Requirements for Third-Party Access to Sensitive Data
In some cases, a third party, such as a supplier, may need to access sensitive data (P3-P4) to fulfill their role for the university. It is important for Unit Heads and Unit Information Security Leads to select a supplier who can meet UC Santa Cruz’s security requirements, include appropriate provisions in the supplier contract, and ensure completion of all necessary documents.
Ensure a Supplier Meets UCSC Requirements
Before selecting a supplier, understand how potential suppliers will meet compliance requirements and protect UCSC:
- Consult with ITS to clarify security requirements.
- Engage Procurement Services to identify the appropriate purchasing processes.
- Contact Privacy & Information Practices for privacy requirements.
- Contact the Digital Accessibility and Equity Lead.
- Contact Risk Services to understand cybersecurity insurance requirements.
Include Appropriate Contract Provisions
Once a supplier has been selected, include provisions in the supplier contract that ensure security, compliance, and privacy, such as:
- Appropriate agreements and appendices that protect UCSC.
- Appendix DS, when the supplier will access UCSC institutional information and/or IT resources.
- Other agreements that pertain to specific data types, such as a HIPAA Business Associate Agreement (BAA) or a General Data Protection Regulation (GDPR) Appendix.
Unit, Unit Head and Unit Information Security Lead (UISL) Responsibilities
Units, Unit Heads and Unit Information Security Leads (UISL) have important and distinct responsibilities to ensure that supplier contracts meet UCSC requirements.
Units must:
- Complete a vendor risk assessment for suppliers accessing, processing, or storing P3-P4 data.
- Comply with the applicable UC Minimum Security Standard.
- Report any observed supplier security lapses to ITS and ensure that suppliers promptly report any breaches or information security incidents to ITS.
- Follow UC records retention requirements contained in UC’s Records Management Policies (RMP).
Unit Heads must:
- Identify and inventory institutional information and IT resources managed by the unit.
- Ensure that supplier agreements incorporate Appendix DS and other relevant contract documents to protect UC data and resources.
- Manage supplier contracts to confirm security requirements are met and review/update agreements based on changes in services or data/resource classification.
Unit Information Security Leads (UISL) must:
- Engage with the supplier in advance of the contract process to fully understand the goods/services to be provided.
- Facilitate completion of required materials (such as Appendix DS), coordination with Campus Subject Matter Experts, and the supplier agreement.
- Coordinate efforts to ensure the supplier is secure and compliant.
Appendix Data Security (Appendix DS)
Appendix Data Security (DS) must be included as part of the contractual terms and conditions when a non-UCSC party will access, collect, process or maintain UCSC institutional information and/or access IT resources. It is important that the supplier understands Appendix DS security requirements and their obligations under it. Appendix DS aligns with the UC IS-3 Electronic Information Security Policy and requires the supplier to comply with all regulatory requirements that apply to the Institutional Information or IT resources the supplier will access.
In most cases, the supplier should also read UCSC's Acceptable Use Policy and read and sign the Access to Information Statement prior to being granted access to UCSC information, systems, or applications.
Keep in mind that supplier security and compliance should be reassessed when:
- There are major changes at the supplier.
- The classification of the institutional information or IT resources involved changes.
General Data Protection Regulation (GDPR)
If a supplier contract is subject to the European Economic Area (EEA) General Data Protection Regulation (GDPR), the contract must include a GDPR Appendix. Contact UCSC Real Estate & Contract Services to ensure that the contract includes this attachment.
Health Insurance Portability and Accountability Act (HIPAA)
If a supplier contract will provide a non-UCSC party with access to electronic protected health information (ePHI) protected by federal HIPAA legislation, or access to UCSC systems or applications that contain this information, the contract must include a HIPAA Business Associate Agreement (BAA). Contact UCSC Real Estate & Contract Services to ensure that the contract includes this attachment.
Credit Card Data (PCI)
If you are planning a contract that will provide a non-UCSC party with access to credit card data, or access to UCSC systems or applications that store, process, or transmit this information, the contract must include special PCI terms and conditions. Contact UCSC Real Estate & Contract Services to ensure that the contract includes this attachment.
Get Help
- If you have any questions regarding the information contained on this page, contact the ITS Support Center.
- ITS Staff: See KB0018044 (login required) for additional requirements for third parties (contractors, consultants, etc.) in staff-like roles.