(1) The authority provides data only after the data recipient, as defined by this chapter, has signed a nondisclosure agreement. The authority may prohibit access to or use of the data by a data recipient who violates the nondisclosure agreement.

(2) Data recipients must keep data confidential by:

(a) Accessing, using, and disclosing information only in accordance with this section and consistent with applicable statutes, regulations, and policies;

(b) Having a public policy purpose to access and use the confidential information according to chapter 43.71C RCW;

(c) Protecting all confidential information against unauthorized use, access, disclosure, or loss by employing reasonable security measures, including physically securing any computers, documents, or other media containing confidential information and viewing confidential information only on secure workstations in nonpublic areas;

(d) Destroying all confidential information when it is no longer needed to perform authorized activities; and

(e) Adhering to the confidentiality requirements in this section after the data recipient is no longer an authorized data recipient under RCW 43.71C.100.

(3) Data recipients must not:

(a) Disclose any confidential information, as defined by WAC 182-51-0100, or otherwise publicly release the confidential information;

(b) Use or disclose any confidential information for any commercial or personal purpose, or any other purpose that is not authorized in chapter 43.17C RCW;

(c) Attempt to identify people who are the subject of the confidential information;

(d) Discuss confidential information in public spaces in a manner in which unauthorized individuals could overhear;

(e) Discuss confidential information with unauthorized individuals, including spouses, domestic partners, family members, or friends;

(f) Have any conflicts of interests under the ethics in public service act that would prevent the data recipient from accessing or using confidential information; and

(g) Share information received according to this chapter with any person who is not authorized to receive confidential information as specified by this chapter.