Background and When to Use
What data exchange does IDEA apply to?
IDEA applies to data that is protected by state or federal law typically due to privacy or security concerns. In short, this is data that must be assessed to ensure that exchange is allowable and secure under any prevailing statute or regulation. This typically includes personally identifiable information (PII) or highly sensitive information such as that related to security. This does not apply to data that is public or even used for internal purposes but not rising to the level of protected information. Typically, protected information is that which faces specific requirements for disclosure and allowable use or for breaches (often called notice-triggering events).
Do we have to use IDEA for data exchange?
Yes, if your department or entity is a signatory to IDEA. The goal of IDEA is to reduce administrative overhead by using the same framework for data exchange versus renegotiating the same questions. It also helps ensure that the data exchange uses consistent privacy and security practices.
Are the UCs, CSUs and Community Colleges included in this effort?
Any state entity is encouraged to and can sign onto the IDEA. As of March 2022, the UCs, CSUs, and Community Colleges have not yet done so. Please refer to the for current status.
Does IDEA require us to give our data to any other state entity?
No. Any data exchange must be allowable under governing statute and regulation. State entities retain authority to sign and allow or decline data exchange under a BUCP.
Can we use this process for research-related data sharing?
Yes, if the research requires sensitive data from another state entity that has signed the IDEA. This includes cases where the state entity is using a service provider to conduct the research on the entity’s behalf. Importantly, IDEA does not replace any existing approval processes for independent research. For example, a BUCP for research-related data from a university will need to include Institutional Review Board (IRB) approval. See the BUCP template and Section 3 of IDEA for more details. Requests for data by external researchers, either academics or institutions, for research purposes are covered by other existing processes and IDEA should not be used.
We already have existing data exchange agreements. Do we need to migrate them to IDEA?
You can leave existing agreements as is. However, any renewals or new agreements should use the BUCP process.
Can we create a BUCP without an end date?
Yes. While the BUCP includes a termination date, data exchanges can be ongoing or terminated by notice as long as the law allows it.
We have special security and/or privacy requirements. Can we include these?
IDEA establishes minimum security requirements by requiring that Signatory Entities meet Chapter 5300 of the State Administrative Manual. Additional security and privacy requirements can be included in the BUCP. Any additional requirements should be commensurate with risk or due to prevailing rules or regulations.
Why would we ever need to de-identify data under a signed BUCP?
You should limit data exchange to that which is necessary to meet the business need or objective. Wherever possible, data should be de-identified if individual identifiers are not necessary. For example, while the business case may require record level data, it may not require known identifiers such as name, address, or phone number. In addition, if aggregated data meets the use case aggregate data should be used. Moreover, data that has been de-identified and suppressed can be published in an open data portal.
What Happens If/When
What happens if the Data Recipient has a breach for data exchanged under a BUCP?
The Data Recipient should contact the Data Provider to identify who is responsible for notification under §9.2 of IDEA. If the breach involves HIPAA-protected data held by a Covered Entity or its Business Associate, the parties must follow breach provisions in Addendum A of IDEA.
How do we use the BUCP process when we need to transfer funds?
Case 1: If two or more departments want to share data and transfer funds, the contractual process can run in parallel to the BUCP approval process. For example, data exchange can be addressed by the BUCP and the transfer of funds or services can be addressed by an Interagency Agreement. To avoid work duplication, attach the BUCP as an exhibit to the Interagency Agreement.
Case 2: If two or more programs within the same department want to share data and transfer funds, the contractual process can also run in parallel to the BUCP approval process. For example, data exchange can be addressed by the BUCP and the transfer of funds or services can be addressed by a Memorandum of Agreement. To avoid work duplication, attach the BUCP as an exhibit to the Memorandum of Agreement.
What should we do if we have a change in law or rule that affects data under a signed BUCP?
Work with your legal and privacy team to determine if your existing BUCPs are still allowable under the rule change.
If they are still allowable, update the BUCP to reflect the new legal analysis under the legal authority and refile the BUCP via the .
If the data exchange is no longer permitted, see Step 8 in the guidebook on filing a notice of termination.
We (the Data Recipients) received an external request for data that we received via a BUCP. How do we handle it?
If a Data Recipient receives a request under the California Public Records Act (CPRA), a subpoena, a court order, a litigation-related request, or any other request for the data under a BUCP, under §5.18 of IDEA, immediately notify the Data Provider to meet and confer on the appropriate response.
Does IDEA, including data sharing with contractors, comply with § 6254.5 in the Public Records Act?
Yes. Data that is shared consistent with the Information Practices Act, other laws covering the data, or to a governmental agency that agrees to keep the data confidential means that the data keeps its confidential status (see Government Code § 6254.5). The IDEA itself is an agreement to keep confidential data that is shared as confidential. Sharing of confidential data with other governmental agencies, contractors or business associates is permitted, and confidential information shared via IDEA will generally remain confidential and exempt from PRA. See §5.18 of IDEA and FAQ 8 for details on managing PRA requests.
Does IDEA impact attorney-client or other existing privileges?
No. Per §5.20 of IDEA, nothing in the IDEA or BUCP will diminish any privileges or protections.
Results and Feedback
What are the expected benefits of IDEA?
We expect the following benefits from the IDEA:
Reduction in time and effort spent negotiating terms. After CHHS adopted a single agency agreement, completion time went from 2-3 years on average to 79 days.
Shifts bias to sharing and working together. Most data sharing negotiations are adversarial and start from a position of “no.” The IDEA starts with a commitment to data sharing and collaboration to improve services.
Reduction in duplication of resources and workload. The IDEA establishes the legal framework so the focus moves from creation of a legal agreement towards developing the data elements and transmission logistics. CHHS statistics show data is often transferred earlier than the projected date.
What should we expect next? Can I provide feedback?
The IDEA process is relatively new, and we want to give it time to take root. As its usage expands, we are eager to understand what is working and where there may be gaps. If you have just completed a BUCP, there is an opportunity to let us know what you think on the inventory form. At any other point you can submit feedback using . In time, based on feedback, we will determine if there is the need to revisit and update the IDEA or BUCP templates. If there are updates, they would likely only apply to future agreements.
