This article describes the need and use of the University's Standards for Safeguarding Information when University data is accessed by third-parties. This can take the form of a rider, often Rider C, or a stand-alone Safeguarding Data Agreement.
Detailed Information
Background/Policy
According to University of Maine Information Security Policy, University information must be protected appropriately by UMS faculty, staff, employees, contractors, consultants, business partners and anyone who accesses or possesses UMS information assets. Prior to allowing confidential and restricted data as defined by the Data Classification APL (APL VI-I) to be accessed, stored, or transmitted, by contractors, consultants, business partners or other outside entities, those entities must agree to appropriately safeguard data.
Agreements
For most cases the University's Safeguarding Data Agreement will be used. As part of en existing contract this often appears as Rider C. If there is no separate contract such as instances where a service such as cloud-based software is purchase through with merely an invoice, or if the University doesn't pay directly for the software , then the stand-alone Safeguarding Data Agreement should be used.
Requirements
A Safeguarding Data Agreement (SDA) is needed when a third-party uses or has the ability to access any Confidential or Restricted Information.
- This includes Student Information which is protected under FERPA, Financial Aid Information protected under GLBA, as well as other regulatory compliance programs.
- An SDA is also needed when students are required to log on to a system (except when completely anonymous, their identity may be shared which would necessitate protection under FERPA for students who may select to have their information suppressed.
- If HIPAA protected health information is involved, a business associate agreement may be used along with an SDA or instead of an SDA depending on the situation.
Agreement to safeguarding data does is only one stage of the security review. Other vetting of contractor controls is needed for restricted data or systems where large volumes of data is accessed, stored or transmitted.
Format
A word document is used because some contractors may choose to red-line the document. Changes will be reviewed by the Information Security Office with consultation from the Office of General Counsel when needed. Contractors may offer to provide their own safeguarding agreement. This option is used as a last resort as that requires cross-referencing required clauses.
Environment
This applies to outside entities accessing University data such as contractors, consultants, or business partners.