(1)(a) The lead organization must require data requestors to submit data management plans with the data request application. Data management plans must comply with the Washington state office of chief security officer standards.

(b) Additional organizations that are involved in using the data in the data requestors' projects must also provide the information required in the data management plan for their organizations.

(2) Data management plans must provide detailed information including, but not limited to, the following:

(a) Physical possession and storage of the data files, including details about the third-party vendor and personnel handling the data; the facilities, hardware and software that will secure the data; and the physical, administrative and technical safeguards in place to ensure the privacy and security of the released data.

(b) Data sharing, electronic transmission and distribution, including the data requestor's policies and procedures for sharing, transmitting, distributing and tracking data files; physical removal and transport of data files; staff restriction to data access; and use of technical safeguards for data access (e.g., protocols for passwords, log-on/log-off, session time out and encryption for data in motion and at rest).

(c) Data reporting and publication, including who will have the main responsibility for notifying the lead organization of any suspected incidents where the security and privacy of the released data may have been compromised; how DMPs are reviewed and approved by the data requestor; and whether the DMPs will be subjected to periodic updates during the DUA period for the released data.

(d) Completion of project tasks and data destruction, including the data requestor's process to complete the certificate of destruction form and the policies and procedures to:

(i) Dispose of WA-APCD data files upon completion of its project.

(ii) Protect the WA-APCD data files when staff members of project teams (as well as collaborating organizations) terminate their participation in projects. This may include staff exit interviews and immediate termination of data access.

(iii) Inform the lead organization of project staffing changes, including when individual staff members' participation in projects is terminated, voluntarily or involuntarily, within twenty-one calendar days of the staffing change.

(iv) Ensure that the WA-APCD data and any derivatives or parts thereof are not used following the completion of the project.