Texas Administrative Code

RULE §1.24 Information Security and Privacy Requirements

(a) Purpose. The purpose of this rule is to provide the mechanism by which the Department will ensure the security and privacy of Protected Information belonging to persons who do business with the Department and those they serve.

(b) Definitions. The following words and terms, when used in this subchapter, shall have the following meanings, unless the context clearly indicates otherwise.

  (1) Affiliate--Shall have the meaning assigned by the specific program or programs described in this title.

  (2) Computing Device--Any computer, laptop, server, smart phone, or any other data processing device that is used to connect to the Department's network.

  (3) Contractor--A third party, including, but not limited to, outside auditors and legal counsel, funding agencies, Vendors or Subrecipients, including any of its Representatives that may gain access to Protected Information on account of a contract with the Department.

  (4) Criminal History Records Information--For the purposes of Tex. Gov't Code Chapter 411, Subchapter F, information collected about a person by a Criminal Justice Agency that consists of identifiable descriptions and notations of arrests, detentions, indictments, information, and other formal criminal charges and their dispositions. The term does not include:

    (A) Identification information, including fingerprint records, to the extent that the identification information does not indicate involvement of the person in the criminal justice system; or

    (B) Driving record information under Subchapter C, Chapter 521 Transportation Code.

  (5) Department--The Texas Department of Housing and Community Affairs.

  (6) Financial Statements of a Tax Credit Applicant--For purposes of Tex. Gov't Code §2306.6717(d)(Public Information and Hearings), a formal statement of the financial activities of a Low Income Housing Tax Credit Applicant, submitted to the Department as part of a Low Income Housing Tax Credit Application, including but not limited to, the balance sheet, income statement, cash flow statement or changes in equity.

  (7) Information Resources--The procedures, equipment, and software that are employed, designed, built, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information, and associated personnel including consultants and contractors.

  (8) Information Security and Privacy Agreement (ISPA)--An agreement between the Department and a Contractor implementing information security and privacy requirements of the Department.

  (9) Non-Public Personal Information--For purposes of the Gramm-Leach-Bliley Act (15 USC §§6801-6809 and 6821-6827), and implementing regulations, personally identifiable financial information provided to the Department or any of its Contractors, resulting from any transaction with, or any service performed for a client or consumer, or otherwise obtained by the Department or its Contractors, unless the information is otherwise publicly available.

  (10) Personal Identifying Information--For purposes of Tex. Bus. & Com. Code Chapter 521 (Unauthorized Use of Identifying Information), and any implementing regulations, information that alone or in conjunction with other information identifies an individual, including an individual's name, Social Security number, date of birth, or government-issued identification number, mother's maiden name, unique biometric data including fingerprint, voice print, retina or iris image, unique electronic identification number, address, or routing code, and telecommunication access devices as defined by Tex. Penal Code §32.51.

  (11) Personal or Business Financial Information--For purposes of Tex. Gov't Code §2306.039 (Open Meetings and Open Records), any personal or business financial information including, but not limited to, Social Security numbers, tax payer identification numbers, or bank account numbers submitted to the Department to receive a loan, grant, or other housing assistance by a housing sponsor, individual or family.

  (12) Protected Health Information--For purposes of Tex. Health & Safety Code Chap. 181 (adopting definitions in 45 CFR §160.103), any information that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual, or can be used to identify the individual.

  (13) Protected Information--Protected Health Information, Personal Identifying Information, Sensitive Personal Information, Personal or Business Financial Information, Non-Public Personal Information, Financial Statement of a Tax Credit Applicant, WAP Applications and Participation Information, Criminal History Records Information, and Victims of Violence Information.

  (14) Representative--Any officer, employee, contractor, subcontractor, member, director, advisor, partner, or agent of Vendor/Subrecipient, or any person serving in such a role, however titled or designated.

  (15) Sensitive Personal Information--For purposes of Tex. Bus. & Com. Code Chapter 521 (Unauthorized Use of Identifying Information), an individual's first name or first initial and last name in combination with any one or more of the following items if the name and items are not encrypted:

    (A) Social Security number;

    (B) Driver's license or government-issued identification number;

    (C) Account or credit/debit card number in combination with any required security code, access code, or password that would permit access; or

    (D) Information that identifies or reveals an individual and the physical or mental health or condition of the individual, the provision of health care to the individual, or payment for the provision of health care to the individual.

    (E) The term does not include publicly available information that is lawfully made publicly available.

  (16) Subrecipient--An organization with whom the Department contracts, and entrusts to administer federal or state programs or funds, including but not limited to, units of local government, non-profit and for-profit corporations, administrators, community action agencies, collaborative applications, sub-grantees, developers, owners, land banks, participating mortgage lenders, and non-profit owner-builder housing providers. This also includes an Affiliate of a Subrecipient.

  (17) Vendor--A person or organization that supplies goods or services, properly procured under relevant laws, to the Department.

  (18) Victims of Violence Information--Any information submitted to a covered housing provider, including the Department and its Contractors pursuant to 24 CFR §5.2007, including the fact that an individual is a victim of domestic violence, dating violence, sexual assault, or stalking. Also included pursuant to Tex. Gov't Code §552.138 is information regarding the location or physical layout, an employee, volunteer, former or current client, or the provision of services to a former or current client, a private donor, or a member of a board of directors or board of trustees of a family violence shelter center, victims of trafficking shelter center, or sexual assault program.

  (19) WAP Applications and Participation Information--For purposes of Weatherization Program Notice 10-08, U.S. Department of Energy, issued February 1, 2010, regarding the Department of Energy Weatherization Assistance Program (WAP), any specifically identifying information related to an individual's eligibility application for WAP or the individual's participation in WAP, such as name, address, or income information.

(c) Applicability and Implementation.

  (1) This rule applies to Contractors as defined in subsection (b)(3) of this section. This rule is not applicable to third parties that contract with the Department but have no access to Department Protected Information.

  (2) Contractors with Department contracts that are active on the effective date of this rule shall have 180 calendar days from the effective date of this rule to enter into an ISPA with the Department. Contractors that execute new Department contracts or contract renewals on or after the effective date of this rule shall enter into an ISPA with the Department no later than the date of contract execution, if an ISPA with the Department is not already in place. The ISPA shall be in a form provided by the Department on its website. A Contractor must download, execute and return the contract according to instructions on the website and as directed by the Program Services Division of the Department. A Contractor need only execute one ISPA, even if they participate with the Department in multiple programs or activities.

