The URL can be used to link to this page

Home My WebLink About25409AGREEMENT INFORMATION AGREEMENT NUMBER 25409 NAME/TYPE OF AGREEMENT FLORIDA DEPARTMENT OF HIGHWAY SAFETY & MOTOR VEHICLES DESCRIPTION DATA EXCHANGE MEMORANDUM OF UNDERSTANDING/ELECTRONIC ACCESS TO DRIVER INFORMATION/MATTER ID: 24-2557/#42 EFFECTIVE DATE ATTESTED BY TODD B. HANNON ATTESTED DATE 11/18/2024 DATE RECEIVED FROM ISSUING DEPT. 1/27/2025 NOTE COPY Docusign Envelope ID: DEDABB08-61DB-41F5-889C-11A010E9E46F HSMV HSMv-0301-25 FLHSMV FLORIDA DEPARTMENT OF HIGHWAY SAFETY AND MOTOR VEHICLES DATA EXCHANGE MEMORANDUM OF UNDERSTANDING This h1emorandurn of Understan-ding ( MOU) is made and entered into by and between City of Miami Police Department , hereafter referred to as the Requesting Party, and the Florida Department of Highway Safety and Motor Vehicles, hereafter referred to as the Providing Agency, collectively referred to as the Parties 1, Pur ose The Providing; Agency is a Government Entity whose primary duties include issuance of motor vehicle and driver licenses, registration and titling of motor vehicles, and enforcement of all Taws governing traffic, travel, and public safety upon Florida's public. highwayts. In carrying out its statutorily mandated duties and responsibilities, the Providing Agency collects and maintains Personal Information that identifies individuals. Based upon the nature of this information, the Providing Agency is subject to the various disclosure prohibitions and restrictions Contained in 18 U,S.C. §2721, the Driver's Privacy Protection Act (hereafter "DPPA"), sections 119 0712(2); 316.066, 324.242, and 501.171, Florida Statutes, and other statutory provisions. The Requesting Party is a Government Entity or Private Entity operating under the laws and authority of the state of Florida and/or operating under federal laws and is requesting Personal information and declares that it is qualified to obtain Personal Information under the exception number(s), listed in Attachment I, authorized by DPPA. This MOU is entered into for the purpose of establishing the conditions and limitations under which the Providing Agency agrees to provide electronic access to Driver License Information, Motor Vehicle Information, Crash Report Information, Crash Insurance Information, and/or Insurance Record Information to the Requesting Party. Data Exchange MOU w/ Crash (rev. 2/21/24) Page 1 of 27 Docusign Envelope ID. DEDABB08-61DB-41F5-889G-11A01GE9E46F The types of data requested and the applicable statutory fees if applicable, are agreed to by bath parties as indicated in Attachment II. The Requesting Party is receiving a 19-digit, a 4-digit, or 1 no social security number, pursuant to Chapter 119, Florida Statutes, or other applicable Taws. II. pefinitionl For the purposes of this MOU, the below -listed terms shall have the following meanings: A. Batch/ File Transfer Protocol (FTP}/Secure File Transfer Protocol (SFTP} An electronic transfer of data in a secure environment. B. Business Point -of -Contact - A person appointed by the Requesting Party to assist the Providing Agency with the administration of the MOLD. C. Consumer Complaint Point -of -Contact A person appointed by the Requesting Party to assist the Providing Agency with complaints from consumers regarding misuse of Personal Information protected under DPPA. D. Control Record - A record containing fictitious information that is included in data made available by the Providing Agency and is used to identify Inappropriate disclosure or misuse of data E. Crash Insurance Information - Insurance information, such as assurance company name, policy type, policy status, Insurance creation and expiration date, including insurance policy number, provided to the Requesting Party pursuant to section 324.242, Florida Statutes, on vehicles involved in a crash. F. Crash Report Information Information derived from crash reports submitted by the Investigating law enforcement agency to the Providing Agency and entered into a computerized database pursuant to section 316.066, Florida Statutes, which includes Personal Information and the employment street address, and the home and telephone Data Exchange MOU w/ Crash (rev. 2/21/24 F Page 2 of 2 Docusign Envelope ID: DEDABB08-61DB-41F5-889C-11A01GE9E46F numbers of the Parties involved in the crash. G. Downstream Entity - Any individual, association, organization, or corporate entity who receives Driver License Information, Crash Report Information, Crash Insurance Information, and/or Insurance Record Information from a Third Party End User in accordance with UPPA and section 119.U/lt(t), Honda Statutes. Ff. Driver License Information - Driver license and identification card data collected and maintained by the Providing Agency. This data includes Personal Information Driver's Privacy Protection Act (DPPA} - The Federal Act (see,18 United States Code § 2721, et seq.) that prohibits release and use of Personal Information except as otherwise specifically permitted within the Act, J. Government Entity Any federal, state, county, county officer. of city government, including any court or law enforcement agency. R. Highly Restricted Personal Information - Information that includes, but is not limited to, medicdl or disability information and social security number. L. Insurance Record Information • Insurance information, such as Insurance company name, policy type, policy status, insurance creation and expiration date, but excluding insurance policy number, provided to the Requesting Party, pursuant to section 324.242, Florida Statutes. M. Motor Vehicle Information • Title and registration data collected and maintained by the Provfoing Agency for Vehicles and vessels. This information includes Personal Information. Al, Parties - The Providing Agency and the Requesting Party D. Personal Information - A5 described in section 119.0712(2}(b), Florida Statutes and 18 U.S.C. S.2725, information which includes, but is not limited to, the subject's driver identification number, name, address, (but not including the 5-digit zip code), date of Data Exchange MQU w/ Crash tirev 2/21/24) Page 3 of 27 Docusign Envelope ID: DEDABB08-61DB-41F5-889C-11A010E9E46F birth, height, race, gender and medical or disability information. P. Private Entity - Any entity that is not a unit of government, including, but not limited to, a corporation, partnership, limited liability company, nonprofit organization or other legal entity or a natural person. Q. Providing Agency - The Department of Highway Safety and Motor Vehicles_ R. Requesting Party - Any entity type that is expressly authorized by section 119 0712(2), Florida Statutes and DPPA to receive Personal information and/or Highly Restricted Personal Information that requests information contained in a driver license or motor vehicle record from the Providing Agency through remote electronic access. 5.. Requesting Party Number A unique number assigned to the Requesting Party by the Providing; Agency that identifies the type of records authorized for release and the associated statutory fees for such records. T. Technical Contact - A person appointed by the Requesting Party to oversee the maintenance/operation of setting up of Web Service and Batch/FTP/SFTP processes. U, Third Party End User - Ar<y individual, association, organization, or corporate entity who receives Driver License Information, Motor Vehicle Information, Crash Report Information, Crash Insurance Information, and Insurance Record Information from the Requesting Party in accordance with DPPA and sections 119 0712(2), 316.066, and 324.242, Florida Statutes. V. Web Service - A service where the Requesting Party writes a call program to communicate with the Web Service of the Providing Agency to receive autho^zed motor vehicle and driver license data, III, Le¢at Authority: Restrictions on the Dissemination of fformatio _Provided bvshe Providine Agency A. The Providing Agency maintains computer databases containing information pertaining to Data Exchange MOU 'Al Crash ;rev 2/21/241 Page 4of27 Docusign Envelope ID: DEDABB08-61DB-41F5-889C-11A010E9E46F driver's licenses and motor vehicles pursuant to Chapters 316, 317. 319, 320, 322, 328, and section 324.242, Florida Statutes. The Driver License Information, Motor Vehicle Information, Crash Report Information, Crash Insurance Information, Insurance Record Information and vessel data contained in the Providing Agency's databases is defined as public, record pursuant to Chapter 119, Florida Statutes and, as such, are subject to public disclosure, unless otherwise exempted from disclosure or made confidential by law. B. As the custodian of the states Driver License Information, Motor Vehicle Information Crash Report Information, Crash Insurance Information, and Insurance Record Information, the Providing agency is responsible for providing access only to records and information permitted to be disclosed by law C. Under this MOU, the Requesting Party will be provided, via remote e'.ectron:c means, certain Driver License Information, Motor Vehicle Information, Crash Report Information, Crash Insurance Information, and Insurance Record Information, including Personal Information authorized to be released pursuant to OPPA and sections 119.0712(21, 316.066, or 324.242, Florida Statutes, 1). Highly Restricted Personal tn'orrnation shall only be released in accordance with OPPA ir'd Florida law. E. The Providing Party only may provide information derived from crash reports to the Requesting Party pursuant to section 316.066(2), Florida Statutes. Sixty days after the date a crash report is filed, the Providing Agency may provide Crash Report Information to entities eligible to access the crash report pursuant to section 316,O66(2].[bl. Florida Statutes, and in accordance with any of the permissible uses listed 3n 18 U.S.C. s. 2721(b) and pursuant to the resale and redisclosure requirements in 18 U.S.C. s. 2721(c). E. The Parties agree that all provisions herein concerning the protection, disclosure, or distributon of data provided by the Providing Agency to the Requesting Party shall survive the expiration or termination of this MOU, and that the Providing Agency reserves the right to enforce the provisions of this MOU after the MOU's expiration or termination, including obtaining injunctive relief, Data Exchange MOU Crash ;rev 2/21/241 Page 5 of 21 Docusign Envelope ID: DEDABB08-61DB-41F5-889C-11A01GE9E46F G. This MOU is governed by the laws of the State of Florida and venue for any dispute arising from this MOU shall be exclusively in Leon County, Florida. IV. Statement of Worst A. The Prnvidmg Aganty agreac to 1 Provide the Requesting Party with the technical specifications, and Requesting Party Number if applicable, required to access data in accordance with this MOU and the access method being requested. 2 Allow the Requesting Party to electronically access Driver License Information, Motor Vehicle Information, Crash Report Information, Crash Insurance Information, and Insurance Record Information as authorized under this MOU, DPPA, and sections 1]9.0712j2), 316.066, and 324 242, Florida Statutes. 3. Collect all fees for providing the electronically requested data, pursuant to applicable Florida Statutes, rules and policies, including sections 320 05 and 322.20, Florida Statutes. The fee shall include all direct and indirect costs of providing remote electronic access, according to section L19.07(2i(c). Florida Statutes. 4. Collect aII fees due for electronic requests through the Automated Clearing House account of the banking institution which has been designated by the Treasurer of the State of Florida for such purposes. 5. Terminate the access of the Requesting Party for non-payment of required fees. The Providing Agency shall not be responsible for the failure, refusal, or inability of the Requesting Party to make the required payments, or interest on fate payments for periods of delay attributable to the action or inaction of the Requesting Party. Notify the Requesting Party at least thirty (3O) business days prior to changing any fee schedules, when it is reasonable and necessary to do 50, as determined by the Providing Agency. All fees are established by Florida law. Any changes in fees shall be effective on Data Exchange MOU w/ Crash (rev. 2/21/24) Page 6 ctf 21 Docusign Envelope ID: DEDABB08-61DB-41F5-889C-11A010E9E46F the effective date of the corresponding law change. The Requesting Party may continue with this MOU, as modified, or it may terminate the MOU on accordance with Section XI., subject to the payment of all fees incurred prior to termination. 7. Perform all obligations to provide access under this MOU contingent upon an annual appropriation by the Legislature. 8. Provide electronic access to Driver License Information, Motor Vehicle Information. Crash Report Information, Crash Insurance Information, and insurance Record Information, pursuant to roles and times established other than schedured maintenance or periods of uncontrollable disruptions. Scheduled maintenance normally occurs Sunday mornings between the hours of 6.00 A.M. and 10:00 A.M.. Eastern Time 9. Provide a contact person for assistance with the implementation of this MOU 8. The Requesting Party agrees to: 1. Access or utilize all information provided by the Providing Agency pursuant to this MOU in strict compliance with DPPA and sections 119.0712(4 316,066, and 324.242, Florida Statutes. 2. Maintain the confidential and exempt status of all information provided by the Providing Agency pursuant to this MOU as required by DPPA and sections 119.0712(21, 316.066, and 124.242, Florida Statutes. 3 Ensure that any Third Party End Users and Downstream Users accessing or utilizing information obtained by the Requesting Party by, through, or as a result of this MOU shall du so strictly in compliance with DPPA and sections 119.0712121, 316.066, and 324.242, Florida Statutes. 4. Ensure that any Third Party End Users and Downstream Users accessing or utilizing information obtained by the Requesting Party by, through, or as a result of this MOU maintains the confidential and exempt status of such information as required by OPPA Data Exchange MOU wf Crash {rev 2/21/24) Page ./ cif 27 Docusign Envelope ID DEDABB08-61DB-41F5-889C-11A010E9E46F and sections 119.0712(2), 316.06,6, and 324 242, Florida Statutes S Ensure that Highly Restricted Personal Information, including that accessed by any Third Party End Users and Downstream Users by, through, or as a result of this MOU, only may be released as authorized by DPPA and Florida law. 6 Request access to Crash Insurance Information, including Vehicle identification Number, if authorized pursuant to this MOU only for vehicles actually involved in a crash or for vehicles of persons involved in a crash Access to Crash Insurance Information will be provided by the Providing Agency only upon the submission by the Requesting Party of the date of a specific crash, the associated crash report number, and evidence that the Requesting Party or a Third Party End User is the attorney of the person involved an a specific crash or a representative of the insurer of a person involved in a specific crash Use information provided pursuant to this MOU only for the expressed purposes as described in Attachment t of this MOU_ 8. Not misuse its Requesting Party Number to Obtain information pursuant to this MOU for any use which violates this MOU and the immediate termination of this MOU by the Providing Agency upon the discovery of any misuse by the Requesting Party of its Requesting Party Number. 9. Self -report to the Providing Agency all violations of the MOU within five (5) business days of discovery of such vrolationfs) The report shall Include a description, the time period, the number of records impacted. the harm caused, and all steps taken as of the date of the report to remedy or mitigate any injury caused by the violation 10. Accept responsibility for interfacing with any and all Third Party End Users. The Providing Agency will not interact directly with any Third Party End Users. Requesting Party shall not give Third Party End Users the name, email address, or telephone number of any Providing Agency employee without the express written consent of the Providing Agency In addition, the Requesting Party agrees to have controls in place to ensure Third Party End Users comply with all requirements of this MOU. Data Exchange MOU w/ trash (rev. 2/2I/241 Page got 7 7 Docusign Envelope ID: DEDABB08-61DB-41F5-889G-11A010E9E46F 11. Have controls in plane to ensure Third Party End Users who redrsdose FLHSMV data to Downstream Entities are subject to the terms and conditions of this MOU and that such Downstream Entities comply with this MOU, DPPA, and sections 119,0712(21, 316 066, and 324.242, Florida Statutes 12. Establish procedures to ensure that its employees and agents, including any contractors carrying out work on behalf of the Requesting Party or Third Party End Users and/or Downstream Entities, comply with Section V-, Safeguarding Information, and provide a copy of the procedures to the Providing Agency within ten f lO) business days of a request. 3 Not assign, sub -contract, or otherwise transfer its rights, duties, or obligations under this MOU without the express written consent and approval of the Providing Agency. 14. Use the information received from the Providing Agency only for the purposes authorized by this MOU, DPPA, and sections 119 071212). 316,066, and 324,242, Florida Statutes The Requesting Party shall not_ a. Redisclose the information received from the Providing Agency for bulk distribution for surveys, marketing or solicitations. b. Share or provide any information to another unauthorized entity, agency or person. 15. Protect and maintain the confidentiality and security of the data received from the Providing Agency in accordance with this MOU and applicable state and federal laws. 16. indemnify the Providing Agency and its employees from any and all damages arising from the Requesting Party`s negligent or wrongful use of information provided by the Providing Agency, to the extent allowed by law This provision is not applicable to federal governmental entities. 77. Fvr federal governmental entities: The Requesting Party agrees to promptly consider and adjudicate any and all claims that may arise out of this MOU resulting from the actions of the Requesting Party, duly authorized representatives, agents, or contractors of the Data Exchange MOU w/ Crash ire. 2l21/241 Page 9 of 27 Docusign Envelope ID: DEDABB08-61DB-41F5-889C-11A010E9E46F Requesting Party, and to pay for any damage or iniury as may be required by federal law Such adjudication will be pursued under the Federal Tort Claims Act, 28 U..5.C, § 2671 et seq., the Federal Employees Compensation Act, 5 U.S.C.. § 8101 et seq., ar such other federal legal authority as may be pertinent is update user access/permissions upon reassignment or users within five (5) business days, 19 immediately inactivate user access/permissions following separation, negligent, improper, or unauthorized use or dissemination of any information. 20. For all records containing Personal Information released to a Third Party End User, maintain records identifying each person or entity that receives the Personal Information and the permitted purpose for which it will be used far a period of five (5) years. The Requesting Party shall provide such records or otherwise make such records available for inspection by the Providing Agency not later than five (5) business days after receipt of a request from the Providing Agency. 21. Pay all costs associated with electronic access of the Providing Agency's Inver License Information, Motor Vehicle Information. Crash Report Information, Crash insurance Information, and Insurance Record Information, The Requesting Party shall a, Maintain an account with a banking institution as required by the Providing Agency. b. Complete and sign the appropriate docurnent(s) to allow the Providing Agency's designated banking institution to debit the Requesting Party's designated account. c. Pay all fees due the Providing Agency by way of the Automated Clearing House account of the Providing Agency's designated banking institution. Collection of transaction fees from eligible and authorized Third Party End Users is the responsibility of the Requesting Party. 22. Notify the Providing Agency within five (5) business days of any changes to the name, address, telephone number or email address of the Requesting Party, its Paint -of -Contact Data Exchange MOU w/ Crash (rev. 2/21/24) Page I0 of 27 Docuslgn Envelope ID. DEDABB08-61 DB-41 F5-889C-11 A01 CE9E46F for Consumer Complaints, and/or its Technical Contact. The information Shall be e-rnailed to OataListingUnitOflhsmv.gay. Failure to update this information as required may adversely affect the timely receipt of Information from the Providing Agency. 23. Immediately notify the Providing Agency of any change of FTP/SFTP for the receipt of data under this MOU. Failure to update this Information as required may adversely affect the timely receipt of information from the Providing Agency. 24. Understand that this MVI❑U is subject to any restrictions, limitations or conditions enacted by the Florida Legislature, which may affect any or all terms of this MOU. The Requesting Party understands that it is obligated to comply with all applicable provisions of taw. 25 Timely submit Internal Control and Data Security Audits required by Section VII., A, and the statements required in Section VII., 6. and C. 26 A Requesting Party who has not previously received records from the Providing Agency shall utilize Web Services currently offered by the Providing Agency rather than batch/FTP/SFTP processes. Also, any Requesting Party using the FTP/SFTP processes agrees to transition to Web Services, where available, within six months {6) months of the Providing Agency's request. 27. Cooperate and ensure that its subcontractors, if any, cooperate with the Inspector c3 neral in any investigation. audit, inspection, review, or hearirg pursuant to section 20.055, Florida Statutes 28. If the Requesting Party, a Third Party End User, or Downstream Entity that receives data from ttie Requesting Party has a public facing website that allotiws an individual to obtain Driver License Information or Motor Vehicle Information, the following minimum requirements must be in place prior to the transmission of data: a. Safeguards to ensure information obtained through the website rs only disclosed to individuals authorized to receive it under 18 U.S.C. §2721{b). This includes internal controls to prevent or detect instances in which an individual attempts to purchase a Data Exchange MOU w/ Crash (rev. 2/21/24) Page 11 of 27 Docusign Envelope ID DEDABB08-61DB-41F5-889C-11A010E9E46F record other than their own or to verify that the requestor meets a DPPA exemption. b, If the Requesting Party intends to allow an individual to purchase their own transcript from the Requesting Party website utilizing the DPPA permissible use provided by 18 U.S.C. §2721(bI(13), a process to verify that the payment instrument used to authorize the purchase Is In the same name as the transcript being requested. c. Safeguards to ensure that information is provided through the website only for the expressed purposes as described in Attachment I of this MOU. d Use of Transport Layer Security version 1.2 or later for encryption of data in transit and in session State e Safeguards to ensure that the website is periodically scanned by a qualified external vendor for system vulnerabilities and all identified vulnerabilities are promptly remedied Safeguards to ensure that all systems that process Driver License Information or Motor Vehicle Information adhere to a formalized patch management process g. If the Requesting Party allows Third Party End Users or Downstream Entities to have a public facing website, the Requesting Party shall have controls in place to ensure the Third Party End User or Downstream Entity meets these requirements. v. Safeeuardinz Information A. The Parties shall access, disseminate. use and maintain all information received under this MOU in a manner that ensures its confidentiality and proper utilization in accordance with Chapter 119, Florida Statutes, sections 316.066 and 324.242, Florida Statutes, and DPPA. Information obtained under this MOU shall only be disclosed to persons to whom disclosure is authorized under Florida law and federal laws, My disclosure of information shall be in accordance with 18 U.S.C. §2721(c). In the event of a security breach, the Requesting Party agrees to comply with the provisions of section 501..171, Florida Statutes Data Exchange MOU w/ Crash (rev 2/21/24; Page 12 of 27 Docusign Envelope ID: DEDABB08-61 DB-41 F5-889C-11 A01 CE9E46F B. Any person who knowingly violates section 119.0712(2), Florida Statutes or section 316.066, Florida Statutes, may be subject to criminal punishment and civil liability, as provided in sections 119.10 or 316.066, Florida Statutes. In addition, any person who knowingly discloses any information in violation of OPPA may be subject to criminal sanctions, including fines, and civil liability. C. in an effort to ensure information is only used in accordance with Chapter 119, Florida Statutes, and DPPA, the Providing Agency may include Control Records in the data provided in an effort to identify misuse of the data D. The Requesting Party shall notify the Providing Agency of any of the following within five (S) business days: 1. Termination of any agreement/contract between the Requesting Party and any other state or State Agency due to non compliance with DPPA, data breaches, Or any state laws relating to the protection of driver privacy. The Requesting Party shall also notify the Providing Agency if any stdte or State Agency declines to enter into an agreement/contract with the Requesting Party to provide DPPA protected data. Any pending litigation alleging violations of DPP.\ or any law of any state relating to the protection of driver privacy. 3. Any instance where the Requesting Party is found guilty of liable by a court of competent jurisdiction for misuse of data under OPPA or under any law of any state relating to the protection of drover privacy, 4. Any instance where the owner, officer, or control person of the Requesting Party owned a majority interest in, or acted as a control person of, an entity that was found guilty or liable by a court of competent jurisdiction for misuse of data under OPPA or under any law of any state relating to the protection of driver privacy. A breach of security as defined by section 501.171, Florida Statutes. Data Exchange MOU w/ Crash (rev. 2/21/24i Page 13 of 2i Docusign Envelope ID: DEDABB08-61DB-41F5-889G-11A010E9E46F E. The Parties mutually agree to the following: 1. Information exchanged well not be used for any purposes not specifically authorized by this MOU and its attachments. Unauthorized use includes, but is not limited to, queries not related to a legitimate business purpose, personal use, and the dissemination, sharing, copying or passing or this or any unauthorized Information to unauthorized persons. 2. The Requesting Party will not be liable to the Providing Agency for any Driver license Information or Motor Vehicle Information lost, damaged, or destroyed as a result of the electronic exchange of data pursuant to this MOU, unless resulting from a negligent or wrongful act or omission of the Requesting Party 3. Information obtained from the Providing Agency will be Stored in a location that is phys,caily and logically secure from access by unauthorized persons. 4 The Requesting Party shall adopt cybersecurity standards that safeguard Department provided data, Department information technology and Department Information technology resources to ensure confidentiality, and integrity. The cybersecurity standards rnust be consistent with generally accepted best practices for cybersecurity, including the National Institute of Standards and Technology. Cybersecurity Framework, Florida Administrative Code 60GG-2, s 282.318, 282.3185, Florida Statutes and applicable agency security polities set forth in Attachment Ill. Access to the information received from the Providing Agency will be protected in such a way that unauthorized persons cannot view, retrieve, or print the information. 5. All personnel with access to the information exchanged under the terms of this MOU will be instructed about, and acknowledge in writing their understanding of, the confidential nature of the information. These written acknowledgements must be maintained in a current status by the Requesting Party and provided to the Providing Agency not later than ten (101 business days after a written request from the Providing Agency to review the written acknowledgments 6. All personnel with access to the information will be instructed about and acknowledge in Data Exchange MOU w/ Crash (rev. 2121/24i Page 14 of 27 Docuslgn Envelope ID: DEDABBQ8-61DB-41F5-889C-11A010E9E46F writing their understanding of the civil and criminal sanctions specified in state and federal law for unauthorized use of the data. These written acknowledgements must be maintained in a current status by the Requesting Party and provided to the Providing Agency not later than ten (10) business day after a written request from the Providing Agency to review the written acknov+ledgments. 7. All access to the information must be monitored on an ongoing basis by the Requesting Party In addition, the Requesting Party must complete an Annual Certification Statement to ensure proper and authorized use and dissemination of information and provide it to the Providing Agency pursuant to Section VIi. 8, below. All data received from the Providing Agency shall be encrypted during transmission to Third Party End Users using Transport layer Security (TLS] version 1.2 or higher encryption protocols. Alternate encryption protocols are acceptable only upon prior written approval by the Providing Agency. 9. By signing the MOU, the representatives of the Providing Agency and Requesting Party, on behalf of the respectrve Parties, attest and ensure that the confidentiality of the information exchanged will be maintained. VI. Third Party End Users Any agreement by the Requesting Party to provide Driver License Information, Motor Vehicle Information, Crash Report Information, Crash Insurance Information, or Insurance Record Information to a Third Party End User and any agreement by a Third Party End User to provide Driver License Information, Motor Vehicle Information, Crash Report Information, Crash Insurance Information, or Insurance Record Information to a Downstream, Entity shall A. Be in writing. 8. Include and incorporate this MOU by reference without any change to this MOD. C. Require the Third Party End user and any Downstream Entity to comply with DPPA and Data Exchange MOLT w/ clash 'rev 2/21/241 Page 15 of 27 Docusign Envelope ID: DEDABB08-61DB-41F5-889C-11A010E9E46F sections 119.0712(2), 316.066, and 324.242, Florida Statutes D. Require the Third Party End User and any Downstream Entity to acknowledge in writing that, by receipt of Driver License Information, Motor Vehicle Information, Crash Report Information, Crash Insurance Information, or Insurance Record Information, such Third Party End User and Downstream Entity are subject to and must comply with DPPA, sections 119.0712(2), 316.066, and 324.242, Florida Statutes. E. Require the Requesting Party, Third Party End User, and any Downstream Entity to provide a copy of such agreement to the Providing Agency within ten (10) business days after a request by the Providing Agency for a copy of such agreement. The failure of a Requesting Party, Third Party End User, and Downstream Entity to timely provide a copy of such agreement to the Providing Agency when requested by the Providing Agency shall be cause for the immediate termination of this MOU by the Providing Agency. VII. Comoliance and Control Measures A. Internal Control and Data Security Audit - This MOU is contingent upon the Requesting Party having appropriate internal controls in place at all times to ensure that the information provided or received pursuant to this MOU is protected from unauthorized access, distribution, use, modification, or disclosure. The Requesting Party must submit to the Providing Agency an Internal Control and Data Security Audit from a currently licensed Certified Public Accountant (CPA), on or before the first anniversary of the execution date of this MOU or within one hundred twenty (120) days from receipt of a written request from the Providing Agency. Government agencies may submit the Internal Control and Data Security Audit from their Agency's Internal Auditor or Inspector General. The audit report shall be sent to the Providing Agency in the manner prescribed in Section xII, for Notices.. 1. The audit report shall: a. Indicate whether the internal controls governing the use and dissemination of personal data have been evaluated based an the requirements of this MOU (see item Data Exchange MOU w/ Crash (rev. 2/21/24) Page 16 of 27 Docusign Envelope ID: DEDABB08-61DB-41F5-889C-11A010E9E46F 2 below}_ b. indicate whether those internal controls included data security policies/procedures in place for personnel to follow and data security procedures/policies in place to protect personal data. Indicate whether those data security procedures/policies have been approved by a Risk Management IT Security Professional, with credentials such as, but not limited to: CISA, CISSP, CISM, or CRISC d. Indicate whether any and all deficiencies/issues found during the audit have been corrected and measures enacted to prevent recurrence. e Include an op+neon on whether those internal controls are adequate to protect the personal data from unauthorized access, distribut;on, use, modification, or disclosure. 2. The audit must be based on the requirements of this MOU, Florida Administrative Code Rule 60GG•2, and the Providing Agency's External Information Security Policy (attachment 1111 Engagements that do not consider these specific criteria or do not render an independent auditor's opinion or conclusion will not meet the requirements for the Internal Control and Data Security Audit, The Parties agree that a SOC 2 Report, consulting service engagement, or other audit report type will not satisfy the requirements for the Internal Control and Data Security Audit if the SOC 2 Report, consulting service engagement, or other audit report does not specifically address each of the elements listed in Section VII,, A., 1, a„ b , c,, d., and e. 3. The Parties agree that an audit report which includes an audit period entirely outside the term of this MOU does not satisfy the requirements for the Internal Control and Data Security Audit 4. The Requesting Party is responsible for clearly specifying the above audit requirements to the CPA, or government agency auditor, before audit work commences. Data Exchange MOU w/ Crash (rev. 2/21/24) Page 17 of 27 Docusign Envelope ID: DEDABB08-61 DB-41 F5-889C-11A01 CE9E46F B. Annual Certification Statement - The Requesting Party shall submit to the Providing Agency an annual statement, utilizing Attachment IV, indicating that the Requesting Party has evaluated and certifies that it has adequate controls in place to protect the personal data from unauthorized access, distribution, use, modification, or disclosure, and is in full compliance with the requirements of this MOU and applicable laws. The Requesting Party shall submit this statement to the Providing Agency annually, not later than fifteen j15► business days after the anniversary of the execution date of this MOU (NOTE: During any year in which an internal Control and Data Security Audit is conducted and submitted to the Providing Agency, submission of the Internal Control and Data Security Audit may satisfy the requirement for submission of an Annual Certification Statement.) Failure to timely submit the annual certification statement may result in an immediate termination of this MOU. The annual certification statement shall be sent to the Providing Agency :n the manner prescribed in Section XII, for Notices. In addition, prior to expiration of th,5 fv10U. if the Requesting Party intends to enter into a new or replacement MOU, an annual certification statement attesting that appropriate controls remained in place during the final year of this MOU and are currently in place shall be submitted to the Providing Agency prior to the Providing Agency executing a new or replacement MOU for this MOU. C. Misuse of Personal Information — The Requesting Party must notify the Providing Agency in writing of any incident where it is suspected ur confirmed that Personal Information has been compromised as a result of unauthorized access, distribution, use, modification, or disclosure, by any means, within five (5) business days of such discovery. The statement must be provided on the Requesting Party's letterhead and include each of the following. a brief summary of the incident; the outcome of the review; the date of the occurrence(s); the number of records compromised: the name or names of personnel responsible; whether disciplinary action or termination was rendered; and whether or not the persons whose Personal Information was compromised were notified The statement shall also indicate the steps taken, or to be taken, by the Requesting Party to ensure that misuse of data does not contir.ue or recur. This statement shall be sent to the Providing Agency in the manner prescribed in Section XII, for Notices. (MOTE: If an incident involving breach of Personal Information did occur and the Data Exchange MOU w/ Crash (rev. 2/21/2d1 Page 18 of 27 Docusign Envelope ID: DEDABB08-61DB-41F5-889C-11A010E9E46F Requesting Party did not notify the owner(5l of the compromised records, the Requesting Party must indicate why notice was not provided.) In addition, the Requesting Party shall comply with the applicable provisions of section 501 171, Florida Statutes, regarding data security and security breaches, and shall strictly comply and de solely responsible for adhering to the provisions regarding notice provided therein. 0. Consumer Complaints — The Requesting Party shall provide a point of,contact for consumer complaints. In the event the Providing Agency receives a consumer complaint regarding misuse of DPPA protected information, the Requesting Party shall review and investigate the complaint. The Requesting Party shall provide its findings to the Providing Agency not later than fifteen (15) business days from the date the Requesting Party receives notice of such a complaint from the Providing Agency Consumer Complaint Point -of -Contact Information: Name: Email: Alberto Fernandez 1879@miami-police.org Phone Number 305-603-6155 E. Control Records - In the event a Control Record inserted into data received by the Requesting Party is used in a manner that does not comply with DPPA or state law and upon the written request of the Providing Agency to the Requesting Party, the Requesting Party shall conduct an investigation of any Third Party End Users who obtained the record from the Requesting Party. As part of this provision, the Requesting Party shall also retain the authority to require Third Party End Users to investigate the Downstream Entities' handling and distribution of data subject to protection pursuant to DPPA and state law and to provide the results o$ the investigation to the Requesting Party. The Requesting Party shall provide the results of the investigation(s), together with all associated documents and information collected by the Requesting Party, Third Party Users and Downstream Entities, to the Providing Agency not later than fifteen (15) business days after receipt by the Requesting Party of the written request from the Providing Agency When the Providing Agency requests the results of such Data Exchange Mau wl Crash Irev 2i21/241 Page 19 of 27 Docusign Envelope ID: DEDABB08-61 DB-41 F5-889C-11A01 CE9E46F an investigation, the results of the investigation shall be sent to the Providing Agency in the manner prescribed in Section XII., for Notices. VIII. Liauid.ited Damages Unless the Requesting Party is a atAte agPnry the Prnvirfing AEPnry rptervPC the right to irflpnKP liquidated damages upon the Requesting Party. The imposition of liquidated damages by the Providing Agency i5 separate from and unrelated to any other applicable criminal or civil penalties authorized by law for violations of DPPA and sections 119.0712, 316.066, of 324.242. Florida Statutes. Failure by the Requesting Party to meet the established requirements of this MOU may result in the Providing Agency finding the Requesting Party to be out of compliance, and, all remedies provided in this MOU and under law. shall become available to the Providing Agency. A. General Liquidated Damages In the case of a breach or misuse of Information received pursuant to this MOU due to non- compliance with DPPA, sections 119.0712(2),. 316.066, 324.242, 501.171, Florida Statutes, or any other state laws designed to protect the privacy of a driver's Driver License information, Motor Vehicle Information, Crash Report Information, Crash Insurance Information, or insurance Record Information, the Providing Agency may impose upon the Requesting Party liquidated damages of up to $25.00 per record for each record involved in such breach or misuse. In imposing liquidated damages, the Providing Agency will consider various circumstances including, but not limited to: 1. The Requesting Party's history with complying with DPPA, sections 119.0712(21, 316.066, 324,242, and 501.171, Florida Statutes, or any other state Taws designed to protect a drivers privacy; 2 Whether the Requesting Party self -reported violations of this MOU to the Providing Data Exchange MOU w/ Crash rev. 2/21/24) Page 20 of 27 Docusign Envelope ID: DEDABB08-61DB-41F5-889C-11A010E9E46F Agency prior to discovery by the Providing Agency; 3. Whether the Requesting Party violated this MOU over an extended period of tome; 4. Whether the Requesting Party's violation of this MOU directly or indirectly resulted in injury, and the. nati,rn and extant of thr► Inje,ry; The number of records involved or impacted by the violation of this MOUJ; 6. Whether, at the time of the violation, the Requesting Party had controls and procedures that were implemented and reasonably designed to prevent or detect violations of this MOU; and, 7. Whether the Requesting Party voluntarily made restitution or otherwise remedied or mitigated the harm caused by the violation of this MOU. In lieu of paying liquidated damages to the Providing Agency upon assessment of such damages by the Providing Agency, the Requesting Party may elect to temporarily suspend this MOU, contingent upon the Requesting Party submitting a written statement that the Requesting Party will not obtain information from the Providing Agency through remote electronic means until such time as the liquidated damages assessed by the Providing Agency are paid by the Requesting Party in full. Such statement shall be signed by the Requesting Party's authorized representative and shalt be submitted to the Providing Agency in the manner prescribed in Section XII, for Notices not later than five days after receipt of notice by the Requesting Agency that liquidated damages have been assessed. The Requesting Party agrees that the Providing Agency may refuse to enter a subsequent or replacement MOIJ with the Requesting Agency to allow the Requesting Party to access information available pursuant to this MOU through remote electronic means until the Requesting Party has paid all outstanding liquidated damages in full, The Requesting Party agrees that this subsection A shall survive the termination of this MOtJ. B. Corrective Action Plan (CAP) Data Exchange MOU w/ Crash {rev. 2/21/24) Page 21 of 27 Docusign Envelope ID: DEDABB08-61DB-41F5-889C-11A010E9E46F 1 if the Providing Agency determines that the Requesting Party is out of compliance with any of the provisions of this MOU, including, without limitation thereto, submission of an Internal Control and Data Security Audit that does not meet the requirements set forth in Section VII.. and requires the Requesting Party to submit a CAP, the Providing Agency may require the Requesting Party to submit a Corrective Action Plan (CAP) within a specified timeframe. The CAP shall provide an opportunity for the Requesting Party to resolve deficiencies without the Providing Agency invoking more serious remedies, up to and including MOU termination. 2. In the event the Providing Agency identifies a violation of this kMOU, or other non- compliance with this MOU, the Providing Agency shall notify the Requesting Party of the occurrence in writing. The Providing Agency shall provide the Requesting Party with a timeframe for corrections to be made. 3 The Requesting Party shall respond by providing a CAP to the Providing agency within the timeframe specified by the Providing Agency. 4. The Requesting Party shall implement the CAP only after the Providing Agency's approval of the CAP. 5. The Providing Agency may require changes or a complete rewrite of the CAP and provide a specific deadline for submission of such changes or rewritten CAP. 6. If the Requesting Party does not meet the standards established in the CAP within the agreed upon timeframe, the Requesting Party shall be in violation of the provisions of this MOU and shall be subject to liquidated damages and other remedies including termination of the MOU. 7. Except where otherwise specified, liquidated damages of 525.00 per day may be imposed on the Requesting Party for each calendar day that the approved CAP is not implemented to the satisfaction of the Providing Agency. Data Exchange MOU w;! Crash rev 2/21/24) P.age 72 of 27 Docusign Envelope ID: DEDABB08-61DB-41F5-889C-11A010E9E46F IX. Aereernent Term This MOU Shall take effect upon the date of last signature by the Parties and Shall remain in effect for three (3) years from this date unless terminated or cancelled in accordance with Section XI , Termination and Suspension. Once executed. this MOU supersedes all previous agreements between the Parties regarding the same subject matter_ X. Arnendrr,ents tnis MOU incorporates all negotiations, interpretations, and understandings between the Parties regarding the same subject matter and serves as the full and final expression of their agreement. This MOU may be amended by written agreement executed by and between both Parties. Any change, alteration, deletion, or addition to the terms set forth in this MOU, including to any of its attachments, must be by written agreement executed by the Parties in the same manner as this MOU was initially executed. If there are any conflicts in the amendments to this MOU, the last, executed amendment shall prevail, All provisions not an conflict with the amendments} shall remain in effect and are to be performed as specified in this MOU. XI. Termination and Svpgnnion A. This MOU may be unilaterally terminated for cause by either party upon finding that the terms and conditions contained herein have been breached by the other party. Written notice of termination shall be provided to the breaching party; however, prior -written notice is not required, and notice may be provided upon cessation of work under the agreement by the non -breaching party. 8. In addition, this MOU Is subject to unilateral suspension or termination by the Providing Agency without notice to the Requesting Party for failure of the Requesting Party to comply with any of the requirements of this MOU, or with any applicable state or federal laws. rules, or regulations, including, but not limited to, DPPPA, sections 119.0712(2), 316,066, 324,242 or 501.171. Florida Statutes, or any laws designed to protect driver privacy C. This MOU may also be cancelled by either party, without penalty, upon thirty 130} business Data Exchange MOU w/ Crash rev 2/21/24) Page 23 of 27 Docusign Envelope ID: DEDABB08-61DB-41F5-889C-11A010E9E46F days advanced written notice to the other party. All obligations of either party under the MOU will remain in full force and effect during the thirty (301 business day notice period. D. This MOU may be terminated by the Providing Agency if the Requesting Party, or any of its majority owners, officers or control persons are found by a court of competent jurisdiction to have violated any provision of any state or federal laty governing the privacy and disclosure of Personal Information. This MOU may be terminated in the event any agreement/contract between the Requesting Party and any other state or State Agency is terminated due to non- compliance with DPPA or data breaches, or any state laws designed to protect driver privacy. The Requesting Party will have ten (10) days from any action described above to provide mitigating information to the Providing Agency If submitted timely, the Providing Agency will take the mitigation into account when determining whether termination of the MOU is warranted. XII. MIMI Any notices required to be provided under this MOU shall be sent via Certified U S. Mail and email to the following individuals: For the Providing Agency: Chief, Bureau of Records 2900 Apalachee Parkway Tallahassee, Florida 32399 Tel: (850) 617-2702 Fax: (850} 617.5168 E-mail:Datalistinitu nitPflhsmv_gov For the Requesting Party: Requesting Party's Business Point -of -Contact listed on the signature page XIII, Additional Database Access/Sub5eauent MOU's A. The Parties understand and acknowledge that this MOU entitles the Requesting Party to Data Exchange M01! w/ Crash irev 2/21/24) Page 24 of 27 Docusign Envelope ID: DEDABB08-61DB-41F5-889C-11A010E9E46F receive specific information included within the scope and subject to the requirements of this MOU. Should the Requesting Party wish to obtain access to other Personal Information not provided hereunder, the Requesting Party will be required to execute a subsequent MOU with the Providing Agency specific to the additional information requested all MOU's granting access to Personal Information will contain the same clauses as are contained herein regarding audits, report submission, and the submission of Certification statements. 8. The Providing Agency is mindful of the costs that would be incurred if the Requesting Party was required to undergo multiple audits and to submit separate certifications, audits, and reports for each executed MOU. Accordingly, should the Requesting Party enter any subsequent MOU's with the Providing Agency for access to Personal Information while the instant MOU remains in effect. the Requesting Party may submit a written request, subject to the Providing Agency's approval, to submit one of each of the following covering all executed MOU's: Certifications; Audit; or to have conducted one comprehensive audit addressing internal controls for all then,existrng and effective MOU's with the Providing Agency. The Providing Agency shall have the sole discretion to approve or deny such request in whole or in part or to subsequently rescind any previously approved request based upon the Requesting Party's compliance with this MOU and/or any negative audit findings XIv. publicttecords Reouirernenti A. The Parties to this MOU re -cognize and acknowledge that any agency having custody of records made or received in connection with the transaction of official business remains responsible for responding to public records requests for those records in accordance with applicable law (specifically, Chapter 119, Florida Statutes) and that public records that are exempt or confidential from public records disclosure requirements will not be disclosed except as authorized by law B. If the Requesting Party is a "contractor" as defined in section 119.0701f 10j, Florida Statutes, the Requesting Party agrees to comply with the following requirements of Florida's public records laws: Data Exchange MOU w/ Crash [rev 2J21/241 Page. ?5 of ?7 Docusign Envelope ID: DEDABB08-61DB-41F5-889C-11A010E9E46F 1. Keep and maintain public records required by the Providing Agency to perform the service. 2 Upon request from the Providing Agency's custodian of public records, provide the Providing Agency with a copy of the requested records or allow the records to be inspected or copied within a reasonable time at a cost that does not exceed the cost provided in inapter 119, Florida Statutes, or as otherwise provided Dy law. 3. Ensure that public records that are exempt or confidential and exempt from public records disclosure requirements are not disclosed except as authorized by law for the duration of the term of this MOU and following completion of the MOU if the Requesting Party does not transfer the records to the Providing Agency 4 Upon termination or expiration of the MOU, the Requesting Party agrees they shall cease disclosure or distribution of all data provided by the Providing Agency. In addition, the Requesting Party agrees that all data provided by the Providing Agency remains subject to the provisions contained in DPPA and sections 119.0712 and 501.171, Florida Statutes_ IF THE REQUESTING PARTY HAS QUESTIONS REGARDING THE APPLICATION OF CHAPTER 119, FLORIDA STATUTES, TO THE REQUESTING PARTY'S DUTY TO PROVIDE PUBLIC RECORDS RELATING TO THIS MOU, CONTACT THE CUSTODIAN OF PUBLIC RECORDS AT (850) 617-3101, OGCFiling@flhsmv.gov, OFFICE OF GENERAL COUNSEL, 2900 APALACHEE PARKWAY, and STE. A432, TALLAHASSEE, FL 32399- 0504. REMAINDER OF PAGE INTENTIONALLY LEFT BLANK Dal EIthanpe MQU w1 Cr.ith ►rev 2/21i 241 Pap,.:1!, of i i Docusign Envelope ID: DEDABB08-61DB-41F5-889C-11A010E9E46F IN WITNESS HEREOF, the Parties hereto, the date(s) indicated below. REQUESTING PARTY: City of Miami Police Department have executed this MOU by their duly authorized officials on Requesting Party Name 400 NM_ 2nd Ave. Street Address Suite Miami FL 33128 City State Zip Code BUSINESS POINT -OF -CONTACT: Alberto Fernandez Printed/Typed Name 1879@miami-police.org Official Requesting Party Email Address (305) 603-6155 / Phone Number / Fax Number PROVIDING AGENCY: Florida Department of Highway Safety and Motor Vehicles Providing Agency Name 2900 Apalachee Parkway Street Address Suite Tallahassee, Florida 32399 City State Zip Code Data Exchange MOU w/ Crash (rev. 2/21/24) BY: Signature of Authorized official Mai 'uel Mur pica Printed/Typed Name Chief of Police Title NOV f 2 2524 Date 41386@miami-police.org Official Requesting Party Email Address (305) 603-6100 Phone Number TECHNICAL POINT -Of -CONTACT: Alberto Fernandez Protect/Typed Name 1879@miami-police.org Official Requesting Party Email Address (305) 603-6155 / Phone Number / Fax Number BY: DocuSigned by: fW9,619Akithorized Official Elizabeth Miles Printed/Typed Name Chief, Bureau of Purchasing and Contracts Title January 8, 2025 Date Page 27 of 27 for Mark Hernandez Docusign Envelope ID. DEDABB08-61DB-41F5-889C-11A010E9E46F ATTACHMENT 1 FLORIDA DEPARTMENT OF HIGHWAY SAFETY AND MOTOR VEHICLES Request For Exempt Personal Information In A Motor Vehicle/Driver License Record The Drivers Privacy Protection Act, 18 United States Code sections 2721(("DPPA") makes personal information contained in motor vehicle or driver license records confidential and exempt from disclosure. Personal information in a motor vehicle or driver license record includes, but is not limited to, an individual's social security number, driver license or identification number, name, address and, medical or disability information. Personal information does not include information related to driving violations and driver status. Personal information from these records may only be released to Individuals or organizations that qualify under one of the exemptions provided in DPPA, which are listed on the back of this form. In lieu of completing this form, a request for information may be made in letter form (on company/agency letterhead, if appropriate) stating the type of information being requested, the DPPA exemption(s) under which the request is being made, a detailed description of the how the information will be used, and a statement that the information will not be used or redisclosed except as provided in DPPA. If the information i5 provided on letterhead it must include a statement that the information provided is true and correct, signed by the authorized official under penalty of perjury, and notarized. I am a representative of an organization requesting personal information for one or more records as described below. I declare that my organization is qualified to obtain personal information under exemption nurnber[s) 1 , as listed beginning on page 4 of this form. Pursuant to Section 316.066. F.S., Crash Report information is confidential and exempt. 60 days after the date a crash report is filed, Crash Report Information may be provided which includes personal information to entities who are eligible to receive it under Section 316.066 (2i, F.S., or in accordance with the Driver Privacy Protection Act. Crash Report information cannot be used for commercial solicitation of crash victims or knowingly disclosed to any third party for purposes of such solicitation Data Exchange MOU [rev. 2f21/2024) Attachment I Page 1 of 1 Docusign Envelope ID: DEDABB08-61DB-41F5-889C-11A010E9E46F i understand that I shall not use or redisclose this personal information except as provided in DPPA and that any use or redisclosure in violation of these statutes may subject me to criminal sanctions and civil liability. Complete the following for each DPPA exemption being claimed. For access to Crash Report Information, please provide justification of your organization's eligibility under Section 316.066, F.S. below (attach additional page, if necessary): DPPA Exemption Claimed: Description of How Requesting Party Description of how Data will be Qualifies for Exemption: used; 1 Law Enforcement Agency To verify the driver license status of all employees of the agency. Data Exchange MOU (rev. 2/21f20241 Attachment I Page 2 of 5 Docusign Envelope ID: DEDABB08-61DB-41F5-889G-11A01GE9E46F Obtaining personal information under false pretenses is a state and federal crime. Under penalties of perjury, I declare that I have read the foregoing Request For Exempt Personal Information in A Motor vehicle/Driver license Record and that the facts stated in it are true and correct. _,) Chief of Police Signature oTut iorized Official Title Manuel Morales Printed Nam, �r (t.a. ' Date STATE OF COUNTY OF irl) I A. Sworn to (or affirmed] and subscribed before me this r av ofJker,,a,, 20jby 6\fiu-t-_ A,AAPfate.' Personally Known {/ OR Produced Identification City of Miami Police Departmli Name of Agency/Entity Type of Identification Produced NORY PUBLIC (print name Data Exchange MOD (rev. 2/21/2024) Attachment I Aruba K eonnick COMM: Hlf 496797 bOirtS.:Jun. 24, 202$ .' purr c - Stzie M; ita NOTARY PUBLIC (sign name) My Commission Expires; Page 3 of 5 Docusign Envelope ID: DEDABB08-61DB-41F5-889C-11A010E9E46F Pursuant to section 119,0712(2), F. S., personal information in motor vehicle and driver license records can be released for the following purposes, as outlined in 18 United States Code, section 2721. Personal information referred to in subsection jai shall be disclosed for use in connection with matters of motor vehicle or driver safety and theft, motor vehicle emissions, motor vehicle product alterations, recalls, or advisories, performance monitoring of motor vehicles and dealers by motor vehicle manufacturers, and removal of non -owner records from the original owner records of motor vehicle manufacturers to carry out the purposes of titles 1 and IV of the Anti Car Theft Act of 1992, the Automobile Information Disclosure Act (15 U.S.C. 1231 et seq-), the Clean Air Act (42 U.S.C- 7401 et seq ], and chapters 301, 305, and 321-331 of title 49,and, subject to subsection Ia)(2). may be disclosed as follows. 1. For use by any government agency, including any court or law enforcement agency, in carrying out Its functions, or any private person or entity acting on behalf of a Federal, State, or local agency in carrying out its functions 2. For use in connection with matters of motor vehicle or driver safety and theft, motor vehicle emissions; motor vehicle product alterations, recalls, or advisories: performance monitoring of motor vehicles, motor vehicle parts and dealers; motor vehicle market research activities, Including survey research; and removal of non -owner records from the original owner records of motor vehicle manufacturers. 3. For use in the normal course of business by a legitimate business or its agents, employees, or contractors, but only - (a) to verify the accuracy of personal Information submitted by the individual to the business or its agents, employees, or contractors; and (bl if such information as so submitted is not correct or is no longer correct, to obtain the correct information, but only for the purposes of preventing fraud by, pursuing legal remedies against, or recovering on a debt or security Interest against, the Individual. 4 For use in connection with any civil, crimf ►al, administrative, or arbitral proceeding in any Federal, Data Exchange MOV Irev- 2/21/2024) Attachment I Page 4 of 5 Docusign Envelope ID. DEDABB08-61DB-41F5-889G-11A01GE9E46F State, or local court or agency or before any self -regulatory body, including the service of process, investigation in anticipation of litigation, and the execution or enforcement of judgments and orders, or pursuant to an order of a Federal, State, or local court. S. For use in research activities. and for use in producing statistical reports. so long as the personal information is not published, redisclosed, or used to contact individuals. 6. For use by any insurer or insurance support organization, or by a self -insured entity, or its agents, employees, or contractors, in connection with claims investigation activities, antifraud activities, rating or underwriting. 7, For use in providing notice to the owners of towed or impounded vehicles. 8, For use by any licensed private investigative agency or licensed security service for any purpose permitted under this subsection. 9, For use by an employer or its agent ar insurer to obtain ar verify information rtiat:ng to a holder of a commercial driver's license that is required under chapter 313 of title 49 10 For use in connection with the operation of private toll transportation facilities 11 For any other use in response to requests for individual motor vehicle records if the State has obtained the express consent of the person to whom such personal information pertains. 12. For bulk distribution for surveys, marketing or solicitations if the State has obtained the express consent of the person to whom such personal information pertains. 13_ For use by any requester, if the requester demonstrates it has obtained the written consent of the individual to whom the information pertains. 14. For any other use specifically authorized under the law of the State that holds the record, If such use is related to the operation of a motor vehicle or public safety. Data Fx(hange MOU (rev. 2121/2024i Attachment I Page 5 of 5 Docusign Envelope ID: DEDABB08-61DB-41F5-889C-11A010E9E46F DATA ACCESS SPECIFICATIONS - Attachment II Requesting Party: City of Miami Department Jobs and Processes Selected Statutory Fees (subiect to change Mode of Access Type of Data Requested by the Legislature) E DL Data {Driver License Information} t- $0.01/record, per s. 322.20, F S : No Charge E, MV Data (Motor Vehicle Information)L $0.01/record, per s. 320.05, F S. L No Charge Batch (FTP) DL Status (DSS600/605) (Dever ,,2 License Information 50.01, $O.S0/record, per s. 320.05, F.S.;$2,00/record not found, per s. 322.20, F.5 _r, No Char�Te Program/Job Name IP Address(es) Web Services Driver Transcript 1 �-+ 1 DL Transcript (3 Year) (old DTRO6OE ' $8-00; $2.00/record not found, per s. 322.20, F.S. D No Charge Web Service (Each service Driver C DL Transcript (7 Year or Complete) (old DTR060) $10.00; $2.00/record not found, per s 322.20, F,S No Charge accesses License Information) II Bulk Lookback (old DM5485} `"' $0,01/record or $2 00/record i not found, pers-No 322.20, F.S. __.. Charge , Public Access Web C DI. Status (Driver License I Information) T $D 50/ record, per s 320.05, F.5. f' No Charge Service C MV Record (Motor Vehicle Information) S0.50/ record, per s 3)0.05, €.S. Li No Charge E Insurance Record Information $0.50/ record, per s. 320,0S, F.S. i.• No Charge LParking Permit Record information 0 $0.50/ record, per s. 320.0S, F.S. J tdo Charge Data Exchange MOU (rev_ 2/21/2024] Attachment IC Page 1of2 Docusign Envelope ID. DEDABB08-61 DB-41 F5-889C-11A01 CE9E46F DATA ACCESS SPECIFICATIONS - Attachment II Mode of Access Type of Data Requested Statutory Fees )subject to change by the Legislature) Penny Vendor DL Web service DL update file of issuance/ purge records (old DF0292 ) (Driver License Information $0.01/record, per s. 322.20, F. S. 1 1 No Charge DI. Status Verification 1 ZDriver License Status Residency Verification Web E service $0.01, $0.50/record, per s. 320.05, F.S.; $2.00/record not found, per s. 322.20, F.S. El No Charge LINo Charge Other Web Services Na Charge Crash Report Information C No Charge Data Exchange MOU (rev. 2/21f20241 Attachment II Page 2 of 2 Docusign Envelope ID: DEDABB08-61DB-41F5-889C-11A010E9E46F FLKSMV rtO*I «•G AV %*flTY MAKI Moro% VtWK►is Din. Korner tut,.or d.rec to+ ]1[A & .itr hoc IIIwry ly*1 Jiw.v rite.fir17199(64nl warm f P ur i jpv Data Acccss Application Prior to e.xecutinit the Memorandum of Understanding (MOLl It for Driver license atrd'or Motor Vehicle Data Exchange. the Requesting Party is required to complete this application. Please use additional pages as necessary, 1, In the mart ten t l i years, has any agreement/contract between the Requesting Party a.nd,ror:uty other StatefState .Agency been terminated due to non-com liance with DPPA. data breaches_ or any state laws relating to the protection of driver privacy? Yes °Nagar If yes, please explain and supply certified copies of the pertinent documents: 2. In the last ten t 10) years. has any State State Agency declined to enter into an agreeme.nticuntrait With h the Requesting Party to provide DPPA protected data? YesQ` iO tf ties. please explain: 3. Is there any pending litigation against the Requesting Party alleging violations of DPPA or any state law relating to the protection of driver privacy? Yes°Nap If yes, please explain and provide a certified copy of the pertinent court documents: 4. In the last tent 10) years. hat there been any instance where the Requesting Party has been found guilty or liable by a court of competent jurisdiction for misuse of data under DPPA or unbar any state law relating to the protection of driver privacy? Yes° Noe If yes. please explain and provide certified copies of the pertinent dkicu befits: (4I!,:3)Page 1 of4 Ser, ce • Ontegrgy • Courtesy • Profess. rtoksm • Innovdrrion • EAte rfxr An Equal Oppcxtunity Employer Docusign Envelope ID DEDABB08-61DB-41F5-889C-11A010E9E46F 5, In the last ten (101 yeah. has there been any instance where an owner. officer, cx con irnt person I of the Requesting Par wtio owned a majority interest in. of acted as a control person of. an entity that w a.s found guilty or liable by a court of competent jurisdiction for misuse of data under DPPA or under any state law relating to the protection of driver privacy? YesONo0 If yes, please explain and provide certified copies of the pertinent documents: d to the Iasi ten 110► +ears, has there been any breach of security as defined by Section 501.171. Florida Statutes? Yes('Noe If yes. provide details of each breach and discuss all safeguards implemented as a result of the breach of security: flow you will ensure that all pctsonnel with access to the inforntalion exchanged under the temts of the MMOU are instructed of, and acknowledge their understanding of. the confidential nature of the information.' User will be required to complete and sign a user agreement which explains the regulations and terms. 8. Does your company or agency have y public facing website that allows an individual to purchase driver license/motor vehicle information? YesO ' + If yes. please provide the URL: In addition. please indicate whether your agency has the following minimum requirements listed below in plaice: A. Safeguards to ensure information obtained through the website is only disclosed to individuals authorized to receive it tt»tiet IS U.S.C. 42721(e). This includes internal controls to prevent or detect instances in which an impostor attempts topurchase a record other than their own and/or to verify that the requester meets a DPPA exemption.afesO NOON A Please describe safeguards 1U1 _3)Page 2ofa ' Control Person. for these purposes. means the power. directly or indirectly, to direct the management or p►vlicies of* ceenpaay. .nether through the ov►ncrship of securities. by contract, Of olhcrwise. Any person that 1 i) is a director. general partner, or otlicer exerri;ing executive responsibility (err has ing similar status or functions}: tii) directly or indirectly has the right to sole 251'4 or more of a class at a ~eating secunty Oe has tlx power to sell or direct the sak of 25%o r more aril class of vvwrg serurieics: or till/ in the .ase of a partnership, has the nglit to receive upon dissolution. or has contributed. 25'. or mire of the capital, is presumed to control that Dampen•. Docusign Envelope ID: DEDABB08-61DB-41F5-889C-11A01GE9E46F it I)o you intend to allow individuals to purchase their own transcript from your public facing website. utilizing DPPA excerption number 13? lies° NNAO c. If the answer to the previous question is yes. do you have a process in place to verify that the payment instrument used to authorize the purchase is in the same name as thc transcript being requested' Yes°! cO\'A0 Please explain the process D. Do you only provide information through the tiwebsitc for the expressed purposes as described in Attachment 1 of this MOU? Ycsel No()NAQ E. Does the websiite utilize Transport Layer Security version 1.2 or later for encryption of data in transit and in session state? Yes() NOON. AQ Please explain- 1-. Is the website periodically scanned by a qualified external vendor for system vulnerabilities? Yes0 NOON• AC (i If the answer to the previous question is yes. are identified vulnerabilities promptly rcmcdiated" PlcaSe explain. q. Do all systems that process driver license? motor vehicle information adhere to a formalized patch management process? YeseNo 0 Please expl a ar . Systems on the police network are patched using Microsoft System Center Configuration manager and Microsoft Intune with includes Antivirus and system updates. These patches are deployed on a monthly basis and the Microsoft patches are automatically downloaded Urgent updates are deployed as soon as they are identified. rlli �il l}11e 13 01 Docusign Envelope ID: DEDABB08-61DB-41F5-889C-11A010E9E46F In addition, the following docwtuents are required: a_ A copy of your business license. b. A copy of your State of Florida corporation licensure or certification. c- If providing services on behalf of a government entity. provide the supporting documentation to show or prove you are entitled to the DPPA exemption claimed. For example. a letter from each entity confirming the type of service being provided and/or an agreement with an entity authorizing you to conduct services. penalty of perjury, 1 affirm that the information provided in this document is true and correct. Signature of Authorized Official .emori kierr141 PrintedTF-ped Name Cheer or Ponce Title Date City or Mery Paige Deportment NAME OF AGENCY/ENTITY STATE OF if COUNTY OF St, �xn to too affirmed) d subsc 'bed before me this day of , "thitr+.-• r,,, b} I'ersona1Ni known 1.:Kf1R Produced ldcntification❑ Tape of identiticaqon Produced NOTARY PUBLIC (print name) NOTARY PUBLIC (sign Hamel Mt, Commission Expires:layia-Or,2,_ (01/23) Page 4 of 4 Anasrta K 8onrrcn Comm HN 4987137 f4Ikta: Jun 24, 2028 Mxary Pottle • Shoed fbl6j Docusign Envelope ID: DEDABB08-61DB-41F5-889G-11A01GE9E46F FLHSMV •L'*!DA 11111CMlu7 WV"' AND WOTO• WINKLES Davit ammo/ E4 Ct4 re Director 7409 4,90.xhr Parkway 1346."u.a.o.ffor4Ca3Z3P O$ erwv.r,Nun..goy c4FRTRIc-ATION sT.ATE ft•:N F ndcr penalty of perjury l h.wc read the requirements contained in the Memorandum of Understanding Florida Administrative Codce, Rule Chapter 6CKiC_i-_ (Formerly 74-2, FAC), and the Department of Highway wafeiy and Motor Vehicles External tnformat on Security Policy and declare that the follnxti ing is true: The Requesting Party, City of Miami Police Department hereby certifies that the Requw.sting Party has appropriate internal controls in place to cn_surc that the data is protected from unauthorized access, distribution, rise, modification, or disclosure This includes pohci es procedures in place for both personnel to follow and data security procedures policies to protcc personal data. The data security procedures policies liaise been approved by a Risk Management IT Stcurity Professional, STATE OF ri. ct Cot or �10,34.-r S vii to (or aflir led) and subsert cd before me this t aay of JJrr`'t •k- 2tl)-Y, by aA Y-& /o-{Qj Personally Known IS -/OR Produced Identification ❑ Type of Identification Produced FL 1/- TARY Pt.'BLIC (print name) Signature v-t ( /Ld4r.LIc. 5 Panted Name Ctvet of Ptbee Title Date NAME OF AGENCY lRev_ 01(23) NOTARY PUBLIC (sign ni My Commission Expires: *ON &Bonnie* Oorn n.; HH 4E48797 Jun. 24.2028 Alan - surd y Ronan • Service • Integrity • Courtesy • Prodessiosnariam • lnaoranon • Excellence. • M Equal Opportunity Employer Docusign Envelope ID: DEDABB08-61DB-41F5-889G-11A01GE9E46F Florida Department of Highway Safety and Motor Vehicles Data Exchange Memorandum of Understanding CITY OF MIIAMI, a Florida Municipal Corporation r % Date: Arthur Nance V. City Manager Attest: Approved as to Form and Correctness: By: George . Wyng, I Attorney Approved 95 to Insurance Requirements: Date: By: Date: Ann -Marie Sharpe, Director of Risk Management