Date Published: October 2017
The privacy and security standards, as described in the 2004 Data and Technical Standards Notice, seek to protect the confidentiality of personal information while allowing for reasonable, responsible, and limited uses and disclosures of data. These privacy and security standards are based on principles of fair information practices and on security standards recognized by the information privacy and technology communities.
While the 2004 Data and Technical Standards Notice does not explicitly address issues of data ownership, it's important to remember that the CoC Program Interim Rule gives CoCs authority over and responsibility of HMIS. As a result, data ownership questions should be addressed by the CoC(s) through any HMIS governance, policies, and/or agreements in place between associated parties.
Existing HMIS policy recognizes the administrative responsibilities of HMIS Leads and System Administrators in 4.1.3(3) of the 2004 HUD Data and Technical Standards Notice, which establishes that Covered Homeless Organizations (CHOs) may use or disclose protected personal information (PII) from an HMIS to carry out administrative functions, including but not limited to legal, audit, personnel, oversight and management functions. There is an understanding that if the HMIS Lead role, and its accompanying functions and responsibilities, shift from one agency to another, the allowable disclosure for the purposes in 4.1.3(3) shift as well.