(1) If a public agency is requesting from another public agency category 3 or higher data, as defined in policy established in accordance with RCW 43.105.054, the requesting agency shall provide for a written agreement between the agencies that conforms to the policies of the office of cybersecurity.

(2) Nothing in this section shall be construed as limiting audit authorities under chapter 43.09 RCW.