Contract Language for Third Party Access to Sensitive Data

Ensure a Supplier meets UC requirements

Ideally do these steps up front, before making a selection:

  • Engage ITS
    • Coordination with services that support Supplier solution
    • Consultation with Information Security to clarify security requirements
  • Engage Procurement Services
    • They can help identify the appropriate purchasing processes
  • Select a Supplier that meets compliance requirements
    • Have a good understanding of how potential Suppliers will protect UC
    • Applies to all sourcing methods (e.g. Request for Proposals (RFP), Limited Bid, sole source)

Once Supplier selection is made:

  • Include Security, Compliance and Privacy in your Supplier contract plan
    • Include the appropriate agreements and appendices to protect UC
    • Appendix DS is required when the supplier will access UC Institutional Information and/or IT Resources
    • Other types of agreements may be needed for specific data types (e.g. BAA, GDPR).

Roles and Responsibilities

Unit Head

  • Identify and inventory Institutional Information and IT Resources managed by the Unit
  • Ensure that Supplier agreements incorporate Appendix DS and other relevant contract documents to protect UC data and resources
  • Manage Supplier contracts to confirm security requirements are met and review/update agreements based on changes in services or data/resource classification

Unit Information Security Lead (UISL)

  • Engage with Supplier in advance of contract process to fully understand goods/services to be provided
  • Facilitate Appendix DS process: completion of required materials, coordination with campus SMEs and Supplier agreement
  • Coordinate efforts to ensure Supplier is secure and compliant

Data security contract language (Appendix DS):
If you are planning a contract where a non-UCSC third party will access, collect, process or maintain UC Institutional Information and/or access IT Resources, the Appendix Data Security (DS) must be included as part of the contractual terms and conditions.

It is important that the supplier understand Appendix DS security requirements and their obligations under it. Appendix DS aligns with the UC IS-3 Electronic Information Security Policy, and requires that the supplier comply with all regulatory requirements that apply to the Institutional Information or IT Resources the supplier will access.

In most cases, the vendor should also read UCSC's Acceptable Use Policy and read and sign the Access to Information Statement prior to being granted access to UCSC information, systems or applications.

Keep in mind that supplier security and compliance should be reassessed when:

  • There are major changes at the Supplier
  • The classification of the Institutional Information or IT Resources changes

Special note about GDPR:
If you are planning a contract with a Supplier that will be subject to the European Economic Area (EEA) General Data Protection Regulation (GDPR), the contract must include a GDPR Appendix. Work with the UCSC Business Contracts Office to ensure that the contract includes this agreement. GDPR resources (login required).

Special note about HIPAA:
If you are planning a contract that will provide a non-UCSC party with access to electronic protected health information (ePHI) protected by federal HIPAA legislation, or access to UCSC systems or applications that contain this information, the contract must include a HIPAA Business Associate Agreement (BAA). Work with the UCSC Business Contracts Office to ensure that the contract includes this agreement. HIPAA resources.

Special note about credit card data (PCI):
If you are planning a contract that will provide a non-UCSC party with access to credit card data, or access to UCSC systems or applications that store, process or transmit this information, the contract must include special PCI terms and conditions. Work with the UCSC Business Contracts Office to ensure that the contract includes this attachment. PCI resources.

Getting Help:
If you have any questions regarding the information contained on this page, please contact the Information Security Policy and Compliance Manager at 9-2779 or itpolicy@ucsc.edu.

ITS Staff: See KB0018044 (login required) for additional requirements for third parties (contractors, consultants, etc.) in staff-like roles.