UC Santa Cruz Information Technology Services

Third Party Access to Sensitive Data

Appendix DS

 

If you are planning a contract that will provide a third party (e.g. contractors and consultants) with sensitive information, or access to UCSC systems or applications that contain sensitive information, it is strongly recommended that you ensure the vendor has read Appendix DS (Data Security) of their contractual terms and conditions.

By accepting a service contract with UCSC, the vendor has already received and is bound by the provisions contained in Appendix DS. This does not ensure, however, that they have read and understood this document and their obligations under it. One way to make sure they have is to provide the vendor with a copy of Appendix DS before they begin work, and require them to read and sign it. This is an important educational step that can help ensure that sensitive UCSC information is protected appropriately.

Special note about HIPAA:
If you are planning a contract that will provide a non-UCSC party with access to electronic protected health information (ePHI) protected by federal HIPAA legislation, or access to UCSC systems or applications that contain this information, the contract must include a HIPAA Business Associate Agreement (BAA). Work with the UCSC Business Contracts Office to ensure that the contract includes this agreement.

 

If you have any questions regarding the information contained on this page, please contact the ITS Service Manager for Community and Compliance at 9-2779 or itpolicy@ucsc.edu.

 

Rev. 11/4/08