Data sharing contract compliance

Read about the requirements you must follow when you have a data sharing agreement with us.

You'll get more detailed information about these requirements after you submit a request for protected personal information (PPI). All information you provide under these requirements is available to the public. There may be exemptions. For more information, see the Washington Public Records Act (RCW 42.56).

Communications security

We use secure email when sending communications containing confidential information. Ask for a secure email link before sending us compliance documents.

Requirements for requesting a large amount of PPI

These requirements apply when you make one of the following requests for protected personal information (PPI):

New applicants: Requesting a single file

When you request a single data file, and after you sign your contract, you must submit the following information before receiving the file:

Audit reports

Provide evidence of an audit that an independent auditor conducted within the last 12 months. The audit should focus on the systems and personnel that will process the PPI we provide. The report must describe how the auditor tested the effectiveness of each control.

  • You can show evidence of the audit instead of submitting the report to us
  • Include a description of each exception or deficiency identified in the audit report
  • If no audit is available, discuss other options with our compliance staff

Deficiencies

Provide a statement signed by an officer of your organization attesting to the current status of each exception or deficiency identified in the audit report.

Common deficiencies include:

  • Not training staff on data security and privacy
  • Not auditing subrecipients
  • Not having policies for handling confidential data

Security tests

Provide evidence of the following tests on all systems where you'll process PPI:

  • A penetration test performed within the prior year, and
  • A vulnerability test performed in the past calendar quarter

Statement of compliance

Provide a statement signed by an officer of your organization attesting that you're in compliance with our privacy and security requirements in Attachment B of the contract terms and conditions.

If you can't make the statement with confidence, tell us where you know or suspect exceptions exist, and whether you plan to correct each deficiency.

New applicants: Requesting files frequently

When your request involves getting PPI files frequently, and after you sign your contract, you must submit the following information before receiving your first file:

  • You must submit a data security audit that is no more than 12 months old
  • An independent, third-party auditor must conduct the audit
  • We'll review the audit to see if you comply with the data security requirements in Attachment B of the contract terms and conditions
  • You'll need a corrective action plan if there are deficiencies

Annual statement of compliance

Each year you must attest to complying with privacy, security, subrecipient, and cyber liability insurance requirements. You do this by sending us a written statement before the due date in your agreement.

Audits

We'll bill you for the time we spend scheduling and reviewing audits. You must pay for the cost of all audits.

Data security audits

  • You must submit a data security audit about every 3 years
  • The due date is in the data sharing agreement
  • Audits show if you comply with the data security requirements in Attachment B of the contract terms and conditions
  • An independent, third-party auditor must conduct the audit
  • You'll need a corrective action plan if there are deficiencies

Permissible use audits

  • We conduct these audits about every 3 years
  • We'll notify you about 6 months before the audit
  • Audits show if you comply with the privacy, permissible use, subrecipient requirements, and other requirements such as insurance
  • You'll need a corrective action plan if there are deficiencies

Consent audits

  • We conduct these audits at our discretion when you receive Abstract Driver Records (ADRs) for employment or volunteering
  • Audits show if you got the consent of all persons when required by your agreement
    • You must get a person's consent before requesting their records from us
    • The audit determines if the Driver Record Release of Interest contained the required information and was properly executed

Subrecipient requirements

  • A subrecipient is a business that gets our PPI from you
  • If you share PPI, you must ensure that each subrecipient takes reasonable actions to prevent unauthorized disclosure and misuse
  • If you share large amounts of PPI, you must regularly audit subrecipients for compliance with our:
    • Privacy and security requirements
    • Subrecipient requirements
  • You must submit a list of all subrecipients to us each year (usually when you submit your annual statement of compliance)

Requirements for requesting information on a single person, vehicle, or boat

The following requirements apply to these e-Service data sharing agreements:

Annual statement of compliance

Each year you must attest to your compliance with all requirements in the agreement. We'll ask you to submit a written statement.

Audits

We conduct all e-Service audits. We'll bill you for the time we spend scheduling and reviewing audits. You must pay for the cost of all audits.

Data security audits

  • We conduct these audits at our discretion
  • A normal e-Service data security audit consists of completing a questionnaire and returning it to us
  • We'll conduct a formal data security audit if there's significant risk in how you secure PPI (we'll always provide advance notice)
  • Audits show if you comply with the privacy and security requirements

Permissible use audits

  • We conduct these audits at our discretion
  • A normal e-Service permissible use audit consists of completing a questionnaire and returning it to us
  • We'll conduct a formal permissible use audit if there's significant risk in how you use PPI (we'll always provide advance notice)
  • Audits show if you comply with the privacy, security, and subrecipient requirements, and other requirements such as insurance

Consent audits

  • We conduct these audits at our discretion
  • We'll always provide advance notice
  • Audits show if you got the consent of all persons when required by your agreement
    • You must get a person's consent before requesting their records from us

Subrecipient requirements

  • A subrecipient is a business that gets our PPI from you
  • If you share PPI, you must ensure that each subrecipient takes reasonable actions to prevent unauthorized disclosure and misuse
  • If you share large amounts of PPI, you must regularly audit subrecipients for compliance with our:
    • Privacy and security requirements
    • Subrecipient requirements
  • You must submit a list of all subrecipients to us each year (usually when you submit your annual statement of compliance)

Need additional help? Here's how to contact us:

(TTY: Call 711)