1. A. B c. 2. Data Usage All information and databases associated with the (System) are the property of the TDCJ and shall not be given, sold, or used for any other purpose outside of the (System) without express written consent from the TDCJ. TDCJ information, data and information resources shall only be used for the purpose of this Agreement. Third party usage of data is prohibited unless authorized by the TDCJ Executive Director or designee, or the Data Management Office, and the Office of the Chief Information Security Officer. Data Disclosure A. B c. 3. A. A third-party vendor ("Contractor") will not disclose TDCJ data or content or any information about the TDCJ except as compelled by a court or administrative body or required by any law or regulation. The Contractor shall give notice to the TDCJ, if any disclosure request is received for TDCJ data or content, so the TDCJ may file an objection with the court or administrative body. The Contractor has no authority to respond to public information requests and shall not respond to such requests on behalf of TDCJ or to matters pertaining to TDCJ. Data Classification/Record Retention In accordance with Texas Government Code 2054.161, the Contractor shall make available to the TDCJ all data produced from or used in this (System) as determined appropriate for data security and applicable retention requirements under Texas Government Code Sections 441.185 and 441.187 for each classification. B. C. 4. A. B. c. D. E. F. The Contractor shall maintain and dispose of data, information, and records in accordance with the retention requirements specified by the TDCJ and using established and approved techniques and methods based on the level of confidentiality. If the data format is audio or video, it shall be maintained, retained and accessible at the same audio/video quality as it was recorded. Data Protection/Data Privacy The Contractor shall ensure the protection and privacy of TDCJ information, data, and information systems by: Implementing security controls based on the dlassification of the data and what the TDCJ determines is proportionate with the Agency's risk under the Contract and based on the sensitivity and confidentiality of the data. Complying with the information security requirements and the individual TDCJ information policy requirements maintained in the Information Resources Security Program (IRSP), TDCJ's security policy based on NIST 800-53, and the Security Requirements within this Agreement. Adhering to privacy requirements and regulations for confidential, sensitive, and regulated data to include Personal Identifying information (PII) or Sensitive Personal information (SPI) as defined in the Texas Business and Commerce Code 521.002(a)(1) and 521.002(a)(2). Student education data as defined under the Family Educational Rights and Privacy Act (FERPA) 20 U.S.C. § 1232g. Federal Tax Information (FTI), FICA, tax information per IRS Publication 1075 (IRS-1075)(Rev. 11. 2021). Payment card information data as defined in the Payment Card Industry Data Security Standard (PCI DSS) v2.0.
