Interagency Data Exchange (IDEA) Guidebook

Resources and References

In this section you will find key templates and other information to execute and understand the IDEA process. These materials are linked throughout the guide.

This section includes:

  • IDEA agreement

  • List of signatories

  • BUCP template

  • Notice, Email and Disclosure templates

  • Background materials

Interagency Data Exchange (IDEA) Guidebook

Version 1.2 | Last Updated Aug 24, 2022

The Interagency Data Exchange Agreement is managed by the Statewide Chief Data Officer, who sits within the Office of Data and Innovation.

Introduction

This guidebook is designed to help you use the Interagency Data Exchange Agreement (IDEA). IDEA is an umbrella Memorandum of Understanding (MOU) that is intended to facilitate data exchange between state entities in California.

The IDEA consists of two parts:

  1. one single master agreement with general legal boilerplate language and

  2. smaller subordinate agreements for instances of data exchange called “Business Use Case Proposals (BUCP)”, containing specific information such as data type, intended use, etc.

The master agreement combined with a BUCP will form the complete standardized legally compliant data sharing agreement.

The concept is like the procurement model provided by the California Multiple Award Schedules (CMAS). Vendors sign onto a general master agreement (CMAS) and then state entities produce smaller and more detailed Requests for Offers (RFOs). Both parts together form the complete contract.

Version Notes

| Version | Date | Name | Notes |
| --- | --- | --- | --- |
| 1.0 | 2021.06.24 | Joy Bonaguro | Initial release of guidebook |
| 1.1 | 2021.08.05 | Joy Bonaguro | Added new FAQ on fund transfers |
| 1.2 | 2022.08.24 | Joy Bonaguro | Gitbook version release, adding and organizing FAQs, adding resources |

Background

IDEA was born out of a need to improve sharing infrastructure within the state. Learn more about its history, benefits and implementation in the material below.

IDEA Briefing Deck

This presentation introduces the IDEA process, including the background, rationale, process to develop, and scope.

BriefingDeck-IDEA.pdf (PDF, 3MB)

List of Signatories

This is a list of all state entities that have signed the agreement. This list is updated whenever a new signatory is added.

Please contact us if you note any errors.

IDEA Agreement

This is the final agreement between agency secretaries, including appendices. Note that this public version is unsigned. Additional signatories were added via addendum.

Final_IDEA.pdf (PDF, 262KB)

State employees can find the signed agreement in the teams channel.

BUCP Template

This page contains both the BUCP template itself as well as a template for defining the data elements that may be used or adapted as the BUCP is developed.

Template: BUCP

Use this Word document to draft your BUCPs. If needed, we will periodically update this based on feedback and include version notes.

BUCP-Template-V1.0.docx (37KB)

Remember when you complete your BUCP to submit to the Statewide Chief Data Officer.

Template: Data Field Definitions Template

One of the best ways to improve data use is to provide data that is well-documented. The data field definitions table below will help both the Data Provider and Recipient develop a shared understanding of the data to be exchanged.

| Field | Description |
| --- | --- |
| Field Name | What is a brief human readable name for the field? This should be unique and stated in the singular. Don't use abbreviations or acronyms. |
| Type | What is the format of the data? Numeric, text, date and time, currency, boolean, coordinates, other. |
| Definition | Define the field. State it as a descriptive phrase or sentence. Be precise, unambiguous and concise. Make it unique and state it in the singular. State what it is, not what it is not. Can it stand alone? Define units of measure (e.g. miles or meters or feet). |
| Required | Yes or No. Is this field required or optional? |
| Valid inputs | For categories, what is the list of allowable values? For dates and numbers, what is the allowable range? |
| Source | Defines how the data enters the system. |
| Notes | Describe any known data quality issues or concerns. |
| Guide for use | Provide advice on how the field can be used. |

Dispute Resolution Process

Use the Dispute Resolution Process to mediate disagreements in any of the following categories:

  1. Data Provider objects to the data exchange

  2. Disagreement on the method for de-identification

  3. Disagreement on costs

The goal of the dispute resolution process is to resolve issues at the lowest level possible and to create a different process when one of the parties to the BUCP is not under the authority of the Governor.

Steps in the dispute resolution process

  1. Determine if both state entities are under the authority of the Governor.

    1. If yes, escalate the issue to your respective Agency Chief Data Officers, if applicable, else the Agency Information Officer for a mediation meeting.

      1. If this resolves the dispute, finalize the BUCP and file it via the BUCP Inventory Form (external link to AirTable).

      2. If the dispute is not resolved, proceed to step 3.

      3. If not, continue to step 2.

  2. Both the Data Provider and Data Recipient must develop written comments and recommendations that represent their perspective.

  3. Both must compile and submit this documentation to the Chief Data Officer via the Dispute Mediation Request Form (external link to AirTable).

  4. Conduct joint mediation meetings.

    1. If this resolves the dispute, finalize the BUCP and file it via the BUCP Inventory Form (external link to AirTable).

    2. If this does not resolve the dispute:

      1. And both entities are under the authority of the Governor, the Chief Data Officer will submit a recommendation to the Governor’s office for final decision.

      2. And one or more of the entities are not under the authority of the Governor, the BUCP is not approved.

See the flowchart below as well.

Notice, Email and Disclosure Templates

Template: Email to initiate a data exchange under IDEA

Subject: Request to exchange data under IDEA

Dear <insert Data Provider contact name>,

We are both Signatory Entities under the State of California’s Interagency Data Exchange Agreement (IDEA), the umbrella memorandum of understanding that is intended to facilitate data exchange between state entities. If you are unfamiliar with IDEA, you can learn more in the attached FAQ.

We are interested in exchanging the following information with your department and have drafted an initial Business Use Case Proposal (BUCP) as required by IDEA.

<Insert brief description of data and purpose>

At your convenience, we would like to meet and discuss this request with you. If you feel another contact is more appropriate, please feel free to let us know.

Best,

<insert Data Recipient name>

Template: Planning for a BUCP Kickoff Meeting

Use this template to plan for your BUCP Kickoff Meeting.

Suggested attendees:

  • Data Recipient. Program contacts that are responsible for the business use case.

  • Data Providers. Program contacts that have a deep understanding of the data to exchange and can inform and even advise on the business use case needs.

Inputs to meeting:

  • Draft of BUCP (provided by Data Recipient)

  • List of available data fields to review and discuss (provided by Data Provider)

Meeting objective: Refine business use case needs and develop preliminary list of data fields

Meeting agenda:

  1. Introductions (All parties)

  2. Background on business use case purpose and importance (Data Recipient)

  3. Discussion of data needs in support of use case (All parties). Use this time to list and start to refine the list of data fields that would meet business use case. Flag (but don’t attempt to resolve) issues that would require legal or security input.

  4. Identify next steps. Next steps should include at a minimum the following:

    1. How to finalize list of data elements that are in scope

    2. Legal and security input needed

Template: Notice of unauthorized access (provision 8.5)

Subject: Notice of unauthorized access to data exchanged under IDEA

Dear <insert Data Provider contact name>,

We are both Signatory Entities under the State of California’s Interagency Data Exchange Agreement (IDEA), the umbrella memorandum of understanding that is intended to facilitate data exchange between state entities.

Under IDEA, we negotiated a Business Use Case Proposal (BUCP), attached, in which you provided us with the following data: <insert brief description of data>.

Under provision 8.5 of IDEA, we are required to notify you that we experienced an instance of unauthorized access as follows:

<insert brief description of unauthorized access>.

Please let us know if you need any additional information to assess this instance of unauthorized access. We are able to meet at a time of your convenience. Further, our team is reviewing this instance of unauthorized access and identifying any remediations and future mitigation measures to prevent any future unauthorized access.

Best,

<insert Data Recipient name>

Template: Notice of security incident (provision 8.6)

Subject: Notice of security incident involving data exchanged under IDEA

Dear <insert Data Provider contact name>,

We are both Signatory Entities under the State of California’s Interagency Data Exchange Agreement (IDEA), the umbrella memo of understanding that is intended to facilitate data exchange between state entities.

Under IDEA, we negotiated a Business Use Case Proposal (BUCP), attached, in which you provided us with the following data: <insert brief description of data>.

Under provision 8.6 of IDEA, we are required to notify you that we experienced a security incident relating to this data:

<insert brief description of unauthorized access and consider attaching a more detailed report>.

Please let us know if you need any additional information to assess this incident. We are able to meet at a time of your convenience. Further, our team is reviewing this incident and identifying any remediations and future mitigation measures to prevent any future security incidents.

Best,

<insert Data Recipient name>

Template: Data disclosure language (provision 5.11)

Under IDEA, a Data Recipient may modify data and disclose it consistent with the signed BUCP. If disclosed, the Data Recipient must indicate that the data is modified and not original. We suggest including a footnote as follows:

Note: Our department is not the original source of this data. We have modified this data to support our own business needs. Any inconsistency with the original data is our responsibility.

Template: Notice to terminate data exchange under IDEA (provision 5.14 - rule change)

Subject: Notice to terminate data exchange under IDEA

CC: Agency Chief Data Officer or the Agency Information Officer

Dear <insert Data Recipient contact name>,

We are both Signatory Entities under the State of California’s Interagency Data Exchange Agreement (IDEA), the umbrella memorandum of understanding that is intended to facilitate data exchange between state entities.

Under IDEA, we negotiated a Business Use Case Proposal (BUCP), attached, in which we provided you with the following data: <insert brief description of data>.

Under provision 5.14 of IDEA, we are terminating this agreement due to the following statutory, regulatory, or contractual change which now prohibits our ability to share the data under our BUCP:

<insert brief description of change and why this requires a termination and any time constraints or requirements for deletion/removal; consider attaching a more detailed report>.

We request to meet and discuss the steps involved in this termination.

Best,

<insert Data Provider name>

Template: Notice to terminate data exchange under IDEA (provision 5.14 - Data Recipient’s Acts)

Subject: Notice to terminate data exchange under IDEA

CC: Agency Chief Data Officer or the Agency Information Officer

Dear <insert Data Recipient contact name>,

We are both Signatory Entities under the State of California’s Interagency Data Exchange Agreement (IDEA), the umbrella memorandum of understanding that is intended to facilitate data exchange between state entities.

Under IDEA, we negotiated a Business Use Case Proposal (BUCP), attached, in which we provided you with the following data: <insert brief description of data>.

Under provision 5.14 of IDEA, we are terminating this agreement due to your act as described below:

<insert brief description of Data Recipient’s act that prompted this termination and why that act should lead to a termination. Describe time constraints or requirements for deletion/removal; consider attaching a more detailed report>.

We request to meet and discuss the steps involved in this termination.

Best,

<insert Data Provider name>

Template: Notice to terminate data exchange under IDEA (provision 7.4)

Subject: Notice to terminate data exchange under IDEA due to cause

CC: Statewide Chief Data Officer and Agency Chief Data Officer or the Agency Information Officer

Dear <insert Data Recipient contact name>,

We are both Signatory Entities under the State of California’s Interagency Data Exchange Agreement (IDEA), the umbrella memorandum of understanding that is intended to facilitate data exchange between state entities.

Under IDEA, we negotiated a Business Use Case Proposal (BUCP), attached, in which we provided you with the following data: <insert brief description of data>.

Under provision 7.4 of IDEA, we request to terminate this agreement as we believe you, the Data Recipient, have violated a material term of our agreement:

<insert brief description of violation and why this requires a termination and any time constraints or requirements for deletion/removal; consider attaching a more detailed report>.

We request to meet and discuss the steps involved in this termination.

Best,

<insert Data Provider name>

How to develop and manage a data sharing agreement

Follow the steps below to develop a BUCP under the IDEA. Typically, a BUCP will be initiated by a Data Recipient to request data from a Data Provider. However, all parties may work together to develop a BUCP. These two roles are referred to throughout this guidebook and in the IDEA and BUCP template.

Flowchart: We’ve created a flowchart that supports the steps below.

Step 1. Determine if you need to use the IDEA

The IDEA is designed for data that requires protection and cannot be freely shared across state entities. Typically this means the data faces restrictions on disclosures to other state entities under federal or state law due to privacy or security reasons.

The IDEA does not apply to public, non-confidential data. In addition, it does not apply to non-confidential, internal use data that you share with other state entities even if the data is not intended for public use. For these cases, treat data sharing as a normal part of business.

Step 2. Confirm that all parties are signatories to IDEA

All state agencies under the Governor’s authority and their reporting departments have signed IDEA, in addition to several other entities. Confirm that the Data Recipient(s) and the Data Provider(s) are signatories on the agreement. If one or the other is not a signatory, you are welcome to use the IDEA agreement and BUCP templates as a starting point but are not required to do so. We encourage the entity that has not yet signed onto IDEA to do so and are happy to review it with them.

See the list of signatories to confirm

Step 3. Draft initial Business Use Case Proposal (BUCP)

The BUCP template is the document you will use to finalize your data sharing agreement. The Data Recipient’s program staff who will use the data should draft the initial BUCP. At this time, work with the program team to develop this draft. Later in the process, you can engage your Data Officer and Legal team. The template is broken down into the following sections:

| Section | Description | How to use at this stage |
| --- | --- | --- |
| Signatures and Approvals | This is a set of legal, privacy, and program approval dates as well as the start and end date for data exchange. While at the beginning of the template, this is the last step in the process. | Leave blank for now. This is part of the discussion process. |
| Business Case Fields | Fields that provide an overview of the program and business needs for this data along with basic contact information. | Complete initial draft. The Data Recipient is primarily responsible for completing these fields. |
| Technical Fields | Fields that describe the data in detail as well as the means of transfer and management, including destruction and/or return. | Complete initial draft. The Data Recipient and Data Provider will need to iterate on this during discussions. |
| Administrative Fields | Fields that address risks, legal authority, transfer of funds, and additional protections or approvals. | Draft fields as possible. The Data Provider will need to help complete these fields based on discussion with the Data Recipient. |

Step 4. Submit the draft BUCP to the Data Provider

Once the Data Recipient has a working draft BUCP, they should identify the appropriate contact at the Data Provider. A good initial starting point is the program contacts for the data, who are in the best position to help you develop the BUCP. They can bring in additional groups as necessary including legal, privacy, technology, and security.

At this time, we do not yet have a point of contact by state entity for BUCPs.

You can start with the email template to initiate a request

Step 5. Work together to complete the BUCP

All entities’ programs should work together to complete a draft BUCP for approval. Typically, a completed draft will require input from your legal, privacy, security, and technology teams.

If there is a dispute while developing the BUCP, please follow the dispute resolution process. Disputes fall into three categories:

  1. Data Provider objects to the data exchange

  2. Disagreement on the method for de-identification

  3. Disagreement on costs

See related templates for Planning for a BUCP kickoff meeting

Step 6. Submit the final BUCP to the Statewide Chief Data Officer

The Data Recipient must file the final BUCP via the BUCP Inventory Form (external link to AirTable). This is for tracking and auditing purposes only (there is no 'approval' that happens by CalData). Once submitted you should move immediately to Step 7 to begin exchanging the data.

Step 7. Exchange and manage the data per the agreement

Follow the terms of the agreement to exchange and manage the data. Below we included a series of templates that may be useful under several of IDEA’s clauses.

Useful templates:

  • Notice of unauthorized access (provision 8.5)

  • Notice of security incident (provision 8.6)

  • Data disclosure language (provision 5.11)

  • Data Field Definitions Template

Step 8. (If applicable) file a notice of termination

IDEA recognizes two instances in which a Data Provider may file a notice of termination.

  1. If the termination is due to statutory, regulatory, or contractual changes, under §5.14 of IDEA, the Data Provider must notify the Agency Chief Data Officer or the Agency Information Officer of the action and reasons.

  2. Under §7.4 of IDEA, if the Data Provider determines that the Data Recipient has violated a material term of the agreement, they may terminate the agreement. The Data Provider must immediately notify the Data Recipient and Chief Data Officer.

Useful templates:

  • Notice to terminate data exchange under IDEA (provision 5.14 - rule change)

  • Notice to terminate data exchange under IDEA (provision 5.14 - Data Recipient’s Acts)

  • Notice to terminate data exchange under IDEA (provision 7.4)

Flowchart for Managing Data Sharing Agreements

Frequently Asked Questions

Background and When to Use

What data exchange does IDEA apply to?

IDEA applies to data that is protected by state or federal law typically due to privacy or security concerns. In short, this is data that must be assessed to ensure that exchange is allowable and secure under any prevailing statute or regulation. This typically includes personally identifiable information (PII) or highly sensitive information such as that related to security. This does not apply to data that is public or even used for internal purposes but not rising to the level of protected information. Typically, protected information is that which faces specific requirements for disclosure and allowable use or for breaches (often called notice-triggering events).

Do we have to use IDEA for data exchange?

Yes, if your department or entity is a signatory to IDEA. The goal of IDEA is to reduce administrative overhead by using the same framework for data exchange versus renegotiating the same questions. It also helps ensure that the data exchange uses consistent privacy and security practices.

Are the UCs, CSUs and Community Colleges included in this effort?

Any state entity is encouraged to and can sign onto the IDEA. As of March 2022, the UCs, CSUs, and Community Colleges have not yet done so. Please refer to the list of signature entities for current status.

Does IDEA require us to give our data to any other state entity?

No. Any data exchange must be allowable under governing statute and regulation. State entities retain authority to sign and allow or decline data exchange under a BUCP.

Can we use this process for research-related data sharing?

Yes, if the research requires sensitive data from another state entity that has signed the IDEA. This includes cases where the state entity is using a service provider to conduct the research on the entity’s behalf. Importantly, IDEA does not replace any existing approval processes for independent research. For example, a BUCP for research-related data from a university will need to include Institutional Review Board (IRB) approval. See the BUCP template and Section 3 of IDEA for more details. Requests for data by external researchers, either academics or institutions, for research purposes are covered by other existing processes and IDEA should not be used.

We already have existing data exchange agreements. Do we need to migrate them to IDEA?

You can leave existing agreements as is. However, any renewals or new agreements should use the BUCP process.

BUCP Details

Can we create a BUCP without an end date?

Yes. While the BUCP includes a termination date, data exchanges can be ongoing or terminated by notice as long as the law allows it.

We have special security and/or privacy requirements. Can we include these?

IDEA establishes minimum security requirements by requiring that Signatory Entities meet Chapter 5300 of the State Administrative Manual. Additional security and privacy requirements can be included in the BUCP. Any additional requirements should be commensurate with risk or due to prevailing rules or regulations.

Why would we ever need to de-identify data under a signed BUCP?

You should limit data exchange to that which is necessary to meet the business need or objective. Wherever possible, data should be de-identified if individual identifiers are not necessary. For example, while the business case may require record level data, it may not require known identifiers such as name, address, or phone number. In addition, if aggregated data meets the use case, aggregate data should be used. Moreover, data that has been de-identified and suppressed can be published in an open data portal.

What Happens If/When

What happens if the Data Recipient has a breach for data exchanged under a BUCP?

The Data Recipient should contact the Data Provider to identify who is responsible for notification under §9.2 of IDEA. If the breach involves HIPAA-protected data held by a Covered Entity or its Business Associate, the parties must follow breach provisions in Addendum A of IDEA.

How do we use the BUCP process when we need to transfer funds?

  1. Case 1: If two or more departments want to share data and transfer funds, the contractual process can run in parallel to the BUCP approval process. For example, data exchange can be addressed by the BUCP and the transfer of funds or services can be addressed by an Interagency Agreement. To avoid work duplication, attach the BUCP as an exhibit to the Interagency Agreement.

  2. Case 2: If two or more programs within the same department want to share data and transfer funds, the contractual process can also run in parallel to the BUCP approval process. For example, data exchange can be addressed by the BUCP and the transfer of funds or services can be addressed by a Memorandum of Agreement. To avoid work duplication, attach the BUCP as an exhibit to the Memorandum of Agreement.

What should we do if we have a change in law or rule that affects data under a signed BUCP?

Work with your legal and privacy team to determine if your existing BUCPs are still allowable under the rule change.

  1. If they are still allowable, update the BUCP to reflect the new legal analysis under the legal authority and refile the BUCP via the BUCP Inventory Form.

  2. If the data exchange is no longer permitted, see Step 8 in the guidebook on filing a notice of termination.

We (the Data Recipients) received an external request for data that we received via a BUCP. How do we handle it?

If a Data Recipient receives a request under the California Public Records Act (CPRA), a subpoena, a court order, a litigation-related request, or any other request for the data under a BUCP, under §5.18 of IDEA, immediately notify the Data Provider to meet and confer on the appropriate response.

Legal

Does IDEA, including data sharing with contractors, comply with § 6254.5 in the Public Records Act?

Yes. Data that is shared consistent with the Information Practices Act, other laws covering the data, or to a governmental agency that agrees to keep the data confidential means that the data keeps its confidential status (see Government Code § 6254.5). The IDEA itself is an agreement to keep confidential data that is shared as confidential. Sharing of confidential data with other governmental agencies, contractors or business associates is permitted, and confidential information shared via IDEA will generally remain confidential and exempt from PRA. See §5.18 of IDEA and FAQ 8 for details on managing PRA requests.

Does IDEA impact attorney-client or other existing privileges?

No. Per §5.20 of IDEA, nothing in the IDEA or BUCP will diminish any privileges or protections.

Results and Feedback

What are the expected benefits of IDEA?

We expect the following benefits from the IDEA:

  • Reduction in time and effort spent negotiating terms. After CHHS adopted a single agency agreement, completion time went from 2-3 years on average to 79 days.

  • Shifts bias to sharing and working together. Most data sharing negotiations are adversarial and start from a position of “no.” The IDEA starts with a commitment to data sharing and collaboration to improve services.

  • Reduction in duplication of resources and workload. The IDEA establishes the legal framework so the focus moves from creation of a legal agreement towards developing the data elements and transmission logistics. CHHS statistics show data is often transferred earlier than the projected date.

  • Greater visibility into areas of disagreement. The IDEA establishes an escalation process for when agencies don’t agree to share that could uncover both cultural reluctance and/or legal issues that need to be addressed.

  • Ultimately, better government services through the improved sharing and use of data.

What should we expect next? Can I provide feedback?

The IDEA process is relatively new, and we want to give it time to take root. As its usage expands, we are eager to understand what is working and where there may be gaps. If you have just completed a BUCP, there is an opportunity to let us know what you think on the inventory form. At any other point you can submit feedback using our feedback form. In time, based on feedback, we will determine if there is the need to revisit and update the IDEA or BUCP templates. If there are updates, they would likely only apply to future agreements.