Use Guidelines

 

Guiding Principles

  • Contracts: All contract signatures at UCSC are subject to the University’s policies. Please ensure that people added as signers to the routing are operating within their designated signatory authorization for contracts and agreements. An employee signer is prohibited from delegating signing authority via DocuSign to those who are not otherwise authorized delegated signatories. 
  • Form Ownership: Each campus form (and associated process) is managed by a campus office.  Do not assume a form may be handled via DocuSign without first confirming with the responsible office and obtaining the consent of the authoring and managing unit.
  • All staff, faculty, and students have the ability to sign documents through DocuSign using University credentials to access Single-Sign-On service. 
  • DocuSign has been approved for internal routing and legally-binding electronic signature collection, conditioned on the applicable designated signatory authority and any applicable University policy. 

DocuSign is Not a Records Retention System

  • DocuSign is not to be used as a repository for the purpose of retaining university records. The user must download or otherwise save the documents signed via DocuSign and save in accordance with the department’s records retention practices. 

  • Once envelopes are moved to the deleted folder, they are purged at midnight the same day and cannot be recovered.

  • If you have questions about long-term storage or campus records retention policies, please contact Diane Lallemand, Campus Records Manager


Data Classification

Each employee user is expected to understand and abide by the appropriate compliance requirements for the level of data they handle. Implementing a use case depends on what types of data are collected and what the department does with that data. For example, use cases may need to comply with FERPA, HIPAA, Section 508c, or UC policies.

  • Be aware of collecting and storing PII and other sensitive information. Any data collected through DocuSign must be securely stored and maintained as appropriate outside of the DocuSign system, and subsequently deleted from DocuSign.
  • If you anticipate utilizing collecting P4 or PII information on documents via DocuSign, please reach out to ITS_DocuSign_Help <its_docusign_help-group@ucsc.edu> in advance.
  • (Institutional Review Board) IRB should review use cases with their committee and the Office of Research Compliance Administration (ORCA). 
  • Do not collect data that you do not need. For every proposed question, think about why you need such information, how you will use the information, and whether it’s consistent with respondent expectations and data privacy laws.
  • Control who accesses the data. Keep track of who has access to what, and don’t share passwords. Data privacy is critical - access should be on a need-to-know basis.
  • Use the masking features or document visibility features to limit access to sensitive data as appropriate.

Opting Out of Conducting Business Electronically

  • Employees, including student employees, acting within the scope of their employment may not opt-out of conducting a transaction electronically with DocuSign.
  • Individuals and entities, excluding employees acting within the scope of their employment, may opt-out of conducting a transaction electronically by providing written notice of the decision to opt-out of conducting business with the University electronically per transaction. The written notice must be directed to the University employee responsible for the business relationship with the party. Users may refer to the system’s ERSD.

When Can't UCSC Docusign Be Used

  • Our implementation does not meet the needs for  FDA 21 CFR Part 11 in life sciences  Use cases that request this cannot be used with DocuSign.
  • DocuSign cannot be used with ITAR. (International Traffic). 
  • DocuSign cannot be used to document the handling or transporting of hazardous or toxic materials.
  • DocuSign cannot be used for court orders, notices, or other official court documents.
  • Consult with University counsel for international agreements.

Departmental DocuSign Accounts

  • A departmental account is under the UC Santa Cruz organization but is the department’s own DocuSign instance to configure and maintain.  If administrative setting changes are needed, the administrator of the account will submit the proposed changes for review by the ITS DocuSign team for feedback. The review will look at impacts on security, legal, and privacy and may require others to review.   
  • Exceptions to security configurations require the following approvals:
    • Security - Only the Chief Information Security Officer(CISO) can grant security exceptions.  A security exception is granted through the security review process. https://its.ucsc.edu/itsm/securityrev.html
    • Retention - Only the Campus Records Manager and/or legal counsel, as applicable, can grant exceptions to the setting and timing of automatic deletion in Docusign. 


 

See Also