Appendix A: Memorandum of UnderstandingBack to table of contents
[BOLD] = to be personalized
[UNDERLINED] = for agreements with PII
** = instructions
MEMORANDUM OF UNDERSTANDING
FOR THE SHARING OF [PERSONALLY IDENTIFIABLE/DE-IDENTIFIED] INFORMATION
This Memorandum of Understanding (MOU) is entered into by [DATA RECEIVER] and [DATA PROVIDER]. The purpose of this MOU is to share data and expertise between the two parties, while providing for the protection and confidentiality of the exchanged information. [DATA RECEIVER] will ensure that any agent, including employees and subcontractors, to whom it provides information under this MOU, executes a written agreement obligating the agent or subcontractor to comply with all the terms of this MOU.
Nothing in this MOU may be construed to allow either party to maintain, use, disclose, or share confidential or protected information in a matter not allowed under state or federal law or regulation.
2. Requested Information
[DATA PROVIDER] agrees to provide [DATA RECEIVER] with [**select one:** de-identified information OR personally identifiable information (“PII”)] as described below.
[**Enter description of the requested data, with as much detail as possible. It is recommended that Data Receiver specify data fields or variables requested, according to Data Provider’s data dictionary, if available. Also specify the scope of the data, including any inclusion/exclusion criteria, such as types of individuals or cases.**]
[**If PII, include the following language:** [DATA PROVIDER] shall obtain consent, authorization, or permission from the individuals that may be required by applicable state or federal laws and/or regulations prior to transmitting any PII pertaining to individuals in the data set.]
The above-described data shall be provided by [DATA PROVIDER] to [DATA RECEIVER] in the following format: [**indicate a format: csv file, excel file, relational database file(s), pdf records, etc.**].
The above-described data shall be provided at the following specified time(s): [**select one:** within a reasonable amount of time upon the execution of this MOU OR [list specific dates] OR upon request by [DATA RECEIVER]].
3. Data Transfer
[**If data request is for individuals specified by DATA PROVIDER:** [DATA RECEIVER] shall provide [DATA PROVIDER] with an encrypted electronic file containing unique identifiers of the requested individuals’ records or information. These unique identifiers shall be in the form of [**select one or more:** name, date of birth, Social Security number]. [DATA RECEIVER] will also provide the authentic copies of any signed authorizations in the same form as Exhibit A [**include agreed-upon authorization form as Exhibit A**], for each individual whose records are to be disclosed.]
[DATA PROVIDER] shall transmit the above-described records to [DATA RECEIVER] in accordance with this MOU. Any sensitive [or personally identifying information (“PII”)] shall be transmitted through a secure file transfer system.
4. Data Storage and Security
Both parties shall exercise reasonable and prudent procedures to protect such information, reports, returns, and other documents in their possession, including electronic versions thereof, from any unauthorized access and/or disclosure.
[**For high-security PII:** PII will be used solely to aid in the creation of a unique linking identifier. The unique linking identifier is not derived from PII or any elements thereof. [DATA RECEIVER] shall store PII separately from the remaining de-identified data set, which shall include the unique linking identifier as the only reference to the PII.]
[DATA RECEIVER] maintains and uses appropriate administrative, technical, and physical safeguards to preserve the integrity and confidentiality of and to prevent non-permitted use or disclosure of any information provided by [DATA PROVIDER]. [DATA RECEIVER]’s computers, networks, and file transfer mechanisms must be properly maintained (i.e., regular software patching will be conducted) and must run software that will protect against malicious code infecting and/or causing improper operation of computers and networks.
The parties agree that their agents, employees, and subcontractors with access to this data shall comply with all laws, regulations, and policies that apply to protection of the confidentiality of the data. [DATA RECEIVER] will not use or disclose information other than as permitted or required by this MOU or as required by state and federal law or as otherwise authorized by [DATA PROVIDER].
[DATA RECEIVER] may pass information to any of its agents, employees, or subcontractors for use in fulfilling the obligations of this MOU as long as they adhere to the conditions of this MOU. This includes, but is not limited to, data being sent directly to any agent, employee, or subcontractor to be used in data aggregation and quality assurance.
[**If PII:** No PII shall be included in any report, summary, data dashboard, or publication produced as a result of, or in conjunction with, the use of the data. The obligation to protect the privacy of PII is continuous and survives any termination, cancellation, expiration, or other conclusion of this MOU. [DATA RECEIVER] will mitigate, to the extent practicable, harmful effects of a use or disclosure of PII by [DATA RECEIVER] or its workforce in violation of the requirements of this MOU.]
[DATA RECEIVER] will report to [DATA PROVIDER], in writing, any use and/or disclosure of information that is not permitted by this MOU of which [DATA RECEIVER] becomes aware. Such report shall be made in the most expedient time possible and without unreasonable delay. This reporting obligation shall include breaches by [DATA RECEIVER], its agents, employees, and/or subcontractors.
6. Publicity and Publication
[DATA RECEIVER] may share publicly (in writing, online, verbally) any resulting aggregate summaries, reports, or publications, provided that such disclosures do not contain PII or confidential information.
7. Fees and Costs
[**Select one option:**
1. [DATA PROVIDER] will not charge [DATA RECEIVER] any fees for the work associated with the delivery of the data described in this MOU.
2. [DATA RECEIVER] will be responsible for fees and costs associated with the delivery of the data, as described in this MOU. Those fees are defined as [XXX]. If costs are anticipated to exceed the defined amount in excess of [XX]%, [DATA PROVIDER] shall provide notice to [DATA RECEIVER] before incurring such costs and modify this agreement accordingly.]
Any costs associated with [DATA RECEIVER]’s storage and maintenance of data are the responsibility of [DATA RECEIVER].
8. Ownership of the Data
Nothing in this MOU shall be construed as granting [DATA RECEIVER] any right, title, or interest in or to any license of any data. Ownership of the data remains that of the [DATA PROVIDER].
9. Term, Modification, and Termination
This MOU shall become effective on the date it is signed by both parties and shall remain in effect until [**Select one:** [Date] OR [Event] OR until modified or canceled by either party OR all PII provided by [DATA PROVIDER] is destroyed or returned to [DATA PROVIDER]].
This MOU may be modified at any time by written agreement of both parties.
Either party may cancel this MOU upon thirty (30) days written notice to the other party for any or no reason. In the event of a default under, or violation of, any of the provisions of this MOU by [DATA RECEIVER], [DATA PROVIDER] [**select one:**
1. may suspend the MOU and further disclosure of information to [DATA RECEIVER] until [DATA PROVIDER] is satisfied that corrective action has been taken and there will be no further violation. In the absence of prompt and satisfactory corrective action, the MOU will be terminated.
2. may terminate this MOU upon notice to [DATA RECEIVER].]
In the event that this MOU is cancelled or terminated, any data in the possession of [DATA RECEIVER], in whatever format it may be stored or maintained, shall remain subject to the terms and conditions of this MOU. The obligation of [DATA RECEIVER] to protect the confidentiality of the data is continuous and survives any termination, cancellation, expiration, or other conclusion of this MOU.
[**If PII:** Upon termination of the contract or upon written demand from [DATA PROVIDER], [DATA RECEIVER] agrees to immediately return or destroy, except to the extent infeasible, all PII received from, created by, or received by [DATA PROVIDER] including all such information disclosed to its agents, employees, and/or subcontractors.]
IN WITNESS WHEREOF the parties approve this MOU, effective upon last dated signature. The persons signing below have the right and authority to execute this MOU for their respective entities, and no further approvals are necessary to create a binding MOU.
By: _______________________ ____________
[DATA PROVIDER] Date
By: _______________________ ____________
[DATA RECEIVER] Date