Appendix A: Data Sharing Agreement Template

Download: docx | pdf

Appendix A: Data Sharing Agreement Template

This Data Use and Security Agreement (hereafter referred to as “Agreement”) effective as of      , 2024 (“Effective Data”), is made by and between the site (the “Data Provider”) and Center for Policy Research (CPR) (hereafter referred to as the “Data Recipient”). Data Provider and the Data Recipient will be collectively referred to as the “Parties.”

As a non-profit research organization, the Center for Policy Research (CPR), under the SAVES Project will receive and analyze child support system data. Specifically, the Center for Policy Research will be collecting data on selected characteristics of domestic violence (DV) cases and clients in the child support system and the actions taken on their cases for the purpose of understanding selected features of child support cases and clients with safety issues that are in the child support system. The study will also reveal client experiences with the program including payment outcomes, and enforcement activities. Under Contract Number 24 IHGA 188692, CPR will be collecting this data and conducting this analysis on behalf of the Colorado Department of Human Services, Division of Child Support Services, hereinafter referred to as “Client.” Client has a cooperative agreement with the Federal Office of Child Support Services (OCSS) (“Funder”) to implement the Safe Access for Victims’ Economic Security (“SAVES”) National Demonstration Model, Federal Award: 90FD0253. One duty of the SAVES Center is to conduct and disseminate national research on domestic violence victims’/survivors’ barriers and needs related to child support and parenting time services.

Data Recipient is bound by a variety of Government regulations and laws, as well as contractual obligations with all its clients, to be accountable for information confidentiality, integrity and security. Similarly, individual consultants and vendors, including their subcontractors, in the employ of Data Provider must be accountable for data security in the performance of Data Provider’s work.

This Agreement addresses the terms and conditions under which Data Provider will disclose the data-to-Data Recipient and the terms in which Data Recipient may use the data to carry out the terms of the scope of work pursuant to the contract noted above.

Data Recipient agrees to protect the data provided by Data Provider in accordance with all applicable laws and regulations, which may include, but not be limited to the requirements detailed below. By signing this Agreement, The Data Recipient acknowledges that violation of this Agreement may have potential criminal, administrative, monetary and/or civil penalties.

The Parties mutually agree that any data submitted by the Data Provider to the Data Recipient will not contain any personal identifiable information (PII) that would allow for simple identification of the study participants information. PII means information maintained by the Data Provider about an individual that can be used to distinguish or trace an individual’s identity, such as first or last name, social security number, date and place of birth, email address, mother’s maiden name, or bio metric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

[Add applicable paragraphs]

And/or This data is subject to the protections of The Privacy Act of 1974, 5 U.S.C. 552a. The purpose of the Privacy Act is to balance the government's need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy stemming from federal agencies' collection, maintenance, use, and disclosure of personal information

And/or In accordance with this Data Use & Security Agreement, Data Recipient has agreed to protect the confidentiality of the data and to ensure that any other authorized users of the data create, receive, maintain, or transmit confidential information with the same restrictions, conditions, and requirements that apply to the Data Recipient with respect to such information.

[Select which of the following paragraphs applies and delete the other]

And/or This data is covered and protected under the Family Educational Rights and Privacy Act (FERPA) set forth in 20 U.S.C. 123g and its regulations at Part 99 of Title 34 of the Code of Federal Regulations, as amended in 2012. Data Recipient has agreed to protect the confidentiality of this data and to ensure that any other authorized users of the data create, receive, maintain, or transmit confidential information with the same restrictions, conditions, and requirements that apply to the Data Recipient with respect to such information.

And/or This data is covered and protected under the Federal Information Security Management Act of 2002, as amended, Title III of the e-Government Act of 2002, 44 U.S.C. 3541-3549. Data Recipient has agreed to protect the confidentiality of this data and to ensure that any other authorized users of the data create, receive, maintain, or transmit confidential information with the same restrictions, conditions, and requirements that apply to the Data Recipient with respect to such information.

This Agreement supersedes all agreements between the Parties with respect to the use of data specified in this Agreement and provided by Data Provider. The terms of this Agreement can be changed only by written modification to this Agreement or by the Parties adopting a new Agreement.

To this end, the Parties agree to the following terms regarding the release and use of data provided by Data Provider hereunder.

1. Data to be Exchanged: This section should be tailored to specific Project Needs

1. The Data Recipient will obtain from the Data Provider, the data listed in Appendix A, which is attached hereto and incorporated into this Agreement.

2. The Parties mutually agree that the Data Recipient does not obtain any right, title, or interest in any of the data provided by Data Provider other than that allowed by the Contract Number noted above.

3. The Parties mutually warrant that the data provided will be used solely for the purposes described in the scope of work under the terms of the contract and for no other purpose.

4. The Data Recipient agrees not to attempt to link or merge records in an attempt to seek the identity of or to contact individuals when the Data Recipient is provided with de-identified data and the scope of work does not require further identification.

5. Data Recipient may link or merge records with its own survey data and with other records it has created or obtained related to study participants for research purposes.

2. Data Custodian & Point of Contact:

1. The Parties mutually agree that the following named individual is designated as the “Custodian” of the data on behalf of the Data Recipient and will be responsible for observing the security and privacy arrangements specified in this Agreement.

2. The Parties mutually agree that the following named individual will be designated as the point-of-contact for this Agreement on behalf of Data Provider.

	Custodian for Data Recipient		Point of Contact for Data Provider
Name	Lanae Davis	Name
Title	Senior Research Associate	Title
Organization	Center for Policy Research	Organization
Street Address	1570 Emerson St	Street Address
City/ State/ Zip	Denver, Colorado, 80218	City/ State/ Zip
Phone Number	303-947-7751	Phone Number
E-Mail Address	[email protected]	E-Mail Address

3. Authorized Users of the Data:

1. Data Recipient agrees that access to the data provided under this agreement will be limited to the minimum number of individuals necessary to perform the work.

2. With the exception of Data Recipients, Client and Subcontractors, the data shall not be shared or made available to any unauthorized personnel or other third party.

3. The Data Recipient agrees to ensure that any agents, including subcontractors, to who it provides the data, agree to the same restrictions and conditions that apply to the Data Recipient with respect to such information.

4. Term of Agreement:

This Agreement will commence on the Effective Date noted above and will expire on the last date of the SAVES Center Project, including all extensions of Federal Award: 90FD0253 by Funder and Client Any use of the data beyond the expiration date above shall require both Parties to execute a modification to this Agreement.

5. Data Destruction:

The Parties mutually agree that the data provided under this Agreement and/or any derivative file(s) may be retained only for the duration of this Agreement. At the end of this Agreement (and/or extensions of this Agreement to coincide with potential extensions of the Cooperative Agreement between Funder and Client and Client and Data Recipient, the Data Recipient must return or destroy all original data files and any derivative files as specified in the scope of work. Notwithstanding the foregoing, Data Recipient may retain a copy for archival purposes for a period of twelve (12) months after expiration of this Agreement.

6. Data Security:

Center For Policy Research utilizes Microsoft 365 E5 subscription to safely protect all data within SharePoint, OneDrive, and access from their laptops. Microsoft 365 E5 is a comprehensive subscription that combines productivity apps with advanced security, compliance, and analytical capabilities. The cloud apps and devices that access the data are governed and secured utilizing several security services and features that work together to prevent unauthorized access or data loss. These include:

• MFA and Conditional Access. Multi-Factor authentication is required for both computer and cloud app access. Conditional Access policies prevent login attempts from outside the US.

• Data Loss Prevention. Policies for automatic classification and retention. Also, manual labels can be applied to data to restrict access and prevent sharing.

• Information Protection. This includes Microsoft Purview Advanced Message Encryption, Insider Risk Management, Communication Compliance, Privileged Access Management, and Records Management. Also, Per-File Encryption in OneDrive for Business and SharePoint Online.

• Microsoft 365 E5 Security. This includes Microsoft Defender for Office 365 Plan 2, Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Safe Documents. Computers and all cloud apps including email are protected.

7. Inspection:

The Data Recipient agrees that authorized representatives of Data Provider will be granted access to the Data Recipient’s premises where the data files are kept for the purpose of inspecting security arrangements to confirm compliance with this Agreement.

8. Scope of Relationship:

This Agreement will not constitute a partnership, agency or joint venture, and neither party may bind the other to any contract, arrangement or understanding except as specifically stated herein or otherwise mutually agreed to in writing by the parties.

9. Publication and Use of Name: Include language below based on Projects needs

1. Under Data Recipient’s prime contract with Client, Data Recipient may publish reports discussing their research and findings under the Program. In such reports, Data Recipient may disclose and publish the aggregated statistics based on the data files provided under this Agreement. Since no PII will be collected, the Data Recipient will not publish any PII in connection with that data provided under this Agreement.

2. Data Recipient is authorized to use Data Provider’s name as the source of the data provided in this Agreement in any future public presentation(s) or report(s) without prior written consent.

10. Headings:

Descriptive headings used in this Agreement are for convenience only and must not be used to interpret this Agreement.

11. Limitation of Liability and Indemnification:

It is the intent of the Parties that each Party shall remain liable, to the extent provided by law, regarding its own acts and omissions. In no event shall either Party be liable under any provision of this Agreement for special, indirect, or consequential loss or damage of any kind whatsoever, including but not limited, to lost profits.

12. Compliance:

1. The Parties mutually acknowledge that certain types of personal, health and financial data are protected by Government regulations and laws, including but not limited to the Privacy Act of 1974 (5 U.S.C. 552a et seq.), HIPAA Privacy Rule (104-191 P.L.), the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act of 1999. The Parties further mutually acknowledge that there are administrative, civil, or criminal penalties for disclosure or misuse of these data.

2. By signing this agreement, the Data Recipient agrees to abide by the provisions noted in this Agreement for the protection of the data file(s) noted, and acknowledges having received notice of potential criminal, administrative, or civil penalties for violation of the terms of the Agreement.

The signatories below hereby attest that he or she is authorized to commit to this Agreement on behalf of their respective organization and further agrees to abide by all of the terms specified in this Agreement.

DATA RECIPIENT:

__________________________________________________________________

Name Title

__________________________________________________________________

Signature Date

DATA PROVIDER:

__________________________________________________________________

Name Title

__________________________________________________________________

Signature Date

APPENDIX A

Scope

Introduction: The SAVES Center will work collaboratively with demonstration sites to examine the policies and practices that support survivor physical and psychological safety, minimize disparities, increase financial security, and best meet survivors’ self-defined goals. The study of anonymous information extracted from automated child support systems will assess client demographics and experiences with the program, including payment outcomes, enforcement activities, and timeframes for key events such as order establishment and payments. This study will help the SAVES Center to better understand the sociodemographic and child support case characteristics of custodial parents (CPs) and non-custodial parents (NCPs) in child support cases where a family violence flag is applied versus CPs and NCPs in child support cases where a family violence flag is not applied at SAVES demonstration sites.

Sample: Information on baseline patterns for DV cases and clients and their treatment in the

child support system will come from extracts from automated child support systems generated in 2023, the first year of the SAVES demonstration project.  The extracted information will be conveyed to CPR in an anonymous fashion with no personal identifiers or other information that could be used to ascertain the identity of the child support client and his/her case that is included in the extract. All data analyses will be conducted in an anonymous fashion and patterns will be reported for pooled statistical groups.

Timeline: Data extraction will occur twice (during year 3 and year 5 of the SAVES project). At both time points, the cases with a DV flag will be compared with samples of cases of similar size that are not identified as having a safety issue and lack a DV flag.

Potential Data Elements: The following is an inventory of potential data elements available in automated systems that CPR hopes to determine the extent to which could be extracted with relative ease. This list may be revised and simplified based on discussions with demonstration sites about what data fields are available and reliable. 

Data Element Form:

SAVES Data Extract Variables Framework
Variable Name	CPR Expected Output	SAVES Demonstration Site Output
Member ID	To be used for matching cases in payment and enforcement action files (if submitted separately)
Violence Assessment (FVI = Family Violence Indicator)	Binary (yes/no)
CP Race	Categorical
NCP Race	Categorical
CP Ethnicity	Binary or Categorical
NCP Ethnicity	Binary or Categorical
CP Age	Date of Birth (month/day/year)
NCP Age	Date of Birth (month/day/year)
CP Sex/gender	Binary or categorical
NCP Sex/gender	Binary or categorical
CP Zip code of residence	Categorical
NCP Zip code of residence	Categorical
Marital status on case	Categorical
Number of children on case	Total number
Age of youngest child on case	Date of birth (month/day/year)
Number of cases CP has	Total number
Number of cases NCP has	Total number
CP Income (without CS)	Amount and frequency (ex per hour, annually etc.)
NCP Income (without CS)	Amount and frequency (ex per hour, annually etc.)
CP Employment Status	Full-time, part-time, seasonal, self-employed, unemployed
NCP Employment Status	Full-time, part-time, seasonal, self-employed, unemployed
County/Region	Categorical
Case creation date	Date (month/day/year)
Order establishment date	Date (month/day/year)
Referral source (e.g., mandatory, self)	Categorical (e.g., mandatory, self)
Order establishment method	Categorical (admin, judicial, default, etc.)
CP attorney representation	Binary (yes/no)
NCP attorney representation	Binary (yes/no)
Case type	Categorical (child support, intrastate, Medicaid only, etc.)
TANF status at establishment	Categorical (current, former, never)
Monthly Support Obligation (MSO)	Amount of current support due per month (exclude arrears, interest, etc.)
Arrears balance at order establishment	Total amount
Arrears balance at extract	Total amount
Method of paternity establishment	Categorical (VAP, court, etc.)
Method of child medical coverage ordered	Categorical (NCP, CP, Medicaid, etc.)
Method of child medical coverage provided	Categorical (NCP, CP, Medicaid, etc.)
Method of paternity establishment	Categorical (VAP, court, etc.)
Verified Employer at extract	Binary (yes/no)
Date employment verified (or previous 12 months)	Date (month/day/year)
Was good cause application made?	Binary (yes/know or DK)
Good cause application date	Date (month/day/year)
Good cause outcome	Categorical or binary
Evidence of Case closure activity?	Binary (yes/no)
Case closure reason	Categorical (interested in closure for safety)
Case closure date	Date (month/day/year)
Was there a request for FVI	Binary (yes/no)
FVI Application	Date (month/day/year)
Date FVI Assigned	Date (month/day/year)
FVI Recertification	Binary (yes/no)
FVI Recertification Date	Date (month/day/year)
Date FVI Removed	Date (month/day/year)
Enrolled in address confidentiality program	Yes/no/type?
Can be submitted in separate spreadsheet
Current support due (monthly for prior 12 months)	Month 1 amount due Month 2 amount due Month 3 amount due Month 4 amount due Month 5 amount due Month 6 amount due Month 7 amount due Month 8 amount due Month 9 amount due Month 10 amount due Month 11 amount due Month 12 amount due
Current support paid (monthly for prior 12 months)	Month 1 amount paid Month 2 amount paid Month 3 amount paid Month 4 amount paid Month 5 amount paid Month 6 amount paid Month 7 amount paid Month 8 amount paid Month 9 amount paid Month 10 amount paid Month 11 amount paid Month 12 amount paid
Was wage withholding or income assignment a method of payment in the prior 12 months? Or was the last payment in month 11 paid by wage assignment?
Enforcement actions ever taken on case	Type and date action taken (credit bureau, driver’s license, recreation license, passport, contempt, FIDM, etc.)

File Type	application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title	DRAFT
Author	mcintosj
File Modified	0000-00-00
File Created	2024-10-07