Requirements for Supplier Access to Sensitive Data (P3-P4)

In some cases, a third party, such as a supplier, may need to access sensitive data (P3-P4) to fulfill their role for the university. It is important for Unit Heads and Unit Information Security Leads to select a supplier who can meet UCSC’s security requirements, include appropriate provisions in the supplier contract, and ensure completion of all necessary documents.

Ensure a Supplier Meets UCSC Requirements

Before selecting a supplier, understand how potential suppliers will meet compliance requirements and protect UCSC.

Include Appropriate Contract Provisions

Once a supplier has been selected, include provisions in the supplier contract that ensure security, compliance, and privacy, such as:

  • Appropriate agreements and appendices that protect UCSC.
  • Appendix DS, when the supplier will access UCSC Institutional Information and/or IT Resources.
  • Other types of agreements that pertain to specific data types, such as a Business Associate Agreement (BAA) or a General Data Protection Regulation (GDPR) appendix.

Unit Head and Unit Information Security Lead (UISL) Responsibilities

Unit Heads and Unit Information Security Leads (UISL) have important and distinct responsibilities to ensure that supplier contracts meet UCSC requirements.

Unit Heads must:

  • Identify and inventory Institutional Information and IT Resources managed by the unit.
  • Ensure that supplier agreements incorporate Appendix DS and other relevant contract documents to protect UC data and resources.
  • Manage supplier contracts to confirm security requirements are met and review/update agreements based on changes in services or data/resource classification.

Unit Information Security Leads (UISL) must:

  • Engage with the supplier in advance of the contract process to fully understand the goods/services to be provided.
  • Facilitate completion of required materials (such as Appendix DS), coordination with Campus Subject Matter Experts, and the supplier agreement.
  • Coordinate efforts to ensure the supplier is secure and compliant.

Appendix Data Security (Appendix DS)

Appendix Data Security (DS) must be included as part of the contractual terms and conditions when a non-UCSC party will access, collect, process or maintain UCSC Institutional Information and/or access IT Resources. It is important that the supplier understands Appendix DS security requirements and their obligations under it. Appendix DS aligns with the UC IS-3 Electronic Information Security Policy and requires the supplier to comply with all regulatory requirements that apply to the Institutional Information or IT Resources the supplier will access.

In most cases, the supplier should also read UCSC's Acceptable Use Policy and read and sign the Access to Information Statement prior to being granted access to UCSC information, systems, or applications.

Keep in mind that supplier security and compliance should be reassessed when:

  • There are major changes at the supplier.
  • The classification of the Institutional Information or IT Resources involved changes.

General Data Protection Regulation (GDPR)

If a supplier contract is subject to the European Economic Area (EEA) General Data Protection Regulation (GDPR), the contract must include a GDPR Appendix. Contact the UCSC Real Estate & Contract Services office at businesscontracts@ucsc.edu to ensure that the contract includes this agreement.

Health Insurance Portability and Accountability Act (HIPAA)

If a supplier contract will provide a non-UCSC party with access to electronic protected health information (ePHI) protected by federal HIPAA legislation, or access to UCSC systems or applications that contain this information, the contract must include a HIPAA Business Associate Agreement (BAA). Contact the UCSC Real Estate & Contract Services office at businesscontracts@ucsc.edu to ensure that the contract includes this agreement.

Credit Card Data (PCI)

If you are planning a contract that will provide a non-UCSC party with access to credit card data, or access to UCSC systems or applications that store, process, or transmit this information, the contract must include special PCI terms and conditions. Contact the UCSC Real Estate & Contract Services office at businesscontracts@ucsc.edu to ensure that the contract includes this attachment.

Get Help

If you have any questions regarding the information contained on this page, please contact the Information Security Policy and Compliance Manager at ispolicy@ucsc.edu.

ITS Staff: See KB0018044 (login required) for additional requirements for third parties (contractors, consultants, etc.) in staff-like roles.