(1) The lead organization must develop a standard data use agreement. The authority must approve the final form of the DUA, and all substantial changes to the form.

(2) At a minimum, the DUA shall include the following provisions:

(a) A start date and end date. The end date must be no longer than the length of the project for which the data is requested. The DUA may provide for the ability to extend the end date of the agreement upon good cause shown.

(b) The application for data should be incorporated into the DUA and attached as an exhibit to the agreement. There should be an affirmative provision that data provided for one project cannot be used for any other project or purpose.

(c) Data can be used only for the purposes described in the request. The data recipient agrees not to use, disclose, market, release, show, sell, rent, lease, loan or otherwise grant access to the data files specified except as expressly permitted by the DUA, confidentiality agreement if any and the approval letter.

(d) With respect to analysis and displays of data, the data recipient must agree to abide by Washington state law and rules, and standards and guidelines provided by the lead organization.

(e) A requirement for completion of an attestation by an officer or otherwise authorized individual of the data requestor that the data requestor will adhere to the WA-APCD's rules and lead organization policies regarding the publication or presentation to anyone who is not an authorized user of the data.

(f) A requirement that all requestor employees and all other individuals who access the data will sign a confidentiality agreement prior to data release. The confidentiality requirements should be set out in the DUA and include the consequences for failure to comply with the agreement.

(g) A requirement that any new employee who joins the organization or project after the data requestor has received the data and who will have access to the data must sign a confidentiality agreement prior and passed required privacy and security training prior to accessing the data.

(3) The authority or lead organization may audit compliance with data use agreements and confidentiality agreements. The requestor must comply and assist, if requested, in any audit of these agreements.

(4) Breach of a data use agreement or confidentiality agreement may result in immediate termination of the data use agreement. The data requestor must immediately destroy all WA-APCD data in its possession upon termination of the data use agreement. Termination of the data use agreement is in addition to any other penalty or regulatory action taken or that may be taken as a result of the breach.