HomeMy WebLinkAboutAgreement A-17-630 with RTI International.pdfMEMORANDUM OF UNDERSTANDING BETWEEN FRESNO COUNTY DEPARTMENT OF SOCIAL SERVICES AND RTI INTERNATIONAL Page 1 of 5 This Memorandum of Understanding ("MOU") is entered into by and between the County of Fresno ("Fresno County") and RTI International ("RTI"). Fresno County and RTI each may be referred to herein as "Party" and collectively as "Parties." I. PURPOSE The purpose of this MOU is to set forth the terms and conditions under which Fresno County and its Department of Social Services agrees to participate in the National Survey of Child and Adolescent Well-Being Ill ("NSCAW Ill") sponsored by the federal Administration for Children and Families ("ACF") and conducted by RTI. The purpose of NSCAW is to gain a better understanding of the well-being, needs, and services received by children and families who come into contact with the child welfare system. II. BACKGROUND AND AUTHORITY Since 1999, ACF has been sponsoring a longitudinal survey, NSCAW, to provide nationally representative Information about the well-being, service needs and service utilization of children and families who come to the attention of the U.S. child welfare system. The study, authorized under the Personal Responsibility and Work Opportunity Reconciliation Act of 1996 ("PRWORA")\ provides information about program, policy and practice issues of concern to federal, state and local governments and child welfare agencies. Two prior surveys were conducted in 1999 ("NSCAW") and 2008 ("NSCAW II"). In 2016, ACF awarded a contract to RTI to collect data relating to a third cohort of children and families for purposes of conducting NSCAW Ill. The administrative data provided to RTI will be used to identify individual children aged birth to 17 1/2 years who come in contact with the child welfare system within a 15 month period beginning in July 2017. Following completion of the work, the survey data will be stripped of all identifying information and analyzed for the possibility of re-identification/inadvertent disclosure before being made available to the larger research and policy community to encourage secondary analyses that will support further research and timely policy decisions. The National Data Archive for Child Abuse and Neglect (NDACAN) at Cornell University is the repository for NSCAW data. Ill. SCOPE OF WORK A. Fresno County understands the California Department of Social Services (COSS) may disclose confidential information to RTI for purposes directly connected with the administration of the program in compliance with the above legal authority and documented in the MOU on record between RTI and COSS (Appendix A). 1 Title V, Sec. 429A, National Random Sample Study of Child Welfare (PL No. 104-193) Agreement No. 17-630
Page 2 of 5 B. Fresno County will designate an agency liaison who will provide assistance and information to the NSCAW Field Representatives and will encourage but not require caseworkers to participate in brief interviews. Specifics of the assistance to be provided by Fresno County are listed in Appendix B, Agency Responsibilities. IV. RTI RESPONSIBILITIES RTI shall be provided access to confidential data for the sole purpose of conducting research as described herein. RTI agrees to: A. Use the data it receives under this MOU only for the purpose of completing its NSCAW Ill obligations and for no other purpose. The data shall not be used for personal gain or profit. B. Protect the confidentiality of all data it receives, maintains, stores and transmits pursuant to this MOU and shall implement administrative, physical and technical safeguards based upon applicable laws, regulations, policies, or other rules or standards that reasonably and appropriately protect the confidentiality of the data. C. Designate a person to be responsible for the security and confidentiality of the data. RTI shall immediately notify COSS and Fresno County in writing of a designee change. The person responsible for security and confidentiality of data at RTI is: Orin Day RTI International 3040 East Cornwallis Road P.O. Box 12194 Research Triangle Park, NC 27709-2194 (919) 541-5515 oday@rti.org D. Comply with the provisions of the MOU in Appendix A. V. TERM This MOU shall be effective upon signature of both Fresno County and RTI. The MOU shall expire on May 31, 2022, unless terminated pursuant to Paragraph VII, B. below. VI. PROJECT REPRESENTATIVES The project representatives during the terms of this MOU are: For Fresno County: Tricia Gonzalez, Deputy Director Child Welfare Seivices 1404 L. Street Fresno, CA 93721 Phone: (559) 600-2306 Email: gonzapd@co.fresno.ca.us
For RTI: Melissa Dolan, NSCAW Project Director 230 W. Monroe St., Suite 2100 Chicago, IL 60606-4901 Phone: (312) 456-5250 Email: mdolan@rti.org Page 3 of 5 Either party may make changes to the project representatives above by giving five (5) days written notice to the other party. Said changes shall not require an amendment to this MOU. VII. GENERAL PROVISIONS A. Amendments: No condition or provision of this MOU shall be waived or altered except by written amendment signed by a duly authorized representative of Fresno County and RTI. No oral understanding or agreement not incorporated herein shall be binding upon either party. B. Termination 1. Termination without cause: This MOU may be terminated by either party without cause upon giving 30 days written notice. 2. Termination with cause: This MOU may be terminated immediately by either party if the terms of this MOU are violated in any manner. 3. Other grounds for termination: In the event that any other contract, agreement or MOU (identified in Section II. Background as being related to or necessary for the performance of this MOU) terminates or expires, this MOU may be terminated upon the effective date of the termination of that contract, agreement or MOU, even if such termination will occur with less than thirty (30) days written notice. C. Return or Destruction of Data Confidential data used, compiled, processed, stored or derived through the performance of this MOU shall be destroyed or returned upon the expiration or termination of this MOU, as directed by Fresno County. RTI shall destroy all data not returned when the authorized use ends in accordance with approved methods of confidential destruction, including but not limited to, shredding, burning, certified or witnessed destruction, or degaussing of magnetic media. RTI shall provide a certification letter confirming that all data was destroyed and method utilized to destroy the data.
Page 4 of 5 D. Dispute Resolution Process: If a dispute arises between Fresno County and RTI, the parties must seek resolution using the process outlined below: The RTI Project Representative should first informally discuss the problem with Fresno County Project Representative. If the problem cannot be resolved informally, the RTI Project Representative must direct the grievance, in writing, to the Fresno County Project Representative. The Fresno County Project Representative must make a written decision within ten (1 0) working days after receipt of the written grievance. Should RTI disagree with the written decision of the Fresno County Project Representative, then RTI may appeal in writing to the Fresno County Project Representative, specifying the dispute, the facts, and the legal authority, if any, supporting the position of RTL The Fresno County Project Representative shall respond in writing within ten (10) working days of receipt of the appeal with a final decision. The decision of Fresno County shall be final. E. Choice of Law and Consent to Jurisdiction: Any action relating to this MOU must be brought in the federal or state courts located in California, and RTI irrevocably consents to the jurisdiction of such courts for any action. F. Notices: All notices, reports, requests, or other communications given pursuant to this Agreement shall be made in writing, shall be delivered by hand delivery or overnight courier service, and shall be deemed to have been duly given when delivery is confirmed/verified. G. Entire Agreement: This MOU constitutes the entire agreement between the parties; no promises, terms, or conditions not recited, incorporated or referenced herein, including prior agreements or oral discussions, shall be binding upon either party. H. Survival: All provisions of this MOU relating to privacy, confidentiality and information security shall survive the termination or expiration of this Agreement.
f'age 5 of 5
VIII. AUTHORIZED REPRESENTAiJVES
By signing below, the. individual certifies that It is acting as the representative of the entity
named below and possesses the authority to enter into this MOU on behalf of that entity.
COUNTY OF FRESNO
/L~j_
Brian Pacheco. Chairman of the Board of Supervisors
of the County of Fresno
ATTEST:
Bernice E. Seidel
Clerk to the Board of Supervisors
County of Fresno, State of California
Fumi/Subclass: NI A
Organization: 5610700 I
Account: N/ A
Appendix A: MOU Between RTI and COSS Agreement 17-6011 CDSS/RTI International MEMORANDUM OF UNDERSTADNING BETWEEN CALIFORNIA DEPARTMENT OF SOCIAL SERVICES AND RTI INTERNATIONAL Page 1 of 7 This Memorandum of Understanding ("MOU'') is entered into by and between the California Department of Social Services ("COSS") and RTI International (''RTI"). COSS and RTI each may be referred to as herein as "Party" and collectively as "Parties.'' I. PURPOSE The purpose of this MOU is to set forth the terms and conditions under which COSS agrees to provide RTI with confidential data for participation in the National Survey of Child and Adolescent Well-Being Ill ("NSCAW Ill") sponsored by the federal Administration for Children and Families ("ACF"). The data to be provided is needed to gain a better understanding of the child welfare system, the children and families who come in contact with it and the services they receive. The data will allow RTI to identify and contact survey participants, including children, parents, non-parent adult caregivers and caseworkers. The data to be provided will be from certain California counties that have agreed to participate in NSCAW Ill. 11. BACKGROUND AND AUTHORITY Since 1999, ACF has been sponsoring a longitudinal survey, NSCAW, to provide nationally representative information about the well-being, service needs and service utilization of children and families who come to the attention of the U.S. child welfare system. The study, authorized under the Personal Responsibility and Work Opportunity Reconciliation Act of 1996 ("PRWORA") 1, provides information about program, policy and practice issues of concern to federal. state and local governments and child welfare agencies. Two prior surveys were conducted in 1999 (''NSCAW") and 2008 ("NSCAW II"). In 2016, ACF awarded a contract to RTI to collect data relating to a third cohort of children and families for purposes of conducting NSCAW Ill. The administrative data provided to RTI will be used to identify individual children aged birth to 17 ½ years who come in contact with the child welfare system within a 12 month period beginning in July 2017. Following completion of the work, the survey data will be stripped of all identifying information and analyzed for the possibility of re-identification/inadvertent disclosure before being made available to the larger research and policy community to encourage secondary analyses that will support further research and timely policy decisions. The National Data Archive for Child Abuse and Neglect (NDACAN) at Cornell University is the repository for NSCAW data. COSS is the single state agency under Title IV of the Social Security Act that is responsible for oversight of county and community agencies in the implementation of child welfare services (CWS) programs, which include services provided to children and families when a child is at risk or is alleged to be the victim of child abuse, neglect, or exploitation. The vision of California's 1 Title V, Sec, 429A, National Random Sample Study of Child Welfare (PL No.104-193)
Appendix A: MOU Between RTI and COSS Agreement 17-6011 CDSS/RTI International Page 2 of 7 child welfare system is that every child in California will live in a safe, stable, permanent home, nurtured by healthy families and strong communities. In order to achieve this vision, COSS is committed to efforts to support effective and rigorous program analyses of services provided to children and families, and ultimately, to improve the safety, health and well-being of California's children. Ill. SCOPE OF WORK Under this MOU, COSS is disclosing confidential information to RTI for purposes directly connected with the administration of the program in compliance with the above legal authority. The confidential data to be provided will come from the following participating California counties: Butte, Fresno, Los Angeles, Monterey, Riverside, San Bernardino and San Diego. Additional counties may be added to this MOU without requiring an amendment to this MOU. The data provided will include, but shall not be limited to, the following: A. Extracts of the California Child Welfare Services/Case Management System (CWS/CMS) File data set that are available consisting of child cases with closed investigations/assessments as well as child cases that entered legal custody without an investigation/assessment for 12 months beginning with July 2017 cases. The specific data elements to be provided are found in Attachment A, Table 2 8. National Child Abuse and Neglect Data System (NCANDS) Child File data set consisting of child-specific data of all reports of maltreatment to State child protective service agencies that received an investigation or assessment response covering the study period (July 2017 to December 2020). The specific data elements to be provided are found in Attachment A, Table 2. C. Federal Adoption and Foster Care Analysis and Reporting System (AFCARS) data elements as established in Section 479 of the Social Security Act and 45 CFR Section 1355 covering the study period (July 2017 to December 2020). The specific data elements to be provided are found in Attachment A, Table 2. D. A crosswalk of encrypted and unencrypted child identification numbers for NCANDs and AFCARS data sets. IV. RTI RESPONSIBILITIES RTI shall be provided access to confidential data for the sole purpose of conducting research as described herein. RTI agrees to: A. Enter into any agreements with the counties that are necessary to obtain the data for NSCAW Ill.
Appendix A: MOU Between RTI and CDSS Agreement 17-6011 COSS/RTI International Page 3 of 7 8. Use the data it receives under this MOU only for the purpose of completing its NSCAW 111 obligations and for no other purpose. The data shall not be used for personal gain or profit. C. Protect the confidentiality of all data it receives, maintains, stores and transmits pursuant to this MOU and shall implement administrative, physical and technical safeguards based upon applicable laws, regulations, policies, or other rules or standards that reasonably and appropriately protect the confidentiality of the data. D. Designate a person to be responsible for the security and confidentiality of the data. RTI shall immediately notify COSS in writing of a designee change. The person responsible for security and confidentiality of data at RTI is: Orin Day RTI International 3040 East Cornwallis Road P.O. Box 12194 Research Triangle Park, NC 27709:2194 (919) 541-5515 oday@rti.org E. Comply with the provisions of COSS Confidentiality and Information Security Requirements, Attachment B of this MOU. F. Maintain the approval of this research project by the Committee for the Protection of Human Subjects (CPHS) via annual renewals of the original CPHS approval dated June 26, 2017. RTI shall notify COSS within ten (10) business days of any adverse events or deviation which is required to be reported to the CPHS along with copies of any such report and any documents from CPHS related to that adverse event or deviation. G. Acknowledge COSS as the original source of the data in any publications resulting from or related to the use of the data. H. Include a disclaimer that credits the respective departmental authors for any analysis, interpretations, or conclusions reached. A suggested wording is: 'The findings reported herein were performed with the permission of COSS. The opinions and conclusions expressed herein are solely those of the authors and should not be considered as representing the policy of the collaborating agency or of any agency of the California government." I. Provide COSS with a pre-publication draft of any reports utilizing the data provided under this MOU no later than sixty (60) calendar days before publication so that COSS can review the reports, offer edits, and express any concerns with content to RTI prior to the publication of the report. RTI shall collaborate with COSS to resolve any concerns raised during the review, including the removal of information by which an individual may be personally identified. Should COSS disagree with any part of the report, CDSS's disagreement must be Included In the final published report, preferably located in the Executive Summary.
Appendix A: MOU Between RTI and COSS Agreement 17-6011 COSS/RTI International Page 4 of 7 J. Any publication that solely includes aggregated national data and additionally meets either of the following conditions shall not be subject to the requirements established in Paragraphs G, Hor I of Section IV: 1. California's state-or county-level data cannot be derived, inferred or otherwise identified from the publication; 2. The publication does not include any findings, analysis, interpretations or conclusions that specifically addresses California at either a state-or county-level either independently or in comparison to other national, state or county data within the publication. K. Ensure that technical descriptions of the data derived from the data are consistent with those provided by CDSS. L. Allow, with an advance written ten (10) day notice to RTI, CDSS or its authorized representatives to access locations of the datasets and to conduct an audit. The purpose of any such audit shall be to confirm that the use of the data and datasets complies with the terms of this MOU, including Attachment B, the COSS Confidentiality and Security Requirements Agreement and the plan submitted to Institutional Review Board of the CPHS and related approval(s) of the CPHS. 1. RTI shall cooperate and assist with any such audit, which may include the provision of information relating to identification of the locations of the datasets or data; those who accessed, used or disclosed the datasets or data; or other information relevant to the security and protection of the confidentiality or privacy of the information contained within the datasets. 2. Identified audit items shall be corrected by RTI through the implementation of a corrective action plan approved by COSS. V. COSS RESPONSIBILITIES A. On a monthly basis, commencing in August 2017, or as soon as is practicable thereafter, COSS will transmit to RTI the data specified in Attachment A. Any additional data as may be requested by RTI and agreed to by COSS shall be transmitted on a mutually agreed upon date. B. COSS may, in its discretion, conduct random on-site inspections of facilities and operations, wherever the data provided hereunder is stored, accessed to transmitted, to ensure the terms of this MOU are being complied with. VI. TERM This MOU shall be effective upon signature of both CDSS and RTI. The MOU shall expire on May 31, 2022, unless terminated pursuant to Paragraph VIII, 8. below.
Appendix A: MOU Between RTI and COSS Agreement 17-6011 CDSS/RTI International VII. PROJECT REPRESENTATIVES The project representatives during the terms of this MOU are: For CDS$: Jenny Chi, Staff Services Manager I Research Services Branch 744 P St., MS 9-13-56 Sacramento, CA 95814 Phone: (916) 653-1428 Email: Jenny.Chi@dss.ca.gov For RTI: Melissa Dolan, NSCAW Project Director Survey Research Division 230 West Monroe St., Suite 2100 Chicago, IL 60606 Phone: (312) 456-524 7 Email: mdolan@rti.org Page 5 of 7 Either party may make changes to the project representatives above by giving five (5) days written notice to the other party. Said changes shall not require an amendment to this MOU. VIII. GENERAL PROVISIONS A. Amendments. No condition or provision of this MOU shall be waived or altered except by written amendment signed by a duly authorized representative of COSS and RTI. No oral understanding or agreement not incorporated herein shall be binding upon either party. B. Termination. 1. Termination without cause: This MOU may be terminated by either party without cause upon 30 days' written notice. 2. Termination with cause. This MOU may be terminated immediately by either party if the terms of this MOU are violated in any manner. 3. Other grounds for termination. In the event that any other contract, agreement or MOU which is identified in Section II. Background and Authority, above, as being related to or necessary for the performance of this MOU, terminates or expires, this MOU may be terminated upon the effective date of the termination of that contract, agreement or MOU, even if such termination will occur with less than thirty (30) days written notice.
Appendix A: MOU Between RTI and COSS Agreement 17-6011 CDSS/RTI International C. Return or Destruction of Data Page 6 of 7 Confidential data used, compiled, processed, stored or derived through the performance of this MOU shall be destroyed or returned upon the expiration of termination of this MOU, as directed by COSS. RTI shall destroy all data not returned when the authorized use ends in accordance with approved methods of confidential destruction. including but not limited to, shredding, burning, certified or witnessed destruction, or degaussing of magnetic media. RTI shall provide a certification letter confirming that all data was destroyed and method utilized to destroy the data. D. Dispute Resolution Process: If a dispute arises between COSS and RTI. the parties must seek resolution using the process outline below: The RTI Project Representative should first informally discuss the problem with CDSS Project Representative. If the problem cannot be resolved Informally, the RTI Project Representative must direct the grievance, in writing, to CDSS Project Representative. The CDSS Project Representative must make a written decision within ten (10) working days after receipt of the written grievance. Should RTI disagree with the written decision of the CDSS Project Representative, the RTI may appeal in writing to CDSS Project Representative, specifying the dispute, the facts, and the legal authority, if any, supporting the position of RTI. The COSS Project Representative shall respond in writing within ten (1 O) working days of receipt of the appeal with a final decision. The decision of CDSS shall be final. E. Choice of Law and Consent to Jurisdiction. Any action relating to this MOU must be brought in the federal or state courts of competent jurisdiction located in California. F. Notices. All notices, reports, requests, or other communications given pursuant to this Agreement shall be made in writing and shall be delivered by hand delivery, overnight courier service. It shall be deemed to have been duly given when delivery is confirmed/verified. G. Entire Agreement. This MOU constitutes the entire agreement between the parties; no promises, terms, or conditions not recited, incorporated or referenced herein, including prior agreements or oral discussions, shall be binding upon either party. H. Survival. All provisions of this MOU relating to privacy, confidentiality and information security shall survive the termination or expiration of this Agreement.
Appendix A: MOU Between RTI and COSS Agreement 17-6011 COSS/RTI International IX. AUTHORIZED REPRESENTATIVES Page 7 of7 By signing below, the lndivjdual certifies that it is acting as the representative of the entity named below and possesses the authority to enter into this MOU on behalf of that entity. CALIFORNIA DEPARTMENT OF SOCIAL SERVICES By: -'ti~ Michael White, Staff Services Manager I, Contacts and Purchasing Bureau Date
Appendix A: MOU Between RTI and COSS Agreement 17-6011 CDSS/RTI International Page 1 of 7 Attachment A ~ National Survey of Child and Adolescent Well-Being "J....yt RTI li1temat1ona1. PO Box 12194 • Research Triangle Park, North Carolina 27709 • USA Sponsored by· Adminislralion for Children and Families Conducted by· RTI International • The University of North Carolina at Chapel HIii • Washington Unlverslly In St. Louis Thank you for your participation in the National Survey of Child and Adolescent Well-Being (NSCA W)! This document provides instructions for preparing and submitting monthly data files from which children will be sampled for the study. The following items are described in detail: • the types of child cases that will be included in the sample, • the data fields necessary for developing a list of children from which the NSCA W sample will be drawn, • the preferred formats for the data fields requested, and • methods for transferring files to RTL I. Cases to be Sampled for NSCAW The NSCA W sample wi 11 consist of two types of child protective services (CPS) cases: I) children with a closed maltreatment investigation or assessment (other than at risk, sibling abused), and 2) children who have been removed without an investigation or assessment and who are in state or county legal custody. The latter group might include, for example, children who entered the child welfare system via the juvenile justice system. Children with a maltreatment investigation or assessment are eligible for sampling regardless of whether the allegations of child abuse or neglect were substantiated.. Our goal is to interview 4,565 eligible children nationwide. We will randomly select approximately 65-75 children from the caseloads of each participating agency. Children will be sampled from monthly files covering a 12 month period. We request that monthly files include all children who had a closed (or completed) investigation/assessment in the previous month, and all children who entered legal custody in the previous month. For example, in August 2017, we will be selecting from July 2017's cases. From this list of the previous month's cases, we will select a random sample of children. Because there may be delays in which the data for closed cases are entered into the computer system, we would like to receive lists of the children who had a closed investigation/assessment in the previous 3 months. This will allow us to check the list of cases that were closed in the previous two months and include any children whose cases were not included in the previous month's list. For the 12-montb period, then, we are requesting the submission of 14 total files. Children who have certain characteristics that we are particularly interested in will be selected at higher rates than other children. That is, certain groups will be "oversampled." Each child will be classified into one of the following sampling groups listed in Table l.
Appendix A: MOU Between RTI and CDSS Agreement 17-6011 CDSS/RTI International Table l. NSCA W Within-County Sampling Groups • Infant (under 1 year old) o Receiving services in home o Receiving services out of home o No services • Ages I to 11 o Receiving services in home o Receiving services out of home o No services • Ages 12 to l 7 o Receiving services in home o Receiving services out of home o No services Page 2 of 7 Attachment A For the groups listed in the table, all infants and the children ages 12 to 17 receiving services will be oversampled. II. Data Elements Specifications Table 2 contains data elements requested in each monthly file submission. Included in the table are three columns: (1) the data element name (Data Element), (2) the preferred data type (Preferred Format), and (3) brief explanations / comments of that element (Explanations / Comments). In general, the Explanations / Comments column provides the guidance on how equivalent information can be obtained if the data elements requested are not available. The Explanations/ Comments box (column 3) includes several items describing the data element. First is the purpose, which explains our need for the item and its purpose in the construction of the NSCA W sample. Second is the comments, which provides additional detail and guidance on the data element, and notes alternative variables that we could use to obtain the required information. Next is the confidentiality concerns, which provides strategies for limiting the amount of identifying information requested for specific data elements (if necessary). Lastly1 is mapping, which describes the data element in relation to any corresponding Statewide Automated Child Welfare Information System (SACWIS) definitions and variables reported to the National Child Abuse and Neglect Data System (NCANDS) and Adoption and Foster Care Analysis and Reporting System (AFCARS). This mapping procedure will help to ease the programming burdens in preparing the data files. If variables that are different from those requested but provide the same information are available and can be extracted, we will work with your agency to utilize those variables.
Appendix A: MOU Between RTI and COSS Agreement 17-6011 CDSS/RTI International m. File Specifications and Methods of Transfer Page 3 of 7 Attachment A The preferred fonnats in Table 2 are only guidelines; we will accept the data in almost any format that your agency finds convenient. Data security procedures are in place to ensure the protection of the personally identifiable infonnation (PU) contained in the sample files. Sample files can be transmitted to RTI via a password-protected, secure website (https:\\nscaw~rtLOn!). Your agency will have a unique login and web page for submission of monthly files. Your agency's web page will allow designated staff to upload files and view the filenames and timestamps of the files that have been uploaded in prior sess1.ons. Once uploaded, sample files will be encrypted and saved to RTl's enhanced security network. RTl's enhanced security network is isolated from the internet and accessed only via two-factor authentication (PIN plus token). RTI will maintain the privacy of all personally identifiable information (PU) provided by your agency to the extent permitted by law. Data will be transmitted and stored in such a way that only members of the project team who are authorized and have need will have access to any identifying infonnation. All staff working on NSCA W must sign affidavits pledging that the data they will collect or work with will not be disclosed. Penalties for disclosure include termination of employment and financial fines. This collection of information is voluntary and responses will be kept private to the extent permitted by law, The information will be used to learn about the functioning and we/I.being, service needs, and service utilization of CWS-involved children and families. Public reporting burden for this collection of information is estimated to average 120 minutes per response for meeting with project staff to review the sample file instructions, and 50 minutes for the generation and transmission of each monthly sample file. An agency may not conduct or sponsor, and a person is not required to respond to, o collection of information unless it displays a currently valid 0MB control number. The 0MB number and expiration dote for this collection ore 0MB II: 0970-0202, exp: 11/30/2019. List of Data Elements Needed for Sampling 1. CPS Child ID/SSN 12. Assessment/Investigation Start Date 2. NCANDS ID 13. Assessment/Investigation End Date 3. AFCARS ID 14. Report Date 4. Child Case ID 15. Referral ID 5. County of Investigation/Assessment 16. Case/ Investigation / Report ID 6. Regional/Local Office ID 17. Report Disposition 7. Date of Birth 18. Child's Race 8. Maltreatment Type 19. Hispanic Origin 9. Receiving CWS Services Case Opened 20. Child's Sex 10. Placement Episode End Date 21. Agency Code 11. Date of Latest Removal
Appendix A; MOU Between RTI and COSS Agreement 17-6011 CDSS/RTI International Page4 of7 Attachment A Table 2. Data Eltntcnts Ntcdrd for NSCAW Within-County Sampling Data ElemenHH PrcferrcdFonoat 12) Explanations/ Commenlii (3) .. I. CPS Child ID/SSN None Purpose: The CPS Child lD/SSN is to link the selected sample records back to the (key) CPS agency data system. Comment$: The CPS child ID should be a unique ID for the child, not for the case. This ID should be pem1anent and the child should not receive a second ID if he/she is investigated agnin. Mannim~: None. 2, NCANDS ID (key) None Purpolir: The NCANDS ID will allow linkage of the NSCA W data to NCANDS datll. Comments: TIie unique unencrypted NCANDS ID is assigned to each child in NCANDS. Mapping: Unencrypted NCANDS field 114, ChlD. 3. AFCARS ID (key) None Purpose: The AFCARS ID will allow linkage of the NSCAW data to AFCARS datn. Comments: The unique unencryped AFCARS ID is assigned to each child in NCANDS. Mannin2: UnencrvPlcd AFCARS field 114, Rec Number. 4. Child Case ID None Purpose: This will allow RTI the ability to find identifying infonnation from the county. Comment: Agency will be responsible for the CllSC for identifying purposes. MaPPine: None 5. County of Alphanumeric 3 ·Purpo$e: To identify the case'5 geographical origin. The County of I nveStigntion/ Assess-Investigation/Assessment should renect the county in which the ment (key) investigation/assessment of the case wus conducted. If applicable. the Regional/1.ocal Office ID should indicate the office that ha:. jurisdiction oYer the 6. Regional/Local investigntion / assessment. Office ID (key, if Comment$: A 3-digit County Flf'S code or other county identifier that is being used applicable) by the agency system. lftJ1e county is divided between 2 or more regional offices ~nd/or if there arc 2 or more local offices within the county, n Regional/Local Office ID should be included in the file. · Mapping: None.
Appendix A; MOU Between RTI and COSS Agreement 17-6011 CDSS/RTI International Data Elen,entm PreJ'erredEormat 1-ll 7. Date ofBirth (key) DOB: Alphonumeric 8 YYYYMMDD) 8. Maltreatment Type Alpminumeric: (key} 1 -Physical Abuse 2 -Neglect or Deprivation of Necessities 3 -Medical Neglect 4-Sexual Abuse 5 -Psychological or Emotional 6-No Alleged Maltreatment 8-Other 9 -Unknown or Missini:: 9. Receiving CWS Alphanumeric: I or0 Services (key)(Case 1-Case Open Opened) 0-No Case 10, Placement Episode End Date (key) Page 5 of 7 Attachment A E,cplanal1ons I Comments (3) Purpose: Date of 8irth is used to distinguish infants (less then 1 year old) from the older children_ Children who are older than 17 years and 6 months at the closing of the invcstigiitlon/as~cssmcnt will be ci,:cludcd from the study_ Comments: Date of Birth should follow as: year (4), month (2), day (2). M11pping: Date of Birth can be mapped to SACW1$ (Date of Birth), NCANDS (CHBDATE). Child Age can be mapped to SACWIS (Age) and NCANDS (CHAOE;.)_ Purpose: The type of maltreatment will be used to adjust for nonrcspomc and will allow for improved estimntes when conducting nnolysis of the data_ Comments: This is the main type of maltreatment tl1at was reported. M11pping: Can be mapped directly to the NC ANDS variable ChMaJ 1. Purpose: To disringuish children and their families who receive services provided by the CPS agencies from those who do not recc;ive CWS services. This infonnation will be used to oversample children who receive CWS services. Comments: Whether or not a child is receiving services should be indicated by the child or family's currem service status at the time the data files are compiled. If the system is not nble to create a receiving services indicator variable, we will accept service variables that would allow us lo extract the required infoflTlation. Mappin2: Can be directly ,napped to SACW!S {service) only. Purpose: To identify children who spent more than 72 hours in out-of-home services for sampling purposes. Comments: Because the Receiving CWS Services clement includes children receiving in-home and out-of-home care services, children receiving out-of-home serviccs/in foster Cflre will be identified by cross-reforencing the Receiving CWS Services elements with he Date of Latest Removal element. Mappini:: Can be indirectly mapped to SACWlS (Service-Foster Care Services)_ Arty !record ln AFCARS Fost4;r Care Detail File implies a child has received Foster Care Services.
Appendix A: MOU Between RTI and COSS Agreement 17-6011 CDSS/RTI lnlernallonal Data Eltlmcnt (1) Pr'1!fcrred Format (2) 11. Date ofUJtest Alphanumeric 8 Removal (key) (YYVYMMDD) 12,Assessmcnt/ Alphanumeric 8 Investigation Start (YYYYMMDD) Date(key) J3, Assessment/ Alphanumeric 8 Investigation End (YYYYMMDD) Date(key) 14. rteport Date: (key) Alphanumeric 8 (YYYYMMDD) 15. Referral ID (key) None !6.Caw/lD None E1rnl!lllatio115 / Commeot5 (3) Page 6 of 7 Attachment A Purpose: To establish the eligibility of the cases for inclusion on the sampling fhlme. Because the Receiving CWS Services element includes children receiving in-home lilld oul-of-homc care services, children receiving oul-of-home services/in foster care will be identi fled by cross-referencing the Receiving CWS Services elements with the Date of Latest Removal element. Comment5: Date the child received the most recent out-of•homc placement services. Mappini:: Can be mapped to AFC A RS (field #21 of the Foster Care Detail File). Purpose: To establish the eligibility of the cases for inclusion in the sampling frame. Comments: Dates for when the investigation/assessment of child abuse or neglect began ond ended (or closed). M11pping; C!ll! be mapped lo SACWIS (Opened Case and Case Close Pate), Purpose: To establish when the maltreatment report was filed with the agency. Comrncnls: The date agency wus notified of the suspected child maltteal.JtlenL Mapping: Can be mapped to NCANDS field #6, RptOt l>urpo$e: ·rhc Family ID will allow us to identify families so that on!y one child will be selected from a family. Comment~: A unique identification n1.1mbcr given lo families under investigation/ assessment. Maooinl!: Ca.n be mapped 10 SACWIS (Familv ID). Purpose: °The Case ID should be used to link selected sample records back to the some case/report in the CPS data system. This also will ollo,v us to uniquely identify child records for deduplicalion. Commcnls: A unique idenliflcation number given to a case or report under inveslign1ion / esscssmeni. The Case/Report ID may be the same as the Family ID. M11nnln11: None.
Appendix A: MOU Between RTI and COSS Agreemenl 17-6011 CDSS/RTI lnternalional Data Eleml!ot (1) f>re(erred fQrmat (2) 17. Report Disposilioo Alphanumeric: (key) 1 -Substantiated 2 -Indicated or reason to suspect 3 -Alternative response disposition-victim 14 -Alternative response !disposition-not a victim S -Unsubstantiated ~ -Unsubstantiated due to intentiOnally false 7 -Closed-no finding 88-Other ()9 -Unknown or missin!l 18. Child's Race Alphanumeric: I, 2. 3 (key) 1 -Black 2-White 3-Othcr 19. Hispanic Alphanumeric: I or 0 Origin (key) I -Hispanic origin 0-Otherwise 20. Child's Sex Alphanumeric: I or0 (key) I-Male 0-Fcmale 21. A!lCl1CY Code Nono Exnl1uu;itions / Comments (3\ Page 7 of7 Attachment A Purpose: The disposition of the investigation/ assessment will allow us to refine our sampling slrala, It will also be important infoTTT1alion tbr improved estimates when conducting analysis of the datu. Comments: The disposition is Ille result 11Ssigned upon the completion ofan investigation or assessment. Mnpping: Can be mapped indirectly 10 NC ANDS field #9, RptDisp. Purpose: Key demographic information, II c:in :ilso be used to assist us in uniquely identifying child records fordeduplicalion. Comments: The r:icc of the child. Mnpplng: Can be indireclly mapped to SACWIS (Race) and NCANDS (CH RACE), Purpose: Key demographic information. It can also be 11Sed to assist us in uniquely identifying child records for deduplication. Comments: Denotes a child has a Hispanic elhnidty, Maooin!!: Can be maooed to SACWIS Cliistlanic Ori11.inl and NCANDS (CHISPl. P11rpo$e:· Key demographic information. It can also be used to assist us in uniquely identifying child records for deduplicalion. Comments: Sex of child at birth, male or female. Momiioi!: Can be matloed to SACWIS (Sex) and NC ANDS I CHS EX\, Purpose: To show Wclfa.n: or Probation Jurisdiction
Appendix A: MOU Between RTI and COSS The California Department of Social Services Confidentiality and Information Security Requirements Contractor/Entity -v 2017 07 This Confidentiality and Information Security Requirements Exhibit (hereinafter referred to as uthis Exhibit") sets forth the information security and privacy requirements Contractor/Entity (hereinafter referred to as "Contractor") is obligated to follow with respect to all confidential and sensitive information (as defined herein) disclosed to or collected by Contractor, pursuant to Contractor's Agreement (the "Agreement") with the California Department of Social Services (hereinafter "COSS") in which this Exhibit is incorporated. The COSS and Contractor desire to protect the privacy and provide for the security of COSS Confidential, Sensitive, and/or Personal (CSP) Information (hereinafter referred to as i'CDSS CSP") in compliance with state and federal statutes, rules and regulations. I. Order of Precedence. With respect to information security and privacy requirements for all COSS CSP, unless specifically exempted, the terms and conditions of this Exhibit shall take precedence over any conflicting terms or conditions set forth in any other part of the Agreement between Contractor and COSS and shall prevail over any such conflicting terms or conditions. II. Effect on lower tier transactions. The terms of this Exhibit shall apply to all lower tier transactions (e.g. agreements, sub-agreements, contracts, subcontracts, and sub-awards, etc.) regardless of whether they are for the acquisition of services, goods, or commodities. The Contractor shall incorporate the contents of this Exhibit into each lower tier transaction to its agents, contractors, subcontractors, or independent consultants, etc. Ill. Confidentiality of Information. a. DEFINITIONS. The following definitions apply to this Exhibit and relate to CDSS Confidential, Sensitive, and/or Personal Information. i. "Confidential Information" is information maintained by the COSS that is exempt from disclosure under the provisions of the California Public Records Act (Government Codes Sections 6250 et seq.) or has restrictions on disclosure in accordance with other applicable state or federal laws. ii. "Sensitive Information" is information maintained by the COSS, which is not confidential by definition, but requires special precautions to protect it from unauthorized access and/or modification (i.e., financial or operational information). Sensitive information is information in which the disclosure would jeopardize the integrity of the COSS (i.e., COSS' fiscal resources and operations). iii. "Personal Information" is information, in any medium (paper, electronic, or oral) that identifies or describes an individual (i.e., name, social security number, driver's license, home/mailing address, telephone number, financial matters with security codes, medical insurance policy number, Protected Health Information (PHI), etc.) and must be protected from inappropriate access, use or disclosure and must be made accessible to information subjects upon request. It can also be information in the possession of the Department in which the disclosure is limited by law or contractual Agreement (I.e., proprietary information, etc.).
Appendix A: MOU Between RTI and COSS iv. "Breach" is 1. the unauthorized acquisition, access, use, or disclosure of CDSS CSP in a manner which compromises the security, confidentiality or integrity of the information; or 2. the same as the definition of "breach of the security of the system" set forth in California Civil Code section 1798.29(f). v. "Information Security Incident" is 1. an attempted breach; 2. the attempted or successful unauthorized access or disclosure, modification or destruction of CDS$ CSP, in violation of any state or federal law or in a manner not permitted under the Agreement between Contractor and CDSS, including this Exhibit; or 3. the attempted or successful modification or destruction of, or interference with, Contractor's system operations in an information technology system, that negatively impacts the confidentiality, availability or Integrity of COSS CSP. b. COSS CSP by the COSS which may become available to the Contractor as a result of the implementation of the Agreement shall be protected by the Contractor from unauthorized access, use, and disclosure as described in this Exhibit. c. Contractor is notified that unauthorized disclosure of CDSS CSP may be subject to civil and/or criminal penalties under state and federal law, including but not limited to: • California Welfare and Institutions Code section 10850 • Information Practices Act -California Civil Code section 1798 et seq. • Public Records Act -California Government Code section 6250 et seq. • California Penal Code Section 502, 11140-11144, 13301-13303 • Health Insurance Portability and Accountability Act of 1996 ("HIPAA") -45 CFR Parts 160 and 164 • Safeguarding Information for the Financial Assistance Programs -45 CFR Part 205.50 d. EXCLUSIONS. "Confidential Information", "Sensitive Information", and "Personal Information" (COSS CSP) does not include information that i. is or becomes generally known or available to the public other than because of a breach by Contractor of these confidentiality provisions; ii. already known to Contractor before receipt from COSS without an obligation of confidentiality owed to COSS; iii. provided to Contractor from a third party except where Contractor knows, or reasonably should know, that the disclosure constitutes a breach of confidentiality or a wrongful or tortious act; or
Appendix A: MOU Between RTI and COSS iv. independently developed by Contractor without reference to the COSS CSP. IV. Contractor Responslbilltles. a. Training. The Contractor shall Instruct all employees, agents, and subcontractors with access to the COSS CSP regarding: i. The confidential nature of the information; ii. The civil and criminal sanctions against unauthorized access, use, or disclosure found in the California Civil Code Section 1798.55, Penal Code Section 502 and other state and federal laws; iii. COSS procedures for reporting actual or suspected information security incidents in Paragraph V -Information Security Incidents and/or Breaches; and iv. That unauthorized access, use, or disclosure of CDSS CSP is grounds for immediate termination of this Agreement with COSS and the Contractor and may be subject to penalties, both civil and criminal. b. Use Restrictions. The Contractor shall take the appropriate steps to ensure that their employees, agents, contractors, subcontractors, and independent consultants will not intentionally seek out, read, use, or disclose the COSS CSP other than for the purposes of providing the requested services to COSS and meeting its obligations under the Agreement. c. Disclosure. The Contractor shall not disclose any individually identifiable COSS CSP to any person other than for the purposes of providing the requested services to COSS and meeting its obligations under the Agreement. Contractor is permitted to disclose individually identifiable COSS CSP with the consent of the individual to its service providers, its vendors, and its partners for the purposes of Contractor providing services to COSS or otherwise to meet Contractor's obligations under the Agreement. For COSS CSP, Contractor must provide COSS Program Manager and COSS Information Security Office with a list of Contractor authorized service providers and ensure they are bound by obligations sufficient to protect COSS CSP in accordance with this Agreement. d. Subpoena. If Contractor receives a subpoena or other validly issued administrative or judicial notice requesting the disclosure of COSS CSP, Contractor will immediately notify the COSS Program Contract Manager and the COSS Information Security and Privacy Officer. In no event should notification to COSS occur more than three (3) business days after receipt by Contractor's responsible unit for handling subpoenas and court orders. e. Information Security Officer. The Contractor shall designate an Information Security Officer to oversee its compliance with this Exhibit and to communicate with COSS on matters concerning this Exhibit. f. Requests for COSS CSP by Third Parties. The Contractor and its employees, agents, or subcontractors shall promptly transmit to the COSS Program Contract Manager and the COSS Information Security and Privacy Officer all requests for disclosure of any COSS CSP requested by third parties to the Agreement between Contractor and COSS (except from an Individual for an accounting of disclosures of the Individual's personal information pursuant to applicable state or federal law), unless prohibited from doing so by applicable state or federal law.
Appendix A: MOU Between RTI and COSS g. Documentation of Disclosures for Requests for Accounting. Contractor shall maintain an accurate accounting of all requests for disclosure of CDSS CSP Information and the information necessary to respond to a request for an accounting of disclosures of personal information as required by Civil Code section 1798.25, or any applicable state or federal law. h. Return or Destruction of COSS CSP on Expiration or Termination. Upon expiration or termination of the Agreement between Contractor and CDSS, or upon a date mutually agreed upon by the Parties following expiration or termination, Contractor shall return or destroy the CDSS CSP. If return or destruction is not feasible, Contractor shall provide a written explanation to the CDSS Program Contract Manager and the CDSS Information Security and Privacy Officer, using the contact information in this Agreement. CDS$, in its sole discretion, will make a determination of the acceptability of the explanation and, if retention is permitted, shall inform Contractor in writing of any additional terms and conditions applicable to the retention of the CDS$ CSP. i. Retention Required by Law. If required by state or federal law. Contractor may retain, after expiration or termination, CDSS CSP for the time specified as necessary to comply with the law. j. Obligations Continue Until Return or Destruction. Contractor's obligations regarding the confidentiality of CDSS CSP set forth in this Agreement. including but not limited to obligations related to responding to Public Records Act requests and subpoenas shall continue until Contractor returns or destroys the COSS CSP or returns the COSS CSP to CDSS; provided however, that on expiration or termination of the Agreement between Contractor and CDSS, Contractor shall not further use or disclose the CDSS CSP except as required by state or federal law. k. Notification of Election to Destroy CDSS CSP. If Contractor elects to destroy the CDSS CSP, Contractor shall certify in writing, to the COSS Program Contract Manager and the CDSS Information Security and Privacy Officer, using the contact information, that the COSS CSP has been destroyed. I. Background Check. Before a member of the Contractor's workforce may access COSS CSP, Contractor must conduct a thorough background check of that worker and evaluate the results to assure that there is no indication that the worker may present a risk to CDSS information technology systems and/or CDS$ data. The Contractor shall retain each workforce member's background check documentation for a period of three (3) years following Agreement termination. m. Confidentiality Safeguards. The Contractor shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the CDSS CSP that it creates, receives, maintains, uses, or transmits pursuant to the Agreement. Contractor shall develop and maintain a written information privacy and security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of the Contractor's operations and the nature and scope of its activities, including at a minimum the following safeguards:
Appendix A: MOU Between RTI and COSS I. General Security controls 1. Confidentiality Acknowledgement. By executing this Agreement and signing Paragraph XI, COSS Confidentiality and Security Compliance Statement, Contractor acknowledges that the information resources maintained by COSS and provided to Contractor may be confidential, sensitive, and/or personal. CDSS CSP information is not open to the public and requires special precautions to protect it from wrongful access, use, disclosure, modification, and destruction. 2. Workstation/Laptop Encryption. All Contractor-owned or managed workstations, laptops, tablets, smart phones, and similar devices that process and/or store COSS CSP must be encrypted using a FIPS 140-2 certified algorithm which is 128 bit or higher, such as Advanced Encryption Standard (AES). The encryption solution must be full disk unless approved by the COSS Information Security Office. 3. Data Encryption. Any COSS CSP shall be encrypted at rest when stored on network file shares or document repositories. 4. Server Security. Servers containing unencrypted COSS CSP must have sufficient administrative, physical, and technical controls in place to protect that data, based upon a risk assessment/system security review. 5. Minimum Necessary. Only the minimum necessary amount of the COSS CSP required to perform necessary business functions may be copied, downloaded, or exported. 6. Removable Media Devices. All electronic files that contain the COSS CSP must be encrypted when stored on any removable media or portable device (i.e. USB thumb drives, floppies, CD/DVD, smart phone, backup tapes etc.). Encryption must be a FIPS 140-2 certified algorithm which is 128 bit or higher, such as AES. 7. Antivirus Software. All Contractor-owned or managed workstations, laptops, tablets, smart phones, and similar devices that process and/or store CDSS CSP must install and actively use comprehensive anti-virus software solution with automatic updates scheduled at least dally. 8. Patch Management. To correct known security vulnerabilities, Contractor shall install security patches and updates in a timely manner on all Contractor-owned or managed workstations, laptops, tablets, smart phones, and similar devices that process and/or store COSS CSP as appropriate based on Contractor's risk assessment of such patches and updates, the technical requirements of Contractor's systems, and the vendor's written recommendations. If patches and updates cannot be applied in a timely manner due to hardware or software constraints, mitigating controls will be implemented based upon the results of a risk assessment.
Appendix A: MOU Between RTI and CDSS 9. User IDs and Password Controls. All users must be Issued a unique user name for accessing CDSS CSP. Contractor's password policy must be based on information security best practices for password length, complexity, and reuse. 10. Data Destruction. Upon termination of the Agreement, all CDS$ CSP must be wiped using the Gutmann or US Department of Defense (DoD) 5220.22-M (7 Pass) standard, or by degaussing. Media may also be physically destroyed in accordance with NIST Special Publication 800-88. Other methods require prior written permission of the COSS Information Security Office. ii. System Security Controls 1. System Timeout. The system providing access to the COSS CSP must provide an automatic timeout, requiring re-authentication of the user session after no more than thirty (30) minutes of inactivity. 2. Warning Banners. All systems containing COSS CSP must display a warning banner stating that data is confidential, systems are logged, and system use Is for business purposes only. User must be directed to log off the system if they do not agree with these requirements. 3. System Logging. The system must maintain an automated audit trail which can identify the user or system process which initiates a request for COSS CSP, or which alters COSS CSP. The audit trail must be date and time stamped, must log both successful and failed accesses, must be read only, and must be restricted to authorized users. If COSS CSP is stored in a database, database logging functionality must be enabled. Audit trail data must be archived for at least one ( 1) year after occurrence. 4. Access Controls. The system must use role based access controls for all user authentications, enforcing the principle of least privilege. 5. Transmission Encryption. All data transmissions of COSS CSP by the Contractor outside the secure internal network must be encrypted using a FIPS 140-2 certified algorithm, such as Advanced Encryption Standard (AES), with a 128bit key or higher. Encryption can be end to end at the network level, or the data files containing COSS CSP can be encrypted. This requirement pertains to any type of COSS CSP in motion such as website access, file transfer, and email. 6. Intrusion Detection. All systems involved in accessing, holding, transporting, and protecting CDSS CSP that are accessible via the Internet must be protected by a comprehensive intrusion detection and prevention solution.
Appendix A: MOU Between RTI and CDSS iii. Audit Controls 1. System Security Review. All systems processing and/or storing COSS CSP must have at least an annual system risk assessmenVsecurity review which provides assurance that administrative, physical, and technical controls are functioning effectively and providing adequate levels of protection. Reviews shall include vulnerability scanning tools. 2. Log Reviews. All systems processing and/or storing COSS CSP must have a routine procedure in place to review system logs for unauthorized access. 3. Change Control. All systems processing and/or storing COSS CSP must have a documented change control procedure that ensures separation of duties and protects the confidentiality, integrity and availability of data. iv. Business Continuity I Disaster Recovery Controls 1. Disaster Recovery. Contractor must establish a documented plan to enable continuation of critical business processes and protection of the security of electronic COSS CSP In the event of an emergency. Emergency means any circumstance or situation that causes normal computer operations to become unavailable for use in performing the work required under this Agreement for more than twenty-four (24) hours. 2. Data Backup Plan. Contractor must have established documented procedures to backup CDSS CSP to maintain retrievable exact copies of COSS CSP. The plan must include a regular schedule for making backups, storing backups offsite, an inventory of backup media, and the amount of time to restore COSS CSP should it be lost. At a minimum, the schedule must be a weekly full backup and monthly offsite storage of COSS data. v. Paper Document Controls 1. Supervision of Information. CDSS CSP in paper form shall not be left unattended at any time, unless it is locked in a file cabinet, file room, desk or office. Unattended means that information may be observed by an individual not authorized to access the information. COSS CSP in paper form shall not be left unattended at any time in vehicles or planes and shall not be checked in baggage on commercial airplanes. 2. Escorting Visitors. Visitors to areas where the COSS CSP are contained shall be escorted and COSS CSP shall be kept out of sight while visitors are in the area. 3. Confidential Destruction. COSS CSP must be disposed of through confidential means, such as cross cut shredding and/or pulverizing. 4. Removal of Information. COSS CSP must not be removed from the premises of the Contractor except for identified routine business purposes or with express written permission of COSS.
Appendix A: MOU Between RTI and COSS 5. Faxing. COSS CSP that must be transmitted by fax shall require that the Contractor confirms the recipient fax number before sending, takes precautions to ensure that the fax was appropriately received, maintains procedures to notify recipients if the Contractor's fax number changes, and maintains fax machines in a secure area. 6, Mailing. Paper copies of CDSS CSP shall be mailed using a secure, bonded mail service, such as Federal Express, UPS, or by registered U.S. Postal Service (i.e., accountable mail using restricted delivery). All packages must be double packed with a sealed envelope and a sealed outer envelope or locked box. V. Information Security Incidents and/or Breaches a. Information Security Incidents and/or Breaches Response Responsibility. The Contractor shall be responsible for facilitating the Information Security Incident and/or Breach response process as described in California Civii Code 1798.29(e), California Civil Code 1798.82(f), and State Administrative Manual (SAM) Section 5340, Incident Management. b. Discovery and Notification of Information Security Incidents and/or Breaches. The Contractor shall notify the COSS Program Contract Manager and the COSS Information Security and Privacy Officer within one (1) business day by telephone call and email upon the discovery of the Information Security Incident and/or Breach affecting the security of COSS CSP if the COSS CSP was, or is reasonably believed to have been, acquired by an unauthorized person, or there is an intrusion, potential loss, actual loss, or unauthorized use or disclosure of the COSS CSP is in violation of this Agreement, this provision, or applicable law. The Contractor shall take: i. Prompt corrective action to mitigate the risks or damages involved with the Information Security Incident and/or Breach and to protect the operating environment; and IL Any action pertaining to such unauthorized disclosure required by applicable Federal and State laws and regulations. c. Isolation of System or Device. A system or device containing COSS CSP compromised by an exploitation of a technical vulnerability shall be promptly disconnected or quarantined and investigated until the vulnerability is resolved. Contractor will notify CDSS CSP within one (1) business day of a confirmed exploitation of a technical vulnerability and keep CDSS informed as to the investigation until resolution of the vulnerability is completed. d. Investigation of Information Security Incidents and/or Breaches. The Contractor shall promptly investigate Information Security Incidents and/or Breaches. CDSS shall have the right to participate in the investigation of such Information Security Incidents and/or Breaches. CDSS shall also have the right to conduct its own Independent investigation, and the Contractor shall cooperate fully in such investigations.
Appendix A: MOU Between RTI and CDSS e. Updates on Investigation. The Contractor shall provide regular (at least once a week) email updates on the progress of the Information Security Incident and/or Breach investigation to the COSS Program Contract Manager and the COSS Information Security and Privacy Officer until they are no longer needed, as mutually agreed upon between the Contractor and the COSS Information Security and Privacy Officer. f. Written Report. The Contractor shall provide a written report of the investigation to the COSS Program Contract Manager and the CDSS Information Security and Privacy Officer within thirty (30) business days of the discovery of the Information Security Incident and/or Breach. To the extent Contractor has such information, the report shall include but not be limited to the following: i. Contractor point of contact information; ii. Description of what happened, including the date of the Information Security Incident and/or Breach and the date of the discovery of the Information Security Incident and/or Breach, if known; iiL Description of the types of COSS CSP that were involved and the extent of the information involved in the Information Security Incident and/or Breach; iv. A description of the unauthorized persons known or reasonably believed to have improperly used or disclosed COSS CSP; v. A description of where the CDSS CSP is believed to have been improperly transmitted, sent, or utilized; vi. A description of the probable causes of the improper use or disclosure; vii. Whether Civil Code sections 1798.29 or 1798.82 or any other federal or state laws requiring individual notifications of breaches are triggered; and viii. Full, detailed corrective action plan, including information on measures that were taken to halt and/or contain the Information Security Incident and/or Breach. g. Cost of Investigation and Remediation. Per SAM Section 5305.8, the Contractor shall be responsible for all costs incurred by COSS due to Information Security Incidents and/or Breaches resulting from the Contractor's failure to perform or from negligent acts of its personnel, and resulting in the unauthorized disclosure, release, access, review, or destruction; or loss, theft or misuse of an information asset. These costs include, but are not limited to, notice and credit monitoring for impacted individuals, COSS staff time, material costs, postage, media announcements, and other identifiable costs associated with the Information Security Incident, Breach and/or loss of data.
Appendix A: MOU Between RTI and COSS VI. Contact Information. To direct communications to the above referenced COSS staff, the Contractor shall Initiate contact as indicated herein. COSS reserves the right to make changes to the contact information below by giving written notice to the Contractor. Said changes shall not require an amendment to this Exhibit or the Agreement to which it is incorporated. COSS Program Contract Manager COSS Information Security & Privacy Officer California Department of Social Services Information Security & Privacy Officer See the Scope of Work exhibit for Program 7 44 P Street, MS 9-9-70 Contract Manager information Sacramento, CA 95814 Email: iso@dss.ca.gov Telephone: (916) 651-5558 VII. Audits and Inspections. COSS may inspect and/or monitor compliance with the safeguards required in this Exhibit. Contractor shall promptly remedy any violation of any provision of this Exhibit and shall certify the same to the COSS Program Contract Manager and the COSS Information Security and Privacy Officer In writing. The fact that COSS inspects, or fails to inspect, or has the right to inspect, Contractor's facilities, systems and procedures does not relieve Contractor of Its responsibility to comply with this Exhibit. VIII. Amendment. The parties acknowledge that federal and state laws regarding information security and privacy rapidly evolves and that amendment of this Exhibit may be required to provide for procedures to ensure compliance with such laws. The parties specifically agree to take such action as is necessary to Implement new standards and requirements imposed by regulations and other applicable laws relating to the security or privacy of COSS CSP. IX. Interpretation. The terms and conditions in this Exhibit shall be interpreted as broadly as necessary to implement and comply with regulations and applicable State laws. The parties agree that any ambiguity in the terms and conditions of this Exhibit shall be resolved in favor of a meaning that complies and is consistent with federal and state laws and regulations. X. Termination. An Information Security Incident and/or Breach by Contractor, its employees, agents, or subcontractors, as determined by COSS, may constitute a material breach of the Agreement between Contractor and COSS and grounds for immediate termination of the Agreement.
Appendix A: MOU Between RTI and COSS Agreement 17-8011 CDSS/RTI International XI. COSS Confldentlaflty and Security Compliance Statement Exhibit E -Attachment 1 Pa9e 11 of 11 CALIFORNIA DEPARTMENT of SOCIAL SERVICES CONFIDENTIALITY AND SECURITY COMPLIANCE STATEMENT v 2017 07 Information resources maintained by the California Department of Social Services (COSS) and provided to Contractor may be confidential, sensitive, and/or personal. Confidential, Sensitive, and/or Personal (CSP) information is not open to the public and requires special precautions to protect it from wrongful access, use, disclosure, modification, and destruction. We hereby acknowledge that the confidential and/or sensitive records of the CDSS are subject to strict confidentiality requirements Imposed by state and federal law, which may include, but i5 not limited to, the following; the California Welfare and Institutions Code §10850, Information Practices Act -California Civil Code §1798 et seq., Public Records Act· California Government Code §6250 et seq., Caltfomia Penal Code §602, 11140-11144, 13301-13303, Health Insurance Portability and Accountability Act of 1996 ("HIPAA") -45 CFR Parts 160 and 164, and Safeguarding Information for the Flnanclal Assistance Programs -45 CFR Part 205.50. Contractor agrees to comply with the laws applicable to the COSS CSP received. 'Proiec! Representative Name (Printed): Title: Contractor: Email Address: Phone: Signature: Date Sfaned: •1nformlltl0n Security Officer Name (Printed): Title: Contractor: Email Address: Phone: Signature: Date Sii:ined: .3\-z.. .-4-SC., -52L,17 · OR~rv A. D1t.., lnfonnation secyrjty Officer \<.Tr 17-6011 Exhibit E-Contractor.docx
APPENDIX B: Fresno County Summary of Services Summary of Services The National Survey of Child and Adolescent Well-Being (NSCAW), is a longitudinal study of children and families who come in contact with the child welfare system. This summary of services accompanies an agreement between Fresno County, California and RTI International (RTI) regarding Fresno County's participation in NSCAW. Participation in this study is voluntary. Sponsored by the Administration for Children and Families of the U.S. Department of Health and Human Services, the study examines the characteristics and needs of children and families as they enter the system, their experiences while they are in the system and after they leave it, and their situations and outcomes throughout the study period. Sample selection is scheduled to begin at a mutually agreed upon date following execution of this agreement with baseline interviews with children, parents/caregivers, and caseworkers occurring shortly thereafter. Follow-up interviews with children and families are scheduled to occur through 2020. Over 80 counties have been selected across the U.S. to obtain a nationally representative sample of children and families. Approximately 55 children and families will be interviewed from each county for the study. The provisions below describe the agreement between Fresno County and RTI. Agency Responsibilities 1. Provide a designated Agency Liaison for your agency who will provide assistance and information to the NSCAW Field Representatives (FRs) at your site in preparing for and implementing the study in your agency. This individual is subject to change at the discretion of Fresno County. This person is: Lydia Johnson, Social Work Supervisor --~---------------Examples of the kinds of assistance the Agency Liaison will be asked to provide include: • Providing an orientation to the agency organization and culture, which will help us carry out project work in ways that fit best with agency schedules and procedures. • Providing the FR with the names and addresses of families selected for the sample. The FR will then send a letter and information about the study to those families and follow-up with a telephone call to schedule an appointment.
• Assisting the FR to locate the sampled child by providing the last known contact information or information about changes to the child's living situation and current caregiver. • Providing or arranging for consent for the participation of sampled children who are in the custody of the state/agency. • Supporting and encouraging caseworker participation in interviews focused on sampled children in their caseload. The FR will contact caseworkers and schedule interviews when they are most convenient California Department of Social Services (CDSS) Responslb/1/tles As detailed in the MOU between RTI and CDSS, CDSS has agreed to: 1. On a monthly basis for 15 months, closed maltreatment investigations, as well as cases that entered legal custody without an investigation, will be compiled and sent to RTI for sampling purposes. The files will include child identification numbers, demographic data, and case-level data (such as whether the child was placed in out of home care) that RTI will use to draw the child sample within your agency and (with legal guardian consent) to link participating children's survey data to other administrative data (such as Medicaid data and data submitted to NCANDS and AFCARS). a. The individual in charge of this data submission is: Alicia Sandoval, Child Welfare Data Analysis Bureau, California Department of Social Services. We estimate that it will take approximately one hour per month, or 15 total hours, to prepare and submit the monthly files to RTI. 2. Copies of NCANDS and AFCARS files already being submitted to the Children's Bureau during the study period, as well as a crosswalk of encrypted and unencrypted child identification numbers will be submitted to RTL Only after legal guardian consent, RTI will link participating children's survey data to this administrative data on maltreatment re-reports, placements, and adoptions. a. The individual in charge of this data submission is: Alicia Sandoval, Child Welfare Data Analysis Bureau, California Department of Social Services. Project Team Responslbllltles The project team will be responsible for carrying out all the day-to-day activities for the project and will make your agency's participation as easy as possible. The project team will: 1. Be a resource to the agency, responding to questions or concerns raised by agency staff, and ensure that agency concerns are communicated and addressed.
2. Prepare a NSCAW research study package for review and secure state-level IRB approvals, a data sharing agreement through the state, a Petition and Order for Research to Fresno County Superior Court, and any other formal approvals prior to initiating sampling or data collection activities. 3. Maintain the privacy of all personally identifiable information (Pll) provided by the agency to the extent permitted by law. Data will be transmitted and stored in such a way that only members of the project team who are authorized and have need will have access to any identifying information. Sample files will be maintained in a secure data archive at RTI until study completion when they will be destroyed. 4. Disseminate NSCAW reports or research briefs detailing study findings and any other relevant project updates. Data analyses and reports will not include any identifying information on children or families. The NSCAW Field Representatives (FRs) will: 1. Conduct interviews with sampled children, parents/caregivers, and caseworkers; serve as liaison to the project team to ensure agency concerns are addressed; and be available to respond to questions about the project. The FR's supervisor will also be in contact with the Agency Liaison periodically to ensure that activities are going smoothly. 2. Protect the privacy of information provided by the agency and by NSCAW participants. Prior to conducting an interview, review with each participant a consent statement that includes assurances that the research team will protect the privacy of respondents to the fullest extent possible under the law, that respondents' participation is voluntary, and that they may withdraw their consent at any time without any negative consequences. Note: There is one exception: if an FR or the project team thinks that a child's life or health is in danger, they will inform the appropriate county or state agency.