Classifying Contracts by Risk
Campus contracting offices work with sponsoring departments to classify contracts according to privacy and data security risk. The criteria for “high-risk” contracts will evolve over time so that the level of review stays commensurate with the level of risk.
Currently, high-risk agreements include those that:
- Present novel or controversial privacy issues or call for privacy practices in conflict with UC’s own policies/standards/practices; or,
- Use non-standard credit card payment acceptance solutions for payments into UC’s own financial accounts; or,
- Involve individually identifiable health information; or,
- Involve information classified as Protection Level 2 or higher where the counterparty will not accept Appendix DS and UCB Information Security and Privacy policies absent material revision; or,
- Have been flagged by the responsible contracting office, Office of Legal Affairs or Information Security and Policy as presenting unique privacy or data security risks that would not be adequately addressed through the use of standard terms and conditions.