If you or someone you know is in need of assistance, please visit our Help for Texans Page.
INSTRUCTIONS FOR USING
THE TDHCA INFORMATION SECURITY AND
PRIVACY AGREEMENT
(Amended April 9, 2020)
The purpose of the TDHCA Information Security and Privacy Agreement (ISPA) is to ensure the security and privacy of Protected Information of individuals and businesses who benefit from Department Programs. The requirement to enter into an ISPA is found in the Department rules at 10 TAC §1.24 (“Rule”). You can read the entire Rule on the Texas Secretary of State website at: https://www.sos.state.tx.us/tac/index.shtml. Capitalized terms in these instructions are defined in the ISPA.
WHO NEEDS TO EXECUTE THE ISPA:
A “Contractor,” as the term is used here, is any entity that enters a written agreement1 with the Department that results in the creation of, or access to Protected Information. Please see the legal definition of Contractor in the Rule for a complete description.
Example 1: For an entity that is a Contractor on account of having an existing CMTS filing agreement, it is the owner of the development that must sign the ISPA. An owner need only sign one ISPA to cover all of its TDHCA-monitored properties. The owner may, for clarity, add an addendum to the ISPA listing all of its current TDHCA-monitored properties. A property management company should not sign an ISPA unless it is also the owner.
Example 2: For an entity that is a Contractor on account of having a Subrecipient2 agreement with the Department, it is an authorized agent of the Community Action Agency, local government, or other Subrecipient type, that must sign the ISPA.
Example 3: For an entity that is a Contractor on account of having a Vendor3 agreement with the Department, it is an authorized agent of the consultant, law firm, IT services company, or other Vendor type, that must sign the ISPA.
An executable form of the ISPA may be downloaded HERE.
1 The term, “written agreement” takes its plain and ordinary meaning in these instructions and the ISPA. It should not be confused with the same term used in US Housing & Urban Development regulations and guidance.
2 See 10 TAC §1.24(a)(16) (“An organization with whom the Department contracts, and entrusts to administer federal or state programs or funds, including but not limited to, units of local government, non-profit and for-profit corporations, administrator, community action agencies, collaborative applications, sub-grantees, developers, owners, land banks, participating mortgage lenders, and non-profit owner-builder housing providers. This includes an Affiliate of a Subrecipient.”)
3 See 10 TAC §1.24(a)(17) (“ A person or organization that supplies goods or services, properly procured under relevant laws, to the Department.”)
HOW DO I KNOW IF MY CONTRACT GIVES ME ACCESS TO PROTECTED INFORMATION?
All of the types of Protected Information are defined in 10 TAC §1.24(b) (Definitions). They are listed here for convenience. Please refer to the rule for more detailed descriptions of each information type:
- Criminal History Records Information
- Financial Statements of a Tax Credit Applicant
- Non-Public Personal Information
- Personal Identifying Information
- Personal or Business Financial Information
- Protected Health Information
- Sensitive Personal Information
- Victims of Violence Information
- Weatherization Assistance Program (WAP) Application and Participant Information
(For help in clarifying whether information you create or access pursuant to your contract with the Department falls into one of the above categories, call Cynthia Guillen at (512) 475-3811.)
TO WHOM SHOULD THE EXECUTED ISPA BE RETURNED?
To Cynthia Guillen at Cynthia.Guillen@tdhca.texas.gov. We will return a fully executed copy you.
- WHEN IS THE DEADLINE FOR SUBMITTING AN EXECUTED ISPA TO THE DEPARTMENT?
- Contractors with written agreements currently in effect should have already submitted a signed ISPA. If not, please do so promptly.
- Contractors with Contracts that become effective after July 29, 2019:
No later than the date the new contract is fully executed
NOTE: AN ISPA IS EFFECTIVE AS LONG AS YOU HAVE ACCESS TO ANY DEPARTMENT PROTECTED INFORMATION. IF YOU ENTER INTO AN ADDITIONAL CONTRACT WITH THE DEPARTMENT WHILE THE CURRENT ISPA IS IN EFFECT, THERE IS NO NEED TO EXECUTE ANOTHER ISPA TO COVER YOUR ACTIVITIES UNDER THE NEW CONTRACT