Contract Language for Third Party Access to Sensitive Data
Data security contract language (Appendix DS):
If you are planning a contract that will provide a non-UCSC third party with sensitive information, or access to UCSC systems or applications that contain sensitive information, it is strongly recommended that you ensure the vendor has read and understands Appendix DS, which is part of their contractual terms and conditions.
By accepting a service contract with UCSC, the vendor has already received and is bound to the provisions contained in Appendix DS. This does not ensure, however, that they have read and understood this document and their obligations under it. One way to ensure this is to provide the vendor with a copy of Appendix DS before they begin work, and require them to read and sign it. This is an important educational step that can help ensure that sensitive UCSC information is protected appropriately.
In most cases, the vendor should also read UCSC's Acceptable Use Policy and read and sign the Access to Information Statement prior to being granted access to UCSC information, systems or applications.
Special note about HIPAA:
If you are planning a contract that will provide a non-UCSC party with access to electronic protected health information (ePHI) protected by federal HIPAA legislation, or access to UCSC systems or applications that contain this information, the contract must include a HIPAA Business Associate Agreement (BAA). Work with the UCSC Business Contracts Office to ensure that the contract includes this agreement.
Special note about credit card data (PCI):
If you are planning a contract that will provide a non-UCSC party with access to credit card data, or access to UCSC systems or applications that store, process or transmit this information, the contract must include special PCI terms and conditions. Work with the UCSC Business Contracts Office to ensure that the contract includes this attachment.
If you have any questions regarding the information contained on this page, please contact the ITS Service Manager for Policy and Compliance at 9-2779 or firstname.lastname@example.org.
ITS Staff: See KB0018044 (login required) for additional requirements for third parties (contractors, consultants, etc.) in staff-like roles.