ORDINANCE NO. 14,585
AN ORDINANCE OF THE CITY COUNCIL OF THE CITY OF BAYTOWN, TEXAS,
REPEALING ORDINANCE NO. 14,503, PASSED ON SEPTEMBER 10, 2020, WHICH
AUTHORIZED AN INFORMATION SHARING ACCESS AGREEMENT WITH
THE U.S. DEPARTMENT OF HOMELAND SECURITY/FEDERAL EMERGENCY
MANAGEMENT AGENCY, FEDERAL INSURANCE AND MITIGATION
ADMINISTRATION; AUTHORIZING AND DIRECTING THE CITY MANAGER TO
EXECUTE AND THE CITY CLERK TO ATTEST TO AN INFORMATION SHARING
ACCESS AGREEMENT WITH THE U.S. DEPARTMENT OF HOMELAND
SECURITY/FEDERAL EMERGENCY MANAGEMENT AGENCY, FEDERAL
INSURANCE AND MITIGATION ADMINISTRATION; AND PROVIDING FOR THE
EFFECTIVE DATE THEREOF.
*************************************************************************************
BE IT ORDAINED BY THE CITY COUNCIL OF THE CITY OF BAYTOWN, TEXAS:
Section 1: That the City Council of the City of Baytown, Texas, hereby repeals Ordinance
No. 14,503, passed on September 10, 2020, which authorized an Information Sharing Access Agreement
with the U.S. Department of Homeland Security/Federal Emergency Management Agency, Federal
Insurance and Mitigation Administration.
Section 2: That the City Council of the City of Baytown, Texas, hereby authorizes and directs
the City Manager and City Clerk of the City of Baytown to execute and attest to an Information Sharing
Access Agreement with the U.S. Department of Homeland Security/Federal Emergency Management
Agency, Federal Insurance and Mitigation Administration. A copy of said agreement is attached hereto,
marked Exhibit "A" and incorporated herein for all intents and purposes.
Section 3: This ordinance shall take effect immediately from and after its passage by the City
Council of the City of Baytown.
INTRODUCED, READ, and PASSED by the affirmative vote of the City Council of the City of
Baytown, this the 17th day of November, 2020.
BRANDON CAPETILLO, Mayor
APPROVED AS TO FORM:
KAREN L. HORNER, City Attorney
Exhibit "A"
Agreement No./Title:
DEPARTMENT OF HOMELAND SECURITY
Federal Emergency Management Agency
INFORMATION SHARING ACCESS AGREEMENT (ISAA)
BETWEEN
THE DEPARTMENT OF HOMELAND SECURITY/FEDERAL EMERGENCY MANAGEMENT
AGENCY (DHS/FEMA)
AND
The City of Baytown Texas
1. INTRODUCTION. The U.S. Department of Homeland Security/Federal Emergency Management Agency (DHS/FEMA)
and The City of Baytown (Baytown)
(hereinafter referred to as "Recipient Entity"), hereinafter collectively referred to as the "Parties," voluntarily enter into
this Information Sharing Access Agreement (ISAA) (alternatively "Agreement") to govern the collection, use,
access, disclosure, security, and retention of the Personally Identifiable Information (PII) dataset(s) described
herein.
2. PURPOSE AND BACKGROUND. The purpose of this Agreement is to document the safeguarding requirements
for PII dataset(s) shared by FEMA with Recipient Entity to facilitate floodplain management, CRS
and hazard mitigation activities in Baytown and service areas.
a. Recipient Entity is a(n): A local community that participates in the NFIP.
Recipient Entity requires access to PII dataset(s) concerning NFIP policy, claim and repetitive
loss and severe repetitive loss, as documented in Appendix A, to: NFIP data will be used for floodplain management, CRS
and hazard mitigation activity, assisting to make SD determinations and buyouts.
E.g. "NFIP Pivot is used to account for flood insurance policies and claims under the National Flood Insurance Program."
FEMA Form 109-2-1-1 (8/20) Page 1 of 9
3. AUTHORITIES. [Must be verified by program legal counsel]
a. ❑ Robert T. Stafford Disaster Relief and Emergency Assistance Act, as amended, Pub. L. No. 93-288 (1974),
(codified at 42 U.S.C. §§ 5121-5207) (Stafford Act)
☒ National Flood Insurance Act of 1968, Pub. L. No. 90-448, Title XIII (1968) (42 U.S.C. 4001 et seq.) (NFIA)
❑
b. Privacy Act of 1974, as amended, 5 U.S.C. § 552a (Privacy Act);
c. ❑ DHS/FEMA 008 - Disaster Recovery Assistance Files System of Records (DRA), 78 Fed. Reg. 25,282 (Apr.
30, 2013) (DRA SORN)
☒ DHS/FEMA 003 - NFIP Files System of Records, 79 FR 28747 (May 19, 2014) (NFIP Files SORN)
❑
i. Routine use
d. The E-Government Act of 2002, Public Law 107-347, §208;
4. DEFINITIONS.
a. BREACH (synonymous with "PRIVACY INCIDENT"): The loss of control, compromise, unauthorized
disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized
user accesses or potentially accesses personally identifiable information or (2) an authorized user accesses
personally identifiable information for an other than authorized purpose.
b. INCIDENT (synonymous with IT SECURITY INCIDENT): An occurrence that (1) actually or imminently
jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an
information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security
procedures, or acceptable use policies.
c. PERSONALLY IDENTIFIABLE INFORMATION: means information that can be used to distinguish or trace an
individual's identity, either alone or when combined with other information that is linked or linkable to a specific
individual.
5. RECIPIENT RESPONSIBILITIES. The Recipient Entity's responsibilities under this ISAA are as follows:
a. Maintain appropriate administrative, technical, and physical safeguards to ensure the security and
confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity
which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom
information is maintained;
b. Maintain the PII dataset(s) provided by FEMA to the Recipient Entity separately or in a manner in which it is
easily segregable from the entity's other information;
i. This does not refer to individual PII data elements which the Recipient Entity independently collects,
verifies, documents, or incorporates in its records and/or systems separately from FEMA PII datasets for
programs or services not addressed in this Agreement;
2 See Handbook for Safeguarding Sensitive PII, Privacy Policy Directive 047-01-007, Revision 3, December 4, 2017.
c. Submit a written request to FEMA for any information request pursuant to this ISAA;
d. Each time PII is requested under this ISAA, indicate the specific purpose and use of the PII and the specific
routine use under which the PII is being requested;
e. Use the PII provided pursuant to this ISAA only for the purpose(s) identified in this ISAA and consistent with the
applicable Routine Use(s);
f. Restrict access to PII datasets provided by FEMA under this ISAA to authorized personnel and to entities
under contract by the requestor (direct contractors) performing functions consistent with the purpose of this
ISAA on behalf of Recipient Entity;
g. Retain the original dataset for only so long as necessary for the purposes of this agreement, but in any case,
no longer than 1
h. Instruct all individuals with access to PII provided pursuant to this ISAA regarding the confidential nature of the
information, the safeguard requirements of this Agreement, and the applicable criminal penalties and civil
remedies specified in federal and state laws against unauthorized disclosure of the PII covered by this
Agreement;
i. In a timely manner, take appropriate action with regard to any request made by FEMA for access, additions,
changes, deletions, or corrections of PII and in a timely manner, notify FEMA of any data errors that it
discovers;
j. The Recipient Entity shall ensure no Matching Program, as that term is defined in 5 U.S.C. § 552a(a)(8), will
occur using the PII datasets shared under this agreement unless a separate Computer Matching Agreement is
in place.
k. If at any time during the term of this ISAA any part of the PII dataset provided under this Agreement ceases to
be required by Recipient Entity for purpose(s) identified in this ISAA, or upon termination of the ISAA,
whichever occurs first, within fourteen (14) days thereafter, promptly notify FEMA and securely return the PII to
FEMA, or, at FEMA's written request, destroy, un-install and/or remove all copies of such PII in the Recipient
Entity's possession or control, and certify in writing to FEMA that such tasks have been completed.
6. FEMA RESPONSIBILITIES. FEMA's responsibilities under this ISAA are as follows:
a. Share with Recipient Entity only the PII dataset(s) documented in Appendix A to this ISAA;
b. Transmit or allow access to the information documented in Appendix A to the Recipient Entity in password
protected format via encrypted email or via a FEMA-OCIO approved secure information technology (IT) portal,
interface, or transfer tool;
c. Ensure that FEMA information provided to Recipient Entity is accurate, complete, and up-to-date as reasonably
necessary;
d. Keep a record of the date, nature, and purpose of each disclosure of PII to Recipient Entity under this ISAA, to
include the written request for information.
e. FEMA shall not take any adverse action or limit any of its Federal benefits as a result of this sharing of
information.
7. THIRD PARTY ACCESS
a. Ownership of PII Dataset(s). Notwithstanding any other provision of this Agreement, the PII dataset(s)
obtained by Recipient Entity from FEMA shall remain under the control of FEMA, and Recipient Entity will not
further disclose PII dataset(s) provided by FEMA to outside third parties without express consent from FEMA
or the individuals to whom the PII pertains.
i. This does not refer to individual PII data elements which the Recipient Entity independently collects,
verifies, documents, or incorporates in its records and/or systems for programs or services not addressed
in this Agreement.
b. Open Access/Freedom of Information Requests. The Recipient Entity shall withhold PII provided by FEMA
under this agreement from any open records or Freedom of Information Act (FOIA) response to the extent
allowed by law. The Recipient Entity shall provide notice of any request for and/or disclosure of PII provided by
FEMA under this agreement in response to open records or FOIA requests.
c. ☒ At this time, Recipient Entity has not indicated an intent to share FEMA PII with third-party contractors. If
Recipient Entity utilizes a contractor in connection with its performance of its obligations under the ISAA and
Recipient Entity intends to provide such contractor with access to FEMA PII, Recipient Entity shall not share
data until notice of the identity of such contractor and the extent of the role that such contractor will play in
connection with the purpose of this ISAA has been provided to and approved by FEMA.
d. All contractors granted access by FEMA to any FEMA PII must agree in writing with Recipient Entity to: (a)
abide by the terms and conditions in this ISAA, including without limitation, provisions relating to compliance
with the protection of FEMA PII and Notice of Privacy Incident; (b) restrict use of FEMA survivor/registrant PII
only to the performance of services to Recipient Entity in connection with Recipient Entity's performance of its
obligations under this ISAA, and (c) certify in writing, upon completion of the performance of services by a
contractor, that the contractor has immediately un-installed, removed, and/or destroyed all copies of FEMA
survivor/registrant PII within 30 days of the contractor's performance of services to Recipient Entity.
8. PRIVACY INCIDENT PROCEDURES
a. Notice of Privacy Incident. If the Recipient Entity, or its contractors, suspect, discover or are notified of a
suspected or confirmed Privacy Incident relating to FEMA PII, the Recipient Entity shall immediately, but in no
event later than twenty-four (24) hours from suspicion, discovery or notification of the suspected or confirmed
Privacy Incident, notify the FEMA Privacy Officer at (202) 212-5100 or FEMA-Privacy@fema.dhs.gov.
b. Privacy Incident Handling. In the event of a Privacy Incident emanating from this ISAA, FEMA will
investigate the Privacy Incident pursuant to DHS standard procedures and will consult Recipient Entity to
diagnose, mitigate and manage the Incident. The Recipient Entity will be responsible for carrying out all
necessary measures to remedy the effects of the Privacy Incident.
c. ☒ [Select this clause if Entity is a State/Local/Territorial/Tribal Government Agency]
Remediation. In the event of a Privacy Incident and/or IT Security Incident emanating from this ISAA,
FEMA will investigate the Privacy Incident and/or IT Security Incident pursuant to DHS standard procedures
and will consult with Recipient Entity in order to diagnose, mitigate, and manage the Privacy Incident and/or
IT Security Incident. The Recipient Entity will be responsible for carrying out all reasonable and necessary
measures to remedy the effects of a Privacy Incident/Breach, when its actions are responsible for the
Privacy Incident/Breach, which may include:
i. Notification to the affected individuals, the public, media, and/or other government entities;
ii. Removing information from an Internet or Intranet page;
iii. Training and awareness for staff on best practices to Safeguard PII;
iv. Disciplinary or corrective action, including counseling for employees.
NOTE: any personnel subject to corrective or disciplinary action arising out of a privacy incident
must not be identified or identifiable in the Privacy Incident reporting;
v. Revisions to policies and procedures to minimize or eliminate the use of PII when possible; and/or
vi. Any other remediation effort(s) as agreed upon by the Parties.
d. Penalties. If the Recipient Entity or one of its employee/agents willfully discloses any PII to a third party not
authorized to receive it, FEMA will revoke the Recipient Entity's access to FEMA PII.
9. GENERAL TERMS.
a. Entire Agreement. This ISAA constitutes the entire Agreement between the Parties with regard to information
sharing. However, if this ISAA is used to supplement a contract between the Parties, to the extent there is any
conflict between a term of this ISAA and a term in other acquisition documentation, the term of the underlying
acquisition, including the Homeland Security Acquisition Regulations (HSAR) Safeguarding of Sensitive
Information (MAR 2015) and Information Technology Security and Privacy Training (MAR 2015) clauses will
supersede.
b. Effective Date, Duration, and Termination. This ISAA will become effective upon the signature of both
Parties and will remain in effect for 1
or the lifetime of the acquisition period, whichever is shorter. However, FEMA will only provide the information
identified in Appendix A for the disaster period of assistance or, if applicable, for the period of time specified in
the Routine Use, whichever is longer. Either party may terminate this Agreement upon written notice to the
other party.
c. Modification. This ISAA may be modified upon the mutual written consent of the Parties.
d. Counterparts. This ISAA, when executed in any number of counterparts and by different Parties on
separate counterparts, each of which counterparts when so executed and delivered shall be deemed to be an
original, and all of which counterparts taken together shall constitute but one and the same Agreement.
e. Severability. Nothing in this ISAA is intended to conflict with current law, regulation or FEMA directives. If a
term of this ISAA is inconsistent with such authority, then that term shall be invalid, but the remaining terms and
conditions of this ISAA shall remain in full force and effect.
f. No Private Right. This ISAA is an internal Agreement between FEMA and the Recipient Entity. It does not
create nor confer any right or benefit that is substantive or procedural, enforceable by any third party against
the Parties, the United States, or other officers, employees, agents, or associated personnel thereof. Nothing in
this ISAA is intended to restrict the authority of either party to act as provided by law, statute, or regulation, or
to restrict any party from administering or enforcing any laws within its authority or jurisdiction. Accordingly, the
terms of this Agreement do not constitute or imply the grant, by the United States of America, of any other
consent, accord, satisfaction, advice, or waiver of its rights, power or authority.
g. Funding. This ISAA is not an obligation or commitment of funds, nor a basis for transfer of funds. Each
party shall bear its own costs in relation to this ISAA. Expenditures by each party will be subject to its
budgetary processes and to availability of funds pursuant to applicable laws, regulations, and policies. The
Parties expressly acknowledge that this in no way implies that Congress will appropriate funds for such
expenditures.
h. Issue Resolution. FEMA and Recipient Entity understand that during the course of this ISAA, they may have
to resolve issues such as: scope, interpretation of provisions, unanticipated technical matters, and other
proposed modifications. Both Parties agree to appoint their respective points of contact to work in good faith
towards resolution of such issues. [See Appendix B for points of contacts.]
i. Auditing/Reporting: The Parties will coordinate to prepare a report/audit summarizing Recipient Entity and
its contractor's (if applicable) compliance with the privacy, redress, and security requirements set forth in this
Agreement, to include accounting for all disclosures of FEMA PII. FEMA shall be provided copies of Recipient
Entity self-audits. As part of this responsibility, the Recipient Entity further agrees to conduct its own annual
audits of compliance with the terms of this Agreement, and to provide the results of these audits to
John Bowman FEMA Region 6
APPROVED BY:
DEPARTMENT OF HOMELAND SECURITY / FEDERAL EMERGENCY MANAGEMENT AGENCY
FEMA Signatory Date
Jeffrey M. Jackson
Name
Deputy Assistant Administrator
Title
Federal Insurance
Program Name
FEMA
THE RECIPIENT ENTITY:
Recipient Signatory Date
Richard L. Davis
Name
City Manager
Title
The City of Baytown Texas
Full Entity Name
Appendix A — DHS/FEMA-003 National Flood Insurance Program Files, May 19, 2014, 79 FR 28747, Routine use N, O, R, T.
The following lists the specific data elements in the FEMA PII dataset(s) that will be shared by FEMA with the Baytown.
The Baytown will only receive the PII data that is necessary to meet the routine use:
• Policyholder Name (Routine Uses I and N only)
• Property Address
• Date of Loss
• Building Characteristics
• Coverages (building, contents)
• Premium and fees
• Claims amount paid (building, contents, ICC)
• Non-PII data elements as necessary, requested, and available
Appendix B — Administrative points of contacts for this agreement (Limit of five)
a. The FEMA point of contact is as follows:
Name: John Bowman
Title: Floodplain Management and Insurance Specialist
Phone: +1 (940) 898-5556
Email Address: JohnE.Bowman@fema.dhs.gov
b. The Recipient Entity point of contact is as follows:
Name: Frank O. Simoneaux, Jr., P.E
Title: Dir of Public Works & Engineering / Floodplain Mgr
Phone: +1 (281) 420-5312
Email Address: frank.simoneaux@baytown.org
c. The Recipient Entity point of contact is as follows:
Name: Matthew Johnson, P.E.
Title: Interim City Engineer
Phone: +1 (281) 420-7119
Email Address: matthew.Johnson@baytown.o
d. The Recipient Entity point of contact is as follows:
Name: Juan Macias, P.E., CFM
Title: Engineer
Phone: +1 (281) 420-3869
Email Address: juan.macias@baytown.org
e. The Recipient Entity point of contact is as follows:
Name:
Title:
Phone:
Email Address:
f. The Recipient Entity point of contact is as follows:
Name:
Title:
Phone:
Email Address: