§ 7–231.04. Security of vital statistics system.
To ensure the security of the vital statistics system, the Registrar shall:
(1) Take measures to deter the fraudulent use of vital records;
(2) Administer and maintain the security of personnel, physical environments, electronic systems, and preservation methods;
(3) Perform data assurance and record matching activities to protect the confidentiality and security of vital records and prevent their fraudulent use;
(4) Apply the responsibilities of this section to any authorized partner with access to the vital statistics system;
(5) Authenticate each user of the vital statistics system or its components, and verify that the user requires access based on the user's official duties;
(6) Authorize an authenticated user of the vital statistics system to access specific components of the vital statistics systems necessary for the user's official roles and duties;
(7) Establish separation of duties between staff roles that may be susceptible to fraud or misuse and routinely perform audits of staff work to identify fraud or misuse within the vital statistics system;
(8) Require each authenticated and authorized user to maintain a specified level of training related to security and provide a written acknowledgment of security policies, procedures, and penalties;
(9) Validate data provided in reports submitted for registration through site visits or with independent sources outside the registration system at a frequency specified by the Registrar to maximize the integrity of collected data;
(10) Require each authenticated user to protect personally identifiable information and adhere to protocols that provide for audits of use and protocols for breach identification and notification;
(11) Receive reports of death if the decedent was born in the District, or from the U.S. Department of Defense or the U.S. Department of State if the decedent was a United States citizen, a resident of the District, and the death occurred outside the United States;
(12) Provide secure workplace, storage, and technology environments with limited role-based access; and
(13) Administer and maintain overt, covert, and forensic security measures for certifications, verifications, and automated systems that are part of the vital statistics system.