Contract Template <,000
May 2021
Page 31
REV: 06-16-22 SK

e. Contractor agrees that all Contractor’s staff performing services under this Agreement sign a confidentiality statement prior to accessing PII and annually thereafter. The signed statement shall be retained for a period of three (3) years, and the statement include at a minimum: (1) general use; (2) security and privacy safeguards; (3) unacceptable use; and (4) enforcement policies.

f. Contractor agrees to conduct a background check of Contractor’s staff before they may access PII with more thorough screening done for those employees who are authorized to bypass significant technical and operational security controls. Contractor further agrees that screening documentation shall be retained for a period of three (3) years following conclusion of the employment relationship.

g. Contractor agrees to conduct periodic privacy and security reviews of work activity, including random sampling of work product by Contractor’s staff by management level personnel who are knowledgeable and experienced in the areas of privacy and information security in the administration of County’s programs and the use and disclosure of PII. Examples include, but are not limited to, access to data, case files or other activities related to the handling of PII.

h. Contractor shall ensure that PII is used and stored in an area that is physically safe from access by unauthorized persons at all times and safeguard PII from loss, theft, or inadvertent disclosure by securing all areas of its facilities where Contractor’s staff assist in the administration of the County’s programs and use, disclose, or store PII.

i. Contractor shall ensure that each physical location, where PII is used, disclosed, or stored, has procedures and controls that ensure an individual who is terminated from access to the facility is promptly escorted from the facility by an authorized employee of Contractor and access is revoked.

j. Contractor shall ensure that there are security guards or a monitored alarm system at all times at Contractor’s facilities and leased facilities where five hundred (500) or more individually identifiable records of PII is used, disclosed, or stored. Video surveillance systems are recommended.

k. Contractor shall ensure that data centers with servers, data storage devices, and/or critical network infrastructure involved in the use, storage, and/or processing of PII have perimeter security and physical access controls that limit access to only those authorized by this Agreement. Visitors to any Contractor data centers area storing PII as a result of administration of a County program must be escorted at all times by authorized Contractor’s staff.

l. Contractor shall have policies that include, based on applicable risk factors, a description of the circumstances under which Contractor staff can transport PII, as well as the physical security requirements during transport.

ATTY/AGR.2022.153/County of San Mateo (HSA Contract June 2022) (Page 31 of 37)
DocuSign Envelope ID: F5FF63A3-8103-4442-8F5F-F37301405123