State CDO Network

Establish clear and predictable processes for data sharing.

Many states struggle to share data across departments, programs, and systems in a coordinated and consistent way. Most states rely on individual memoranda of agreement or data sharing agreements on a project-specific basis, an approach that is both time- and labor-intensive and severely constrains a state’s ability to leverage integrated data for policy analysis. The following are generalized versions of legislative remedies used by states that have enhanced their ability to establish statewide integrated data systems.

Example 1: Indiana’s Management and Performance Hub:

MPH duties

Sec. 10. The MPH shall do the following:

(1) Establish and maintain a program to collect, analyze, and exchange government information in carrying out the powers and duties of the OMB and the powers and duties of the executive state agency sharing the data. In carrying out this program, the MPH may, in accordance with IC 4-1-6, obtain government information from each executive state agency.

(2) In accordance with IC 4-1-6 and IC 5-14-3, establish and maintain a program to make government information available to executive state agencies, political subdivisions, educational institutions, researchers, nongovernmental organizations, and the general public, subject to the following:

(A) A request for data subject to IC 4-1-6-8.6 shall be made in conformance with that section.

(B) A program established and maintained under this chapter must include policies governing access to government information held by the MPH under this chapter. Government information may be made available only in accordance with applicable confidentiality and disclosure laws.

(3) Establish privacy and quality policies for government information that comply with all applicable Indiana and federal laws, rules, and policies.

(4) In accordance with standards developed by the office of technology established by IC 4-13.1-2-1, establish and maintain a program to ensure the security of government information under this chapter.

(5) Conduct operational and procedural audits of executive state agencies.

(6) Perform financial planning and design and implement efficiency projects for executive state agencies.

(7) Advise and assist each executive state agency to identify and implement continuous process improvement in state government.

(8) Carry out such other responsibilities as may be designated by the director of the OMB or the chief data officer to carry out the responsibilities of the OMB or the chief data officer.

Some agencies may be concerned that legally protected data could be unintentionally disclosed under state public records requests. The following language can be used to ensure that only the agency from which the data originates can determine whether such data may be disclosed.

IC 4-3-26-12 Title to government information

Sec. 12. (a) Title to any government information that is obtained by the MPH under section 11 of this chapter and that is unchanged by the MPH remains with the executive state agency sharing the government information, including an executive state agency’s sole authority to license use of government information.

(b) Title to government information that is obtained by the MPH under section 11 of this chapter and that the MPH has changed in a substantive manner is vested in the MPH.

(c) Requests made in accordance with IC 5-14-3 for government information to which the MPH does not have title must be directed to the executive state agency sharing the government information. The MPH may not fulfill such a request.

The following section is a critical element in streamlining the sharing of data with a centralized data integration organization. By establishing the MPH as an agent of the agency that administers the programs that collect data, it authorizes the MPH to receive data from that agency, eliminating the need for individual memoranda of agreement with each agency and for each program from which the data will be shared. It does not eliminate the need for individual data sharing agreements.

IC 4-3-26-13 MPH agent of executive state agency

Sec. 13. The MPH is considered to be an agent of the executive state agency sharing government information and is an authorized receiver of government information under the statutory or administrative law that governs the government information. Interagency data sharing under this chapter does not constitute a disclosure or release under any statutory or administrative law that governs the government information.

Given that the above language does not eliminate the need for specific data sharing agreements, the following language enables the MPH to establish a consistent approach to creating necessary agreements.

IC 4-3-26-14 Prescribed form for data sharing

Sec. 14. (a) The MPH shall prescribe a form to be used to memorialize the sharing of data under this chapter.

(b) The form prescribed under subsection (a) must be:

(1) completed by the executive state agency or person described in section 15 of this chapter; and

(2) signed by the administrative head of the executive state agency or person.

(c) A data sharing form completed and signed under subsection (b) constitutes the agreement required by any statutory or administrative law that governs the data. No additional documentation may be required to share data under this chapter.

Example 2: North Carolina:

Since an integrated data system generally involves the sharing of sensitive and legally protected personal information, states may seek to craft more detailed legislation in order to address any specific privacy or security concerns. Additionally, the legislative process may require negotiations to narrow the broader language shown above. The following example specifically lays out the responsibilities of individual agencies and establishes detailed duties and responsibilities of a data integration center. In addition, where the previous example broadly designates the Indiana Management and Performance Hub as an agent of any program or agency that may participate, this example includes language intended to authorize the North Carolina Government Data Analytics Center as an agent of specific programs.

The following sections from the North Carolina General Statutes are intended to authorize the entity to receive data from specific programs. Similar to the above language from Indiana, this eliminates the need for program-specific memoranda of agreement; however, it identifies the specific programs, and the laws governing each program, from which the entity may receive data. The following represents many of the critical programs in all states; however, it is not an exhaustive list. States may want to add or remove sections based on their priorities.

(c) Data Sharing. -

(1) General duties of all State agencies. - Except as limited or prohibited by federal law, the head of each State agency, department, and institution shall do all of the following:

a. Grant the State CIO and the GDAC access to all information required to develop and support State business intelligence applications pursuant to this section. The State CIO and the GDAC shall take all necessary actions and precautions, including training, certifications, background checks, and governance policy and procedure, to ensure the security, integrity, and privacy of the data in accordance with State and federal law and as may be required by contract.

b. Provide complete information on the State agency’s information technology, operational, and security requirements.

c. Provide information on all of the State agency’s information technology activities relevant to the State business intelligence effort.

d. Forecast the State agency’s projected future business intelligence information technology needs and capabilities.

e. Ensure that the State agency’s future information technology initiatives coordinate efforts with the GDAC to include planning and development of data interfaces to incorporate data into the initiative and to ensure the ability to leverage analytics capabilities.

f. Provide technical and business resources to participate in the initiative by providing, upon request and in a timely and responsive manner, complete and accurate data, business rules and policies, and support.

g. Identify potential resources for deploying business intelligence in their respective State agencies and as part of the enterprise-level effort.

h. Immediately seek any waivers and enter into any written agreements that may be required by State or federal law to effectuate data sharing and to carry out the purposes of this section, as appropriate.

(2) Specific agency requirements. - The following agency-specific requirements are designed to illustrate but not limit the type and extent of data and information required to be released under subdivision (1) of this subsection:

a. The North Carolina Industrial Commission shall release to the GDAC, or otherwise provide electronic access to, all data requested by the GDAC relating to workers’ compensation insurance coverage, claims, appeals, compliance, and enforcement under Chapter 97 of the General Statutes.

b. The North Carolina Rate Bureau (Bureau) shall release to the GDAC, or otherwise provide electronic access to, all data requested by the GDAC relating to workers’ compensation insurance coverage, claims, business ratings, and premiums under Chapter 58 of the General Statutes. The Bureau shall be immune from civil liability for releasing information pursuant to this subsection, even if the information is erroneous, provided the Bureau acted in good faith and without malicious or willful intent to harm in releasing the information.

c. The Department of Commerce, Division of Employment Security (DES), shall release to the GDAC, or otherwise provide access to, all data requested by the GDAC relating to unemployment insurance coverage, claims, and business reporting under Chapter 96 of the General Statutes.

d. The Department of Labor shall release to the GDAC, or otherwise provide access to, all data requested by the GDAC relating to safety inspections, wage and hour complaints, and enforcement activities under Chapter 95 of the General Statutes.

e. The Department of Revenue shall release to the GDAC, or otherwise provide access to, all data requested by the GDAC relating to the registration and address information of active businesses, business tax reporting, and aggregate federal tax Form 1099 data for comparison with information from DES, the Rate Bureau, and the Department of the Secretary of State for the evaluation of business reporting. Additionally, the Department of Revenue shall furnish to the GDAC, upon request, other tax information, provided that the information furnished does not impair or violate any information-sharing agreements between the Department and the United States Internal Revenue Service. Notwithstanding any other provision of law, a determination of whether furnishing the information requested by the GDAC would impair or violate any information-sharing agreements between the Department of Revenue and the United States Internal Revenue Service shall be within the sole discretion of the State Chief Information Officer. The Department of Revenue and the Office of the State CIO shall work jointly to assure that the evaluation of tax information pursuant to this sub-subdivision is performed in accordance with applicable federal law.

f. The North Carolina Department of Health and Human Services, pursuant to this Part, shall share (i) claims data from NCTRACKS and the accompanying claims data warehouse and (ii) encounter data with the GDAC in order to leverage existing public-private partnerships and subject matter expertise that can assist in providing outcome-based analysis of services and programs as well as population health analytics of the Medicaid and LME/MCO patient population.

This section contains language similar to the Indiana example making the office an authorized agent of an agency; however, it refers to specific programs or laws rather than broadly across government.

(d) Provisions on Privacy and Confidentiality of Information.

(1) Status with respect to certain information. - The State CIO and the GDAC shall be deemed to be all of the following for the purposes of this section:

a. A criminal justice agency (CJA), as defined under Criminal Justice Information Services (CJIS) Security Policy. The State CJIS Systems Agency (CSA) shall ensure that CJLEADS receives access to federal criminal information deemed to be essential in managing CJLEADS to support criminal justice professionals.

b. With respect to health information covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended, and to the extent allowed by federal law:

1. A business associate with access to protected health information acting on behalf of the State’s covered entities in support of data integration, analysis, and business intelligence.

2. Authorized to access and view individually identifiable health information, provided that the access is essential to the enterprise fraud, waste, and improper payment detection program or required for future initiatives having specific definable need for such data.

c. Authorized to access all State and federal data, including revenue and labor information, deemed to be essential to the enterprise fraud, waste, and improper payment detection program or future initiatives having specific definable need for the data.

d. Authorized to develop agreements with the federal government to access data deemed to be essential to the enterprise fraud, waste, and improper payment detection program or future initiatives having specific definable need for such data.

(2) Release of information. - The following limitations apply to (i) the release of information compiled as part of the initiative, (ii) data from State agencies that is incorporated into the initiative, and (iii) data released as part of the implementation of the initiative:

a. Information compiled as part of the initiative. - Notwithstanding the provisions of Chapter 132 of the General Statutes, information compiled by the State CIO and the GDAC related to the initiative may be released as a public record only if the State CIO, in that officer’s sole discretion, finds that the release of information is in the best interest of the general public and is not in violation of law or contract.

b. Data from State agencies. - Any data that is not classified as a public record under G.S. 132-1 shall not be deemed a public record when incorporated into the data resources comprising the initiative. To maintain confidentiality requirements attached to the information provided to the State CIO and the GDAC, each source agency providing data shall be the sole custodian of the data for the purpose of any request for inspection or copies of the data under Chapter 132 of the General Statutes.

c. Data released as part of implementation. - Information released to persons engaged in implementing the State’s business intelligence strategy under this section that is used for purposes other than official State business is not a public record pursuant to Chapter 132 of the General Statutes.

d. Data from North Carolina Rate Bureau. - Notwithstanding any other provision of this section, any data released by or obtained from the North Carolina Rate Bureau under this initiative relating to workers’ compensation insurance claims, business ratings, or premiums are not public records, and public disclosure of such data, in whole or in part, by the GDAC or State CIO, or by any State agency, is prohibited.