Template version date: February 22, 2017 Issued by: 3

e. Contractor agrees that all Contractor’s staff performing services under this Agreement sign a confidentiality statement prior to accessing PII and annually thereafter. The signed statement shall be retained for a period of three (3) years, and the statement include at a minimum: (1) general use; (2) security and privacy safeguards; (3) unacceptable use; and (4) enforcement policies.

f. Contractor agrees to conduct a background check of Contractor’s staff before they may access PII with more thorough screening done for those employees who are authorized to bypass significant technical and operational security controls. Contractor further agrees that screening documentation shall be retained for a period of three (3) years following conclusion of the employment relationship.

g. Contractor agrees to conduct periodic privacy and security reviews of work activity, including random sampling of work product by Contractor’s staff by management level personnel who are knowledgeable and experienced in the areas of privacy and information security in the administration of County’s programs and the use and disclosure of PII. Examples include, but are not limited to, access to data, case files or other activities related to the handling of PII.

h. Contractor shall ensure that PII is used and stored in an area that is physically safe from access by unauthorized persons at all times and safeguard PII from loss, theft, or inadvertent disclosure by securing all areas of its facilities where Contractor’s staff assist in the administration of the County’s programs and use, disclose, or store PII.

i. Contractor shall ensure that each physical location, where PII is used, disclosed, or stored, has procedures and controls that ensure an individual who is terminated from access to the facility is promptly escorted from the facility by an authorized employee of Contractor and access is revoked.

j. Contractor shall ensure that there are security guards or a monitored alarm system at all times at Contractor’s facilities and leased facilities where five hundred (500) or more individually identifiable records of PII is used, disclosed, or stored. Video surveillance systems are recommended.

k. Contractor shall ensure that data centers with servers, data storage devices, and/or critical network infrastructure involved in the use, storage, and/or processing of PII have perimeter security and physical access controls that limit access to only those authorized by this Agreement. Visitors to any Contractor data centers area storing PII as a result of administration of a County program must be escorted at all times by authorized Contractor’s staff.

l. Contractor shall have policies that include, based on applicable risk factors, a description of the circumstances under which Contractor staff can transport PII, as well as the physical security requirements during transport.

m. Contractor shall ensure that any PII stored in a vehicle shall be in a non-visible area such as a trunk, that the vehicle is locked, and under no circumstances permit PII be left unattended in a vehicle overnight or for other extended periods of time.

ATTY/AGR.2021.130/County of San Mateo (Page 26 of 31)