FEMA information sharing access Agreement

Agreement No./Title:

DEPARTMENT OF HOMELAND SECURITY
Federal Emergency Management Agency

INFORMATION SHARING ACCESS AGREEMENT (ISAA) BETWEEN THE DEPARTMENT OF HOMELAND SECURITY/FEDERAL EMERGENCY MANAGEMENT AGENCY (DHS/FEMA) AND The City of Central Point Oregon

1. INTRODUCTION.
The U.S. Department of Homeland Security/Federal Emergency Management Agency (DHS/FEMA) and The City of Central Point (hereinafter referred to as "Recipient Entity"), hereinafter collectively referred as the "Parties," voluntarily enter into this Information Sharing Access Agreement (ISAA) (alternatively "Agreement") to govern the collection, use, access, disclosure, security, and retention of the Personally Identifiable Information (PII) dataset(s) described herein.

2. PURPOSE AND BACKGROUND.
The purpose of this Agreement is to document the safeguarding requirements for PII dataset(s) shared by FEMA with Recipient Entity to Comply with the CRS program requirements Activity 501.
a. Recipient Entity is a(n) City. Recipient Entity requires access to PII dataset(s) concerning Repetitive Loss data as documented in Appendix A, to conduct outreach to owners of Repetitive Loss Properties and plan mitigation projects.

1 E.g. "NFIP Pivot is used to account for flood insurance policies and claims under the National Flood Insurance Program."

FEMA Form 109-2-1-1 (8/20) Page 1 of 9

3. AUTHORITIES. [Must be verified by program legal counsel]
a. ❑ Robert T. Stafford Disaster Relief and Emergency Assistance Act, as amended, Pub. L. No. 93-288 (1974), (codified at 42 U.S.C. §§ 5121-5207) (Stafford Act)
   ❑ National Flood Insurance Act of 1968, Pub. L. No. 90-448, Title XIII (1968) (42 U.S.C. 4001 et seq.) (NFIA)
   ❑
b. Privacy Act of 1974, as amended, 5 U.S.C. § 552a (Privacy Act);
c. ❑ DHS/FEMA 008-Disaster Recovery Assistance Files System of Records (DRA), 78 Fed. Reg. 25,282 (Apr. 30, 2013) (DRA SORN)
   ❑ DHS/FEMA 003—NFIP Files System of Records, 79 FR 28747 (May 19, 2014) (NFIP Files SORN)
   i. Routine use
d. The E-Government Act of 2002, Public Law 107-347, § 208;

4. DEFINITIONS.2
a. BREACH (synonymous with "PRIVACY INCIDENT"): The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information or (2) an authorized user accesses personally identifiable information for an other than authorized purpose.
b. INCIDENT (synonymous with IT SECURITY INCIDENT): An occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.
c. PERSONALLY IDENTIFIABLE INFORMATION: means information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual.

5. RECIPIENT RESPONSIBILITIES.
The Recipient Entity's responsibilities under this ISAA are as follows.
a. Maintain appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained;
b. Maintain the PII dataset(s) provided by FEMA to the Recipient Entity separately or in a manner in which it is easily segregable from the entity's other information;
   i. This does not refer to individual PII data elements which the Recipient Entity independently collects, verifies, documents, or incorporates in its records and/or systems separately from FEMA PII datasets for programs or services not addressed in this Agreement;

2 See Handbook for Safeguarding Sensitive PII, Privacy Policy Directive 047-01-007, Revision 3, December 4, 2017.

c. Submit a written request to FEMA for any information request pursuant to this ISAA;
d. Each time PII is requested under this ISAA, indicate the specific purpose and use of the PII and the specific routine use under which the PII is being requested;
e. Use the PII provided pursuant to this ISAA only for the purpose(s) identified in this ISAA and consistent with the applicable Routine Use(s);
f. Restrict access to PII datasets provided by FEMA under this ISAA to authorized personnel and to entities under contract by the requestor (direct contractors) performing functions consistent with the purpose of this ISAA on behalf of Recipient Entity;
g. Retain the original dataset for only so long as necessary for the purposes of this agreement, but in any case, no longer than Three years;
h. Instruct all individuals with access to PII provided pursuant to this ISAA regarding the confidential nature of the information, the safeguard requirements of this Agreement, and the applicable criminal penalties and civil remedies specified in federal and state laws against unauthorized disclosure of the PII covered by this Agreement;
i. In a timely manner, take appropriate action with regard to any request made by FEMA for access, additions, changes, deletions, or corrections of PII and in a timely manner, notify FEMA of any data errors that it discovers;
j. The Recipient Entity shall ensure no Matching Program, as that term is defined in 5 U.S.C. § 552a(a)(8), will occur using the PII datasets shared under this agreement unless a separate Computer Matching Agreement is in place.
k. If at any time during the term of this ISAA any part of the PII dataset provided under this Agreement, ceases to be required by Recipient Entity for purpose(s) identified in this ISAA, or upon termination of the ISAA, whichever occurs first, within fourteen (14) days thereafter, promptly notify FEMA and securely return the PII to FEMA, or, at FEMA's written request destroy, un-install and/or remove all copies of such PII in the Recipient Entity's possession or control, and certify in writing to FEMA that such tasks have been completed.

6. FEMA RESPONSIBILITIES.
FEMA's responsibilities under this ISAA are as follows:
a. Share with Recipient Entity only the PII dataset(s) documented in Appendix A to this ISAA;
b. Transmit or allow access to the information documented in Appendix A to the Recipient Entity in password protected format via encrypted email or via a FEMA-OCIO approved secure information technology (IT) portal, interface, or transfer tool;
c. Ensure that FEMA information provided to Recipient Entity is accurate, complete, and up-to-date as reasonably necessary;
d. Keep a record of the date, nature, and purpose of each disclosure of PII to Recipient Entity under this ISAA, to include the written request for information.
e. FEMA shall not take any adverse action or limit any of its Federal benefits as a result of this sharing of information.

7. THIRD PARTY ACCESS
a. Ownership of PII Dataset(s). Notwithstanding any other provision of this Agreement, the PII dataset(s) obtained by Recipient Entity from FEMA shall remain under the control of FEMA, and Recipient Entity will not further disclose PII dataset(s) provided by FEMA to outside third parties without express consent from FEMA or the individuals to whom the PII pertains.
   i. This does not refer to individual PII data elements which the Recipient Entity independently collects, verifies, documents, or incorporates in its records and/or systems for programs or services not addressed in this Agreement.
b. Open Access/Freedom of Information Requests. The Recipient Entity shall withhold PII provided by FEMA under this agreement from any open records or Freedom of Information Act (FOIA) response to the extent allowed by law. The Recipient Entity shall provide notice of any request for and/or disclosure of PII provided by FEMA under this agreement in response to open records or FOIA requests.
c. ☒ At this time, Recipient Entity has not indicated an intent to share FEMA PII with third-party contractors. If Recipient Entity utilizes a contractor in connection with its performance of its obligations under the ISAA and Recipient Entity intends to provide such contractor with access to FEMA PII, Recipient Entity shall not share data until notice of the identity of such contractor and the extent of the role that such contractor will play in connection with the purpose of this ISAA has been provided to and approved by FEMA.
d. All contractors granted access by FEMA to any FEMA PII must agree in writing with Recipient Entity to:
   (a) abide by the terms and conditions in this ISAA, including without limitation, provisions relating to compliance with the protection of FEMA PII and Notice of Privacy Incident;
   (b) restrict use of FEMA survivor/registrant PII only to the performance of services to Recipient Entity in connection with Recipient Entity's performance of its obligations under this ISAA, and
   (c) certify in writing, upon completion of the performance of services by a contractor, that the contractor has immediately un-installed, removed, and/or destroyed all copies of FEMA survivor/registrant PII within 30 days of the contractor's performance of services to Recipient Entity.

8. PRIVACY INCIDENT PROCEDURES
a. Notice of Privacy Incident. If the Recipient Entity, or its contractors, suspect, discover or are notified of a suspected or confirmed Privacy Incident relating to FEMA PII, the Recipient Entity shall immediately, but in no event later than twenty-four (24) hours from suspicion, discovery or notification of the suspected or confirmed Privacy Incident, notify the FEMA Privacy Officer at (202) 212-5100 or FEMA-Privacy@fema.dhs.gov.
b. Privacy Incident Handling. In the event of a Privacy Incident emanating from this ISAA, FEMA will investigate the Privacy Incident pursuant to DHS standard procedures and will consult Recipient Entity to diagnose, mitigate and manage the Incident. The Recipient Entity will be responsible for carrying out all necessary measures to remedy the effects of the Privacy Incident.
c. ☒ [Select this clause if Entity is a State/Local/Territorial/Tribal Government Agency] Remediation. In the event of a Privacy Incident and/or IT Security Incident emanating from this ISAA, FEMA will investigate the Privacy Incident and/or IT Security Incident pursuant to DHS standard procedures and will consult with Recipient Entity in order to diagnose, mitigate, and manage the Privacy Incident and/or IT Security Incident. The Recipient Entity will be responsible for carrying out all reasonable and necessary measures to remedy the effects of a Privacy Incident/Breach, when its actions are responsible for the Privacy Incident/Breach, which may include:
   i. Notification to the affected individuals, the public, media, and/or other government entities;
   ii. Removing information from an Internet or Intranet page;
   iii. Training and awareness for staff on best practices to Safeguard PII;
   iv. Disciplinary or corrective action, including counseling for employees.
       1. NOTE: any personnel subject to corrective or disciplinary action arising out of a privacy incident must not be identified or identifiable in the Privacy Incident reporting;
   v. Revisions to policies and procedures to minimize or eliminate the use of PII when possible;
   vi. and/or Any other remediation effort(s) as agreed upon by the Parties.
d. Penalties. If the Recipient Entity or one of its employee/agents willfully discloses any PII to a third party not authorized to receive it, FEMA will revoke the Recipient Entity's access to FEMA PII.

9. GENERAL TERMS.
a. Entire Agreement. This ISAA constitutes the entire Agreement between the Parties with regard to information sharing. However, if this ISAA is used to supplement a contract between the Parties, to the extent there is any conflict between a term of this ISAA and a term in other acquisition documentation, the term of the underlying acquisition, including the Homeland Security Acquisition Regulations (HSAR) Safeguarding of Sensitive Information (MAR 2015) and Information Technology Security and Privacy Training (MAR 2015) clauses will supersede.
b. Effective Date, Duration, and Termination. This ISAA will become effective upon the signature of both Parties and will remain in effect for Three Years or the lifetime of the acquisition period, whichever is shorter. However, FEMA will only provide the information identified in Appendix A for the disaster period of assistance or, if applicable, for the period of time specified in the Routine Use, whichever is longer. Either party may terminate this Agreement upon written notice to the other party.
c. Modification. This ISAA may be modified upon the mutual written consent of the Parties.
d. Counterparts. This ISAA, when executed in any number of counterparts and by different Parties on separate counterparts, each of which counterparts when so executed and delivered shall be deemed to be an original, and all of which counterparts taken together shall constitute but one and the same Agreement.
e. Severability. Nothing in this ISAA is intended to conflict with current law, regulation or FEMA directives. If a term of this ISAA is inconsistent with such authority, then that term shall be invalid, but the remaining terms and conditions of this ISAA shall remain in full force and effect.
f. No Private Right. This ISAA is an internal Agreement between FEMA and the Recipient Entity. It does not create nor confer any right or benefit that is substantive or procedural, enforceable by any third party against the Parties, the United States, or other officers, employees, agents, or associated personnel thereof. Nothing in this ISAA is intended to restrict the authority of either party to act as provided by law, statute, or regulation, or to restrict any party from administering or enforcing any laws within its authority or jurisdiction. Accordingly, the terms of this Agreement do not constitute or imply the grant, by the United States of America, of any other consent, accord, satisfaction, advice, or waiver of its rights, power or authority.
g. Funding. This ISAA is not an obligation or commitment of funds, nor a basis for transfer of funds. Each party shall bear its own costs in relation to this ISAA. Expenditures by each party will be subject to its budgetary processes and to availability of funds pursuant to applicable laws, regulations, and policies. The Parties expressly acknowledge that this in no way implies that Congress will appropriate funds for such expenditures.
h. Issue Resolution. FEMA and Recipient Entity understand that during the course of this ISAA, they may have to resolve issues such as: scope, interpretation of provisions, unanticipated technical matters, and other proposed modifications. Both Parties agree to appoint their respective points of contact to work in good faith towards resolution of such issues. [See Appendix B for points of contacts.]
i. Auditing/Reporting: The Parties will coordinate to prepare a report/audit summarizing Recipient Entity and its contractor's (if applicable) compliance with the privacy, redress, and security requirements set forth in this Agreement, to include accounting for all disclosures of FEMA PII. FEMA shall be provided copies of Recipient Entity self-audits. As part of this responsibility, the Recipient Entity further agrees to conduct its own annual audits of compliance with the terms of this Agreement, and to provide the results of these audits to Scott Van Hoff, Region 10 Flood Insurance Liaison.

APPROVED BY:

DEPARTMENT OF HOMELAND SECURITY/FEDERAL EMERGENCY MANAGEMENT AGENCY
FEMA Signatory:          Date:
Name:
Title:
Program Name:
FEMA

THE RECIPIENT ENTITY:
Recipient Signatory: [signature illegible]          Date: [illegible]
Name: Chris Clayton
Title: City Manager
Full Entity Name: City of Central Point

Appendix A - DHS-2014-0028, Routine use M,`,T

The following lists the specific data elements in the FEMA PII dataset(s) that will be shared by FEMA with the city of Central Point. The City of Central Point will only receive the PII data that is necessary to meet the routine use:

Complete repetitive loss records for the jurisdiction of Central Point Oregon to include any and all AW 501 forms

Appendix B—Administrative points of contacts for this agreement (Limit of five)

a. The FEMA point of contact is as follows:
   Name: Scott Van Hoff
   Title: Regional Flood Insurance Liaison
   Phone: +1 (425) 892-4152
   Email Address: scott.vanhoff@fema.dhs.gov
b. The Recipient Entity point of contact is as follows:
   Name: Chris Clayton
   Title: City Manager
   Phone: +1 (541) 423-1018
   Email Address: chris.clayton@centralpointoregon.gov
c. The Recipient Entity point of contact is as follows:
   Name: Stephanie Holtey, CFM
   Title: Planning Director
   Phone: +1 (541) 423-1031
   Email Address: stephanie.holtey@centralpointoregon.gov
d. The Recipient Entity point of contact is as follows:
   Name: Justin Gindlesperger, CFM, AICP
   Title: Community Planner II
   Phone: +1 (541) 423-1037
   Email Address: justin.gindlesperger@centralpointoregon.gov
e. The Recipient Entity point of contact is as follows:
   Name:
   Title:
   Phone:
   Email Address:
f. The Recipient Entity point of contact is as follows:
   Name:
   Title:
   Phone:
   Email Address: