Why is this Important:
In contracts it is particularly important to clearly define terms that may have multiple meanings, especially when a term might encompass a class or classes of data. A good definition ensures that neither party is mistaken about the language used in the contract.
Completely define the data that is to be protected. (This includes data criticality and an enumeration of the data that is considered personally identifiable.) Keep in mind that which data counts as personally identifiable may depend on federal, state, and/or local law or regulation. (The same holds true for the type of protection required for personally identifiable information.) Consider also defining the extent of University ownership of that data.
Sample RFP Language:
The following language should be the lead-in paragraph to an Information Security section.
- For the purpose of this RFP, Confidential records or information are defined as any and all information owned by Institution - created, received from or on behalf of Institution, or accessed in the course of performing the [service] - whose collection, disclosure, protection, and disposition are governed by state or federal law or regulation, particularly information subject to [Enter Applicable Laws here.] This information includes, but is not limited to, [Enter list of applicable data items in here].
- For the purpose of this RFP, Institution records [data] are defined as any and all data created, received from or on behalf of Institution, or accessed in the course of performing the [service] including, but not limited to, [Enter list of applicable data items in here]. Institution records also include all information, including personally identifiable information, derived from other Institution records.
Sample Contract Clauses:
- For purposes of this addendum, Confidential Information is defined as any and all information whose collection, disclosure, protection, and disposition are governed by state or federal law or regulation, particularly information subject to the Family Educational Rights and Privacy Act (FERPA), the Gramm-Leach-Bliley Act (GLBA), or [insert state law code sections here as applicable]. This information includes, but is not limited to, Social Security Numbers, student records, financial records regarding students (or their parents or sponsors), financial and personal information regarding Institution employees, and other personally identifiable information identified by law.
- Define "Confidential Institution Data" as any data or information owned by Institution that [Vendor] creates, obtains, accesses (via records, systems, or otherwise), receives (from Institution or on behalf of the Institution), or uses in the course of its performance of the contract, which includes, but is not limited to: social security numbers; credit card numbers; any data protected or made confidential or sensitive by the Family Educational Rights and Privacy Act, as set forth in 20 U.S.C. §1232g ("FERPA"); the Health Insurance Portability and Accountability Act of 1996 and the federal regulations adopted to implement that Act (45 CFR Parts 160 and 164, "the HIPAA Privacy Rule"), collectively referred to as "HIPAA"; the Gramm-Leach-Bliley Act, Public Law No. 106-102; or any other applicable federal or [State] law or regulation.
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).