Data Sharing

Data Sharing

#Why is this Important
#Sample RFP Language
#Sample Contract Clauses

Why is this Important:
Similar to use of data provisions, an institution of higher education may want to consider data protection provisions that prohibit additional sharing of institution data, or provisions that otherwise limit a contracting third party's use of institution data based upon employee need to know. Again, since institutions might have other obligations regarding use or disclosure of data under federal, state, and local laws, including provisions regarding data sharing or requiring a non-disclosure agreement help protect the institution in case of a contractual breach.

Appendix 1 ISO/IEC 27002:2005, Reference 6.2.3(b); (b)(1); (b)(7); ( i); (u)
Appendix 2 NIST Sp. Pub. 800-53, Rev. 2; Control PS-6 (Access Agreements)

Prohibitions against data sharing vary from complete prohibitions, no sharing unless approved by the institution, to need to know sharing by contractor's employees, etc. May also require signing a non-disclosure agreement.

Criticality: Category 1, Category 2, and Category 3

Sample RFP Language:

  1. What administrative safeguards and best practices does the Proposer have in place to vet Proposer's and third-parties' staff members that would have access to the environment hosting all systems that would interact with the service proposed including any systems that would hold, process, or from which Institution data may be accessed to ensure need-to-know-based access.
  2. Describe the Proposer's password policy including password strength, password generation procedures, and frequency of password changes. If passwords are not used for authentication to the proposed system, describe what alternative controls are used to manage user access.
  3. How will users authenticate to the proposed system? What procedures and best practices does the Proposer have in place to ensure that user credentials are updated and terminate as required by changes in role, responsibilities, and employment status.
  4. Does the product provide the capability to use local credentials (i.e., federated authentication) for user authentication and login. If yes, describe how the product provides that capability.
  5. Does the product manage administrator access permissions at the virtual system level? If yes, describe how this is done.


Sample Contract Clauses:

  1. Except as otherwise specifically provided for in this Agreement, the [Vendor] agrees that Institution data will not be shared, sold, or licensed with any third-party, with the exception of approved sub-contractors, without the express approval of the Institution through a data letter agreement.
  2. The [Vendor] certifies that only employees of the company or approved contractors will be granted access to Institution data.
  3. [Vendor] shall represent, warrant and certify it will: Hold all Sensitive Data in the strictest confidence; Not release any Sensitive Data concerning an Institution student unless [Vendor] obtains Institution's prior written approval and performs such a release in full compliance with all applicable privacy laws, including FERPA.
  4. [Vendor] agrees to hold any and all Confidential Information obtained from the Institution, its students, faculty, staff, or other agents in the performance of this Agreement in strictest confidence, and shall not use or disclose such Confidential Information except as permitted or required by this Agreement or by law or as otherwise agreed to in writing by the Institution.
  5. Access to Institution Data must be strictly controlled and limited to [Vendor] staff assigned to this project on a need-to-know basis only.
  6. [Vendor] agrees to hold [term for sensitive data] in strict confidence. [Vendor] shall not use or disclose [term for sensitive data] received from or on behalf of Institution except as permitted or required by the Agreement or this Addendum, as required by law, or as otherwise authorized in writing by INstitution. [Vendor] agrees that it will protect the [term for sensitive data] it receives from or on behalf of Institution according to commercially acceptable standards and no less rigorously than it protects its own confidential information.
  7. [Vendor] agrees to hold Covered Data received from or created on behalf of Institution in strictest confidence. [Vendor] shall not use or disclose Covered Data except as permitted or required by the Agreement or as otherwise authorized in writing by Institution. If required by a court of competent jurisdiction or an administrative body to disclose Covered Data, [Vendor] will notify Institution in writing prior to any such disclosure in order to give Institution an opportunity to oppose any such disclosure. Any work using, or transmission or storage of, Covered Data outside the United States is subject to prior written authorization by the Institution.


common security items

Questions or comments? Contact us.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).