Data Security & Privacy Contract Reviews

What We Do

In recognition that campus units increasingly rely on partners and suppliers to handle institutional information, the privacy and data security (PDS) contracts review program helps campus units ensure such contracts (i) more effectively manage PDS risks, (ii) meet the requirements of campus policies in those domains, and (iii) comply with applicable PDS laws. The program applies a tiered, risk-based approach to accomplish these objectives: contracts are classified into two risk tiers, with lower-risk contracts being handled via a set of standard terms and higher-risk contracts undergoing more rigorous review involving outside privacy and data security counsel to address unique requirements.

Why We Do It

The University increasingly looks to its partners and suppliers to deliver a variety of services where another entity handles institutional information. Such services include both technology offerings and more traditional services (e.g., audits, HR processing, etc.) that entail handling of sensitive institutional information. While the institutional information may be in the custody of another entity, the University nonetheless remains responsible for ensuring that data will be handled in accordance with applicable law and for ensuring it will be appropriately protected. While contract negotiations may not be the only opportunity to establish requirements for privacy and data security, those negotiations are often the point at which the University has the greatest influence over partner/supplier behavior and often will be the only opportunity to ensure compliance with applicable laws.

Who Benefits

Fundamentally, the program helps assure parity of privacy and information security risk between internal service providers and those outside the University, which enables innovation, helps reduce costs, and ensures the University meets its commitment to appropriately protecting institutional information. The program therefore benefits the University as a whole, the sponsoring unit, and the subjects of any institutional information involved. Specific benefits of the program include:

  • Review by attorneys with specialized knowledge and practice experience in privacy and data security law who are able to apply privacy and data security policies/standards for unique and high-risk arrangements;
  • Identification of “hidden” privacy risks with significant potential impact on the University; 
  • Assurance that appropriate University stakeholders will be able to make an informed risk management decision based on an accurate understanding of privacy and data security risk; 
  • Meeting UC and campus privacy and data security policies and standards in complex arrangements not adequately addressed by standard terms and conditions.

How to Get Started

Sponsoring departments should work with the responsible campus contracting office (typically, Supply Chain Management or Business Contracts and Brand Protection) to initiate an engagement. For questions about PDS contract reviews, please email security@berkeley.edu.

Service Details and Additional Information

Service category