LICENSE FOR THE USE OF
PERSONALLY IDENTIFIABLE INFORMATION PROTECTED UNDER THE PRIVACY ACT OF 1974
WHEREAS, the United States Department of Housing and Urban Development (HUD) has collected and maintains personally identifiable information, the confidentiality of which is protected by the Privacy Act of 1974 (5 U.S.C. § 552a); and
WHEREAS, HUD wishes to make the data available for statistical, research, or evaluation purposes to researchers qualified and capable of research and analysis consistent with the statistical, research, or evaluation purposes for which the data were provided or are maintained, but only if the data are used and protected in accordance with the terms and conditions stated in this license (License), upon receipt of such assurance of qualification and capability, it is hereby agreed between
(Insert the name of the organization to be licensed)
Hereinafter referred to as the “Licensee” and HUD that:
INFORMATION SUBJECT TO THIS AGREEMENT
All data containing personally identifiable information maintained by HUD that are provided to the Licensee and all information derived from that data, and all data resulting from merges, matches, or other uses of the data provided by HUD with other data are subject to this License and are referred to in this License as subject data.
Subject data under this License may be in the form of CD-ROMs, electronic data, hard copy, etc. The Licensee may only use the subject data in a manner and to a purpose consistent with:
The statistical, research, or evaluation purpose for which the data are maintained. All subject data that include personally identifiable information are protected under the Privacy Act and may be used only for statistical, research, or evaluation purposes consistent with the purposes for which the data was collected and or is maintained (Licensee’s application describing the planned research and analysis is attached and made a part of this License – Attachment No. 1.);
The limitations imposed under the provisions of this License; and
The Privacy Act of 1974 (5 U.S.C. §552a).
INDIVIDUALS WHO MAY HAVE ACCESS TO SUBJECT DATA
There are three categories of individuals that the Licensee may authorize to have
access to subject data. The three categories of individuals are as follows:
The Principal Project Officer (PPO) is the most senior officer in charge of the day-to-day operations involving the use of subject data and is responsible for communication with HUD. The PPO or his designees also responsible for maintaining the day-to-day security of the licensed data, including the implementation, maintenance, and periodic update of the Security Plan to protect the data in strict compliance with statutory and regulatory requirements.
Professional/Technical staff (P/T) conduct the research for which this License was issued.
Support staff includes secretaries, typists, computer technicians, messengers, etc. Licensee may disclose subject data to support staff who come in contact with the subject data in the course of their duties only to the extent necessary to support the research under this License.
Licensee may disclose subject data to only seven (7) staff, including the PPO, P/TS, and support staff.
Each staff member must sign a notarized affidavit. The list of authorized staff must be updated as personnel working on data changes.
Licensee will convey an updated list and signed affidavit to HUD as personnel changes.
Staff must be informed of their legal responsibility not to disclose the data to anyone other than an authorized staff member.
If an authorized staff member leaves employment or is no longer working on the project, their user ID and access to the data will be terminated within one day. These steps will be documented, and HUD reserves the right to review such documentation.
LIMITATIONS ON DISCLOSURE
Licensee shall not use or disclose subject data for any administrative purposes nor may the subject data be applied in any manner to change the status, condition, or public perception of any individual on whom subject data is maintained. (Note: Federal Law preempts any State law that might require the reporting or dissemination of the data for any purpose other than the statistical, research, and evaluation purposes for which they were collected and/or are maintained.)
Licensee shall not make any publication or other release of subject data listing information regarding individuals even if the individual identifiers have been removed.
Licensee shall not use subject data to identify individuals for re-contacting or new information collection unless the Licensee has obtained advance written approval from the Assistant Secretary for Policy Development and Research.
Licensee may publish the results, analysis, or other information developed as a result of any research based on subject data made available under this License only in summary or statistical form so that the identity of individuals contained in the data is not revealed.
HUD must review all articles, reports, and statistical summaries generated from the data before they are published or otherwise communicated. The results must adhere to HUD’s disclosure limitation practices.
ADMINISTRATIVE REQUIREMENTS
Execution of Affidavits of Nondisclosure.
Licensee shall provide a copy of this agreement, together with the Security Plan contained in the Licensee’s Application (Attachment No.1) to to the PPO and each P/T and support staff person of the Licensee who will have access to subject data and shall require each of those individuals to execute an Affidavit of Nondisclosure (Attachment No2).
The Licensee must ensure that each individual who executes an Affidavit of Nondisclosure reads and understands the materials provided to him or her before executing the Affidavit.
Licensee shall ensure that each Affidavit of Nondisclosure is notarized upon execution.
Licensee may not permit any individual specified in paragraph II.A. to have access to subject data until the procedures in paragraphs IV.A.1 through 3 of this license are fulfilled for that individual.
Licensee shall promptly, after the execution of each Affidavit, send the original affidavit to HUD and shall maintain a copy of each Affidavit at the Licensee’s secured facility protected under this License.
Publications made available to HUD
Licensee shall provide HUD a copy of each publication containing information based on subject data or other data product based on subject data before they are made available to individuals who have not executed an Affidavit of Nondisclosure.
Because the publication or other release of research results could raise reasonable questions regarding disclosure of individually identifiable information contained in subject data, copies of the proposed publication or release must be provided to HUD before that disclosure is made so that HUD may advise whether the disclosure is authorized under this License and the Privacy Act of 1974. Licensee agrees not to publish or otherwise release research results provided to HUD if HUD advises such disclosure is not authorized.
Licensee shall notify HUD immediately upon the receipt of any legal, investigatory, or other demand for disclosure of subject data.
Licensee shall notify HUD immediately upon discovering any breach or suspected breach of security or any disclosure of subject data to unauthorized parties or agencies.
Licensee agrees that representatives of HUD have the right to make unannounced and unscheduled inspections of the Licensee’s facility, including any associated computer center, to evaluate compliance with the terms of this License and the requirements of the Privacy Act of 1974.
Licensee agrees that an officer of the licensee with special responsibility and expertise in the field of information security will consult with the Principal Project Officer and if necessary will inspect any or all relevant data systems to ascertain compliance with the data security plan of the original application for the data license, the data security requirements of this agreement, and the data security policies of the organization. The information security officer of the licensee shall report annually to HUD on the status of project compliance with the plan, the requirements, and the policies referenced in the previous sentence.
Any person who knowingly or willfully requests or obtains any record concerning an
individual from an agency under false pretenses shall be subject to criminal penalties under the Privacy Act and may be subject to prosecution under other statutes such as 18 U.S.C. § 494, § 495, and § 1001. In the event of improper use or disclosure of HUD data, the Licensee agrees to report the incident immediately to HUD and to cooperate fully with HUD. Waiting over 24 hours after learning of an improper disclosure to report to HUD shall be considered a violation of the license agreement,
(1) “Operation of a system of records,” as used in this clause, means the performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemination of records.
“Record,” as used in this clause, means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and that contains the person’s name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or voice print or a photograph.
“System of records on individual” as used in this clause, means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.
SECURITY REQUIREMENTS
Maintenance of, and access to, subject data.
Licensee shall retain the original version of the subject data at a single location and may make no copy or extract of the subject data available to anyone except the PPO , P/T, or support staff member as necessary for the purpose of the statistical research for which the subject data were made available to the Licensee.
Licensee shall maintain subject data (whether maintained on a personal computer or on printed or other material) in a space that is limited to access by the PPO and authorized P/T or support staff.
Licensee shall ensure that access to subject data maintained in computer memory is controlled by password protection. Licensee shall maintain all printouts, CD-ROMS, or other physical products containing personally identifiable information derived from subject data in locked cabinets, file drawers, or other secure locations when not in use.
Licensee shall ensure that all printouts, tabulations, and reports are edited for any possible disclosures of subject data.
Licensee shall establish security protections to ensure that subject data cannot be used or taken by unauthorized individuals.
Licensee shall not permit removal of any subject data from the limited access space protected under the provisions of this License as required in the Security Plan contained in the application (Attachment No. 1), without first notifying, and obtaining written approval from HUD.
Licensee shall comply with applicable Federal and HUD statutes, regulations, policies and procedures governing the security of system(s) including, but not limited to:
Federal Information Security Management Act (FISMA) of 2002
OMB Circular A-130 Management of Federal Information Resources Appendix III, Security of Federal Automated Information Resources
HUD Handbook 2400.25, Information Security Policy
The HUD Handbook at http://www.hudclips.org/cgi/index.cgi
NIST Special Publication 800-112
Retention of Subject Data
Licensee shall return to HUD all subject data or destroy the data under HUD supervision or by approved HUD procedures when the statistical analysis, research, or evaluation that is the subject of this agreement has been completed or this license terminates, whichever occurs first. Licensee, as part of its responsibilities discussed herein, agrees to submit a completed Close-out Certification form to HUD.
Compliance with Established Security Procedures
Licensee shall comply with the security procedures described in the Security Plan
contained in the application (Attachment No.1 to this License).
PENALTIES
Any violation of the terms and conditions of this License may subject the Licensee to immediate revocation of the License by HUD.
The HUD official responsible for communication with the Licensee shall initiate revocation of this License by written notice to Licensee indicating the factual basis and grounds for revocation.
Upon receipt of the notice specified in paragraph VI.A.1 of this License, the Licensee has thirty (30) days to submit written argument and evidence to Deputy Assistant Secretary, Office of Research and Monitoring in the Office of Policy Development & Research (DAS of OREM) indicating why the License should not be revoked.
The (DAS of OREM) shall decide whether to revoke the License based solely on the information contained in the notice to the Licensee and the Licensee’s response and shall provide written notice of the decision to the Licensee within forty-five (45) days after receipt of Licensee’s response. The Deputy Secretary of Policy Development and Research may extend this time period for good cause.
Any violation of this License may also be a violation of Federal criminal law under the Privacy Act of 1974. The penalty for violation of the Privacy Act is a fine of not more than $5,000.
PROCESSING OF THIS LICENSE
The term of this License shall be for ___ years. If, before the expiration of this
License, HUD promulgates regulatory standards for the issuance and content of Licenses, the Licensee agrees to comply with the regulatory standards.
This License may be amended, extended, or terminated by mutual written agreement between the Licensee and HUD. Any amendment must be signed by the PPO and the HUD Assistant Secretary for Policy Development & Research (PD&R) and is effective on the date that all required parties have signed the amendment.
The Senior Official (SO), having the legal authority to bind the organization to the terms of the License, shall sign this License below. The SO certifies, by his or her signature, that –
The organization has the authority to undertake the commitments in this License;
The SO has the legal authority to bind the organization to the provisions of this License; and
The PPO is the most senior subject matter officer for the Licensee who has the authority to manage the day-to-day statistical, research, or evaluation operations of the Licensee.
Signature of the Senior Official Date
Type/Print Name of the Senior Official
The individual described in paragraph II.A.I. as the PPO shall sign this License below. If the SO acts as the chief statistical officer for the Licensee (as the PPO) the SO shall likewise sign this paragraph as well as having signed under paragraph C.
Signature of the Principal Project Officer Date
Type/Print Name of the Principal Project Officer
Title: Telephone: _____________________________
The Assistant Secretary for Policy Development and Research issues this License to
. The License is effective as of the date of the signature below or such other period specified in the Licensee’s request for the License.
Signature of Assistant Secretary for PD&R or Designee
Title
Type/Print Name
Date
Hud License Control Number: _________________________________
Paperwork Reduction Act Notice. Public reporting burden for this collection of information is estimated to be 1 hour per applicant, and includes time for reviewing the instructions, and completing and reviewing the responses. Your completion of this information collection is voluntary. HUD may not collect this information, and you are not required to complete this form, unless it displays a current, valid OMB control number.
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
Author | Hill, Ronald M |
File Modified | 0000-00-00 |
File Created | 2021-01-14 |