Law and Regulation Details

USA Unemployment Insurance Data

Question 7-What safeguards are required for data disclosure?

Detail Level:
Detailed Explanation
Citation:
20 CFR § 603.9
Relevant Subsections:
(a) – (b)
Relevant Language:
TITLE 20 - EMPLOYEES' BENEFITS, CHAPTER V - EMPLOYMENT AND TRAINING ADMINISTRATION, DEPARTMENT OF LABOR, PART 603 - FEDERAL-STATE UNEMPLOYMENT COMPENSATION PROGRAM, CONFIDENTIALITY AND DISCLOSURE OF STATE UC INFORMATION, SUBPART A - IN GENERAL, §603.9 - WHAT SAFEGUARDS AND SECURITY REQUIREMENTS APPLY TO DISCLOSED INFORMATION? (a) IN GENERAL. For disclosures of confidential UC information under §603.5(d)(2) (to a third party (other than an agent) or disclosures made on an ongoing basis); §603.5(e) (to a public official), except as provided in paragraph (d) of this section; §603.5(f) (to an agent or contractor of a public official); §603.6(b)(1) through (4), (6), and (7)(i) (as required by Federal UC law); and §603.22 (to a requesting agency for purposes of an IEVS), a State or State UC agency must require the recipient to safeguard the information disclosed against unauthorized access or redisclosure, as provided in paragraphs (b) and (c) of this section, and must subject the recipient to penalties provided by the State law for unauthorized disclosure of confidential UC information. (b) Safeguards to be required of recipients. 
(1) The State or State UC agency must: (i) Require the recipient to use the disclosed information only for purposes authorized by law and consistent with an agreement that meets the requirements of §603.10; (ii) Require the recipient to store the disclosed information in a place physically secure from access by unauthorized persons; (iii) Require the recipient to store and process disclosed information maintained in electronic format...in such a way that unauthorized persons cannot obtain the information by any means; (iv) Require the recipient to undertake precautions to ensure that only authorized personnel are given access to disclosed information stored in computer systems; (v) Require each recipient agency or entity to: (A) Instruct all personnel having access to the disclosed information about confidentiality requirements, the requirements of this subpart B, and the sanctions specified in the State law for unauthorized disclosure of information, and (B) Sign an acknowledgment that all personnel having access to the disclosed information have been instructed in accordance with paragraph (b)(1)(v)(A) of this section and will adhere to the State's or State UC agency's confidentiality requirements and procedures which are consistent with this subpart B and the agreement required by §603.10, and agreeing to report any infraction of these rules to the State UC agency fully and promptly, (vi) Require the recipient to dispose of information disclosed or obtained, and any copies thereof made by the recipient agency, entity, or contractor, after the purpose for which the information is disclosed is served, except for disclosed information possessed by any court. Disposal means return of the information to the disclosing State or State UC agency or destruction of the information, as directed by the State or State UC agency. Disposal includes deletion of personal identifiers by the State or State UC agency in lieu of destruction. 
In any case, the information disclosed must not be retained with personal identifiers for longer than such period of time as the State or State UC agency deems appropriate on a case-by-case basis; and (vii) Maintain a system sufficient to allow an audit of compliance with the requirements of this part. (2) In the case of disclosures made under §603.5(d)(2) (to a third party (other than an agent) or disclosures made on an ongoing basis), the State or State UC agency must also— (i) Periodically audit a sample of transactions accessing information disclosed under that section to assure that the entity receiving disclosed information has on file a written release authorizing each access. The audit must ensure that the information is not being used for any unauthorized purpose; (ii) Ensure that all employees of entities receiving access to information disclosed under §603.5(d)(2) are subject to the same confidentiality requirements, and State criminal penalties for violation of those requirements, as are employees of the State UC agency.

Date Reviewed:
7/24/2017
Detail Level:
Detailed Explanation
Citation:
20 CFR § 603.9
Relevant Subsections:
(a)-(d)
Relevant Language:
TITLE 20 - EMPLOYEES' BENEFITS, CHAPTER V - EMPLOYMENT AND TRAINING ADMINISTRATION, DEPARTMENT OF LABOR, PART 603 - FEDERAL-STATE UNEMPLOYMENT COMPENSATION PROGRAM, CONFIDENTIALITY AND DISCLOSURE OF STATE UC INFORMATION, SUBPART A - IN GENERAL, §603.9 - WHAT SAFEGUARDS AND SECURITY REQUIREMENTS APPLY TO DISCLOSED INFORMATION? (a) In general...a State or State UC agency must require the recipient to safeguard the information disclosed against unauthorized access or redisclosure, as provided in paragraphs (b) and (c) of this section, and must subject the recipient to penalties provided by the State law for unauthorized disclosure of confidential UC information. (b) Safeguards to be required of recipients. (1) The State or State UC agency must: (i) Require the recipient to use the disclosed information only for purposes authorized by law and consistent with an agreement that meets the requirements of §603.10; (ii) Require the recipient to store the disclosed information in a place physically secure from access by unauthorized persons; (iii) Require the recipient to store and process disclosed information maintained in electronic format, such as magnetic tapes or discs, in such a way that unauthorized persons cannot obtain the information by any means; (iv) Require the recipient to undertake precautions to ensure that only authorized personnel are given access to disclosed information stored in computer systems; (v) Require each recipient agency or entity to: (A) Instruct all personnel having access to the disclosed information about confidentiality requirements, the requirements of this subpart B, and the sanctions specified in the State law for unauthorized disclosure of information, and (B) Sign an acknowledgment that all personnel having access to the disclosed information have been instructed in accordance with paragraph (b)(1)(v)(A) of this section and will adhere to the State's or State UC agency's confidentiality requirements and procedures which are consistent with
this subpart B and the agreement required by §603.10, and agreeing to report any infraction of these rules to the State UC agency fully and promptly, (vi) Require the recipient to dispose of information disclosed or obtained, and any copies thereof made by the recipient agency, entity, or contractor, after the purpose for which the information is disclosed is served...Disposal means return of the information to the disclosing State or State UC agency or destruction of the information, as directed by the State or State UC agency. Disposal includes deletion of personal identifiers by the State or State UC agency in lieu of destruction. In any case, the information disclosed must not be retained with personal identifiers for longer than such period of time as the State or State UC agency deems appropriate on a case-by-case basis; and (vii) Maintain a system sufficient to allow an audit of compliance with the requirements of this part. (2) In the case of disclosures made under §603.5(d)(2) (to a third party (other than an agent) or disclosures made on an ongoing basis), the State or State UC agency must also—(i) Periodically audit a sample of transactions accessing information disclosed under that section to assure that the entity receiving disclosed information has on file a written release authorizing each access. The audit must ensure that the information is not being used for any unauthorized purpose; (ii) Ensure that all employees of entities receiving access to information disclosed under §603.5(d)(2) are subject to the same confidentiality requirements, and State criminal penalties for violation of those requirements, as are employees of the State UC agency. (c) Redisclosure of confidential UC information.
(1) A State or State UC agency may authorize any recipient of confidential UC information under paragraph (a) of this section to redisclose information only as follows:...(v) To an agent or contractor of a public official only if the person redisclosing is a public official, if the redisclosure is authorized by the State law, and if the public official retains responsibility for the uses of the confidential UC information by the agent or contractor; (vi) From one public official to another if the redisclosure is authorized by the State law;...(2) Information redisclosed under paragraphs (c)(1)(v) and (vi) of this section must be subject to the safeguards in paragraph (b) of this section. (d) The requirements of this section do not apply to disclosures of UC information to a Federal agency which the Department has determined, by notice published in the Federal Register, to have in place safeguards adequate to satisfy the confidentiality requirement of Section 303(a)(1), SSA.
Date Reviewed:
7/24/2017
Detail Level:
Detailed Explanation
Citation:
20 CFR § 603.9; §603.10
Relevant Subsections:
(b)(i)-(vii), (c)(1)(i)-(vi), (viii); (a)(1)-(2), (b)(i)-(vi), (2).
Relevant Language:
TITLE 20 - EMPLOYEES' BENEFITS, CHAPTER V - EMPLOYMENT AND TRAINING ADMINISTRATION, DEPARTMENT OF LABOR, PART 603 - FEDERAL-STATE UNEMPLOYMENT COMPENSATION PROGRAM, CONFIDENTIALITY AND DISCLOSURE OF STATE UC INFORMATION, SUBPART A - IN GENERAL, §603.9 WHAT SAFEGUARDS AND SECURITY REQUIREMENTS APPLY TO DISCLOSED INFORMATION? (b) SAFEGUARDS TO BE REQUIRED OF RECIPIENTS. (1) The State or State UC agency must: (i) Require the recipient to use the disclosed information only for purposes authorized by law and consistent with an agreement that meets the requirements of §603.10; (ii) Require the recipient to store the disclosed information in a place physically secure from access by unauthorized persons; (iii) Require the recipient to store and process disclosed information maintained in electronic format, such as magnetic tapes or discs, in such a way that unauthorized persons cannot obtain the information by any means; (iv) Require the recipient to undertake precautions to ensure that only authorized personnel are given access to disclosed information stored in computer systems; (v) Require each recipient agency or entity to: (A) Instruct all personnel having access to the disclosed information about confidentiality requirements, the requirements of this subpart B, and the sanctions specified in the State law for unauthorized disclosure of information, and (B) Sign an acknowledgment that all personnel having access to the disclosed information have been instructed in accordance with paragraph (b)(1)(v)(A) of this section and will adhere to the State's or State UC agency's confidentiality requirements and procedures which are consistent with this subpart B and the agreement required by §603.10, and agreeing to report any infraction of these rules to the State UC agency fully and promptly, (vi) Require the recipient to dispose of information disclosed or obtained, and any copies thereof made by the recipient agency, entity, or contractor, after the purpose for which the
information is disclosed is served, except for disclosed information possessed by any court. Disposal means return of the information to the disclosing State or State UC agency or destruction of the information, as directed by the State or State UC agency. Disposal includes deletion of personal identifiers by the State or State UC agency in lieu of destruction. In any case, the information disclosed must not be retained with personal identifiers for longer than such period of time as the State or State UC agency deems appropriate on a case-by-case basis; and (vii) Maintain a system sufficient to allow an audit of compliance with the requirements of this part. (2) In the case of disclosures made under §603.5(d)(2) (to a third party (other than an agent) or disclosures made on an ongoing basis), the State or State UC agency must also—(i) Periodically audit a sample of transactions accessing information disclosed under that section to assure that the entity receiving disclosed information has on file a written release authorizing each access. The audit must ensure that the information is not being used for any unauthorized purpose; (ii) Ensure that all employees of entities receiving access to information disclosed under §603.5(d)(2) are subject to the same confidentiality requirements, and State criminal penalties for violation of those requirements, as are employees of the State UC agency. (c) REDISCLOSURE OF CONFIDENTIAL UC INFORMATION.  
(1) A State or State UC agency may authorize any recipient of confidential UC information under paragraph (a) of this section to redisclose information only as follows: (i) To the individual or employer who is the subject of the information; (ii) To an attorney or other duly authorized agent representing the individual or employer; (iii) In any civil or criminal proceedings for or on behalf of a recipient agency or entity; (iv) In response to a subpoena only as provided in §603.7; (v) To an agent or contractor of a public official only if the person redisclosing is a public official, if the redisclosure is authorized by the State law, and if the public official retains responsibility for the uses of the confidential UC information by the agent or contractor; (vi) From one public official to another if the redisclosure is authorized by the State law; ... (viii) When specifically authorized by a written release that meets the requirements of §603.5(d) (to a third party with informed consent). (2) Information redisclosed under paragraphs (c)(1)(v) and (vi) of this section must be subject to the safeguards in paragraph (b) of this section.

§603.10 WHAT ARE THE REQUIREMENTS FOR AGREEMENTS?
(a) Requirements. (1) For disclosures of confidential UC information under §603.5(d)(2) (to a third party (other than an agent) or disclosures made on an ongoing basis); §603.5(e) (to a public official), except as provided in paragraph (d) of this section; §603.5(f) (to an agent or contractor of a public official); §603.6(b)(1) through (4), (6), and (7)(i) (as required by Federal UC law); and §603.22 (to a requesting agency for purposes of an IEVS), a State or State UC agency must enter into a written, enforceable agreement with any agency or entity requesting disclosure(s) of such information. The agreement must be terminable if the State or State UC agency determines that the safeguards in the agreement are not adhered to. (2) For disclosures referred to in §603.5(f) (to an agent or contractor of a public official), the State or State UC agency must enter into a written, enforceable agreement with the public official on whose behalf the agent or contractor will obtain information. The agreement must hold the public official responsible for ensuring that the agent or contractor complies with the safeguards of §603.9. The agreement must be terminable if the State or State UC agency determines that the safeguards in the agreement are not adhered to. (b) Contents of agreement—(1) In general. Any agreement required by paragraph (a) of this section must include, but need not be limited to, the following terms and conditions: (i) A description of the specific information to be furnished and the purposes for which the information is sought; (ii) A statement that those who request or receive information under the agreement will be limited to those with a need to access it for purposes listed in the agreement;
(iii) The methods and timing of requests for information and responses to those requests, including the format to be used; (iv) Provision for paying the State or State UC agency for any costs of furnishing information, as required by §603.8 (on costs); (v) Provision for safeguarding the information disclosed, as required by §603.9 (on safeguards); and (vi) Provision for on-site inspections of the agency, entity, or contractor, to assure that the requirements of the State's law and the agreement or contract required by this section are being met. (2) In the case of disclosures under §603.5(d)(2) (to a third party (other than an agent) or disclosures made on an ongoing basis), the agreement required by paragraph (a) of this section must assure that the information will be accessed by only those entities with authorization under the individual's or employer's release, and that it may be used only for the specific purposes authorized in that release.

Date Reviewed:
7/24/2017