(a) Purpose. The purpose of this rule is to provide
the mechanism by which the Department will ensure the security and
privacy of Protected Information belonging to persons who do business
with the Department and those they serve.
(b) Definitions. The following words and terms, when
used in this subchapter, shall have the following meanings, unless
the context clearly indicates otherwise.
(1) Affiliate--Shall have the meaning assigned by the
specific program or programs described in this title.
(2) Computing Device--Any computer, laptop, server,
smart phone, or any other data processing device that is used to connect
to the Department's network.
(3) Contractor--A third party, including, but not limited
to, outside auditors and legal counsel, funding agencies, Vendors
or Subrecipients, including any of its Representatives that may
gain access to Protected Information on account of a contract with
the Department.
(4) Criminal History Records Information--For the purposes
of Tex. Gov't Code Chapter 411, Subchapter F, information collected
about a person by a Criminal Justice Agency that consists of identifiable
descriptions and notations of arrests, detentions, indictments, information,
and other formal criminal charges and their dispositions. The term
does not include:
(A) Identification information, including fingerprint
records, to the extent that the identification information does not
indicate involvement of the person in the criminal justice system;
or
(B) Driving record information under Subchapter C,
Chapter 521 Transportation Code.
(5) Department--The Texas Department of Housing and
Community Affairs.
(6) Financial Statements of a Tax Credit Applicant--For
purposes of Tex. Gov't Code §2306.6717(d)(Public Information
and Hearings), a formal statement of the financial activities of a
Low Income Housing Tax Credit Applicant, submitted to the Department
as part of a Low Income Housing Tax Credit Application, including
but not limited to, the balance sheet, income statement, cash flow
statement or changes in equity.
(7) Information Resources--The procedures, equipment,
and software that are employed, designed, built, operated, and maintained
to collect, record, process, store, retrieve, display, and transmit
information, and associated personnel including consultants and contractors.
(8) Information Security and Privacy Agreement (ISPA)--An
agreement between the Department and a Contractor implementing information
security and privacy requirements of the Department.
(9) Non-Public Personal Information--For purposes of
the Gramm-Leach-Bliley Act (15 USC §§6801-6809 and 6821-6827),
and implementing regulations, personally identifiable financial information
provided to the Department or any of its Contractors, resulting from
any transaction with, or any service performed for a client or consumer,
or otherwise obtained by the Department or its Contractors, unless
the information is otherwise publicly available.
(10) Personal Identifying Information--For purposes
of Tex. Bus. & Com. Code Chapter 521 (Unauthorized Use of Identifying
Information), and any implementing regulations, information that alone
or in conjunction with other information identifies an individual,
including an individual's name, Social Security number, date of birth,
or government-issued identification number, mother's maiden name,
unique biometric data including fingerprint, voice print, retina or
iris image, unique electronic identification number, address, or routing
code, and telecommunication access devices as defined by Tex. Penal
Code §32.51.
(11) Personal or Business Financial Information--For
purposes of Tex. Gov't Code §2306.039 (Open Meetings and Open
Records), any personal or business financial information including,
but not limited to, Social Security numbers, taxpayer identification
numbers, or bank account numbers submitted to the Department to receive
a loan, grant, or other housing assistance by a housing sponsor, individual
or family.
(12) Protected Health Information--For purposes of
Tex. Health & Safety Code Chap. 181 (adopting definitions in 45
CFR §160.103), any information that relates to the past, present,
or future physical or mental health or condition of an individual;
the provision of health care to an individual; or the past, present,
or future payment for the provision of health care to an individual,
and that identifies the individual, or can be used to identify the
individual.
(13) Protected Information--Protected Health Information,
Personal Identifying Information, Sensitive Personal Information,
Personal or Business Financial Information, Non-Public Personal Information,
Financial Statement of a Tax Credit Applicant, WAP Applications and
Participation Information, Criminal History Records Information, and
Victims of Violence Information.
(14) Representative--Any officer, employee, contractor,
subcontractor, member, director, advisor, partner, or agent of Vendor/Subrecipient,
or any person serving in such a role, however titled or designated.
(15) Sensitive Personal Information--For purposes of
Tex. Bus. & Com. Code Chapter 521 (Unauthorized Use of Identifying
Information), an individual's first name or first initial and last
name in combination with any one or more of the following items if
the name and items are not encrypted:
(A) Social Security number;
(B) Driver's license or government-issued identification
number;
(C) Account or credit/debit card number in combination
with any required security code, access code, or password that would
permit access; or
(D) Information that identifies or reveals an individual
and the physical or mental health or condition of the individual,
the provision of health care to the individual, or payment for the
provision of health care to the individual.
(E) The term does not include publicly available information
that is lawfully made publicly available.
(16) Subrecipient--An organization with whom the Department
contracts, and entrusts to administer federal or state programs or
funds, including but not limited to, units of local government, non-profit
and for-profit corporations, administrators, community action agencies,
collaborative applications, sub-grantees, developers, owners, land
banks, participating mortgage lenders, and non-profit owner-builder
housing providers. This also includes an Affiliate of a Subrecipient.
(17) Vendor--A person or organization that supplies
goods or services, properly procured under relevant laws, to the Department.
(18) Victims of Violence Information--Any information
submitted to a covered housing provider, including the Department
and its Contractors pursuant to 24 CFR §5.2007, including the
fact that an individual is a victim of domestic violence, dating violence,
sexual assault, or stalking. Also included pursuant to Tex. Gov't
Code §552.138 is information regarding the location or physical
layout, an employee, volunteer, former or current client, or the provision
of services to a former or current client, a private donor, or a member
of a board of directors or board of trustees of a family violence
shelter center, victims of trafficking shelter center, or sexual assault
program.
(19) WAP Applications and Participation Information--For
purposes of Weatherization Program Notice 10-08, U.S. Department of
Energy, issued February 1, 2010, regarding the Department of Energy
Weatherization Assistance Program (WAP), any specifically identifying
information related to an individual's eligibility application for
WAP or the individual's participation in WAP, such as name, address,
or income information.
(c) Applicability and Implementation.
(1) This rule applies to Contractors as defined in
subsection (b)(3) of this section. This rule is not applicable to
third parties that contract with the Department but have no access
to Department Protected Information.
(2) Contractors with Department contracts that are
active on the effective date of this rule shall have 180 calendar
days from the effective date of this rule to enter into an ISPA with
the Department. Contractors that execute new Department contracts
or contract renewals on or after the effective date of this rule shall
enter into an ISPA with the Department no later than the date of contract
execution, if an ISPA with the Department is not already in place.
The ISPA shall be in a form provided by the Department on its website.
A Contractor must download, execute and return the contract according
to instructions on the website and as directed by the Program Services
Division of the Department. A Contractor need only execute one ISPA,
even if they participate with the Department in multiple programs
or activities.