(1) The chief information officer, working with the advisory board, shall oversee the implementation of the interdepartmental data protocol, which at a minimum shall include protocols and procedures to be used by state agencies in data processing, including but not limited to collecting, storing, manipulating, sharing, retrieving, and releasing data. In implementing the interdepartmental data protocol, the chief information officer and the advisory board shall monitor compliance with the timelines by which the state agencies shall implement the interdepartmental data protocol.
(2) The interdepartmental data protocol shall be designed to enable each state agency to accurately and efficiently collect and share data with the other state agencies. At a minimum, the interdepartmental data protocol shall be designed to ensure that data collected by different state agencies can be matched and discrepancies in the data processing reconciled to accurately identify data pertaining to the same record without allowing any permanent sharing of personal identifying information among state agencies without express authorization from the executive directors of the originating and receiving state agencies.
(3) The protocols and procedures included in the interdepartmental data protocol by which state agencies may share data and by which a state agency may release data to a political subdivision or to a nongovernmental entity or an individual shall, at a minimum:
(a) Establish the circumstances under which and the reasons for which a state agency may share information with another state agency, with a political subdivision, or with a nongovernmental entity or an individual;
(b) Establish the format in which a state agency may release data to a political subdivision, a nongovernmental entity, or an individual;
(c) Ensure compliance with all state and federal laws and regulations concerning the privacy of information, including but not limited to the federal "Family Educational Rights and Privacy Act of 1974", 20 U.S.C. sec. 1232g, and the federal "Health Insurance Portability and Accountability Act of 1996", 42 U.S.C. sec. 1320d to 1320d-9; and
(d) Ensure that a state agency does not permanently share personal identifying information with another state agency without express authorization from the executive directors of the originating and receiving state agencies or with a political subdivision, a nongovernmental entity, or an individual, other than the individual who is the subject of the information.
(4) Notwithstanding any provision of this section to the contrary, the interdepartmental data protocol shall not nullify any memoranda of understanding existing as of January 1, 2008, nor prohibit the creation of memoranda of understanding after said date, between or among state agencies concerning data sharing or any other data sharing practices.
(5) Notwithstanding any provision of this section to the contrary, the interdepartmental data protocol shall not prohibit the release to or sharing of data with nongovernmental entities or individuals if the release or sharing is otherwise required, permitted, or allowed by the provisions of part 2 of article 72 of this title or other state or federal law, or if the release or sharing occurs pursuant to contract or other agreement with a state agency.