply with § 6254.5 in the Public Records Act?** Yes. Data that is shared consistent with the Information Practices Act, other laws covering the data, or to a governmental agency that agrees to keep the data confidential means that the data keeps its confidential status (see Government Code § 6254.5). The IDEA itself is an agreement to keep confidential data that is shared as confidential. Sharing of confidential data with other governmental agencies, contractors or business associates is permitted, and confidential information shared via IDEA will generally remain confidential and exempt from PRA. See §5.18 of IDEA and FAQ 8 for details on managing PRA requests. #### **Does IDEA impact attorney-client or other existing privileges?** No. Per §5.20 of IDEA, nothing in the IDEA or BUCP will diminish any privileges or protections. #### What exactly are legal representatives agreeing to when giving a registered opinion on BUCP documents? By approving a BUCP, an attorney has assessed the BUCP and evaluated whether it meets legal sufficiency for the signatory's needs. The key assessment criteria is validating whether the data usage and sharing terms meet state policy requirements for the department. These usually concern the Legal Authority, Description of Purpose, Specialized Privacy/Security, and Output Use sections within the BUCP template. These sections should be completed with enough detail to fulfill department requirements. IDEA is meant to be a tool framework to help align and improve data sharing agreements across the state, as opposed to a compliance framework for enforcement. It aims to improve on best practice efforts to tighten security and privacy terms for data sharing agreements. ### Results and Feedback #### **What are the expected benefits of IDEA?** We expect the following benefits from the IDEA: * **Reduction in time and effort spent negotiating terms.** After CHHS adopted a single agency agreement, completion time went from 2-3 years on average to 79 days. * **Shifts bias to sharing and working together.** Most data sharing negotiations are adversarial and start from a position of “no.” The IDEA starts with a commitment to data sharing and collaboration to improve services. * **Reduction in duplication of resources and workload.** The IDEA establishes the legal framework so the focus moves from creation of a legal agreement towards developing the data elements and transmission logistics. CHHS statistics show data is often transferred earlier than the projected date. * **Greater visibility into areas of disagreement.** The IDEA establishes an escalation process for when agencies don’t agree to share that could uncover both cultural reluctance and/or legal issues that need to be addressed. * **Ultimately, better government services** through the improved sharing and use of data. #### **What should we expect next? Can I provide feedback?** As usage of IDEA expands, we are eager to understand what is working and where there may be gaps. If you have just completed a BUCP, there is an opportunity to let us know what you think on the inventory form. At any other point you can submit feedback using [our feedback form](https://airtable.com/appcS7OwQZrdRJ6LE/paggCzzqgzZTGREe6/form). In time, based on feedback, we will determine if there is the need to revisit and update the IDEA or BUCP templates. Any ongoing updates to the IDEA framework would only apply to future agreements. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.data.ca.gov/interagency-data-exchange-idea-guidebook/frequently-asked-questions.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.