Use of Data

Use of Data

#Why is this Important
#Sample RFP Language
#Sample Contract Clauses

Why is this Important: It is important to specify the permitted uses and the impermissible uses of institution data, particularly since institutions of higher education might have other obligations regarding use of that data under federal, state, and local laws. In particular, the institution will want to use this type of clause to ensure that the party that it is contracting with does not use institution data for a purpose not otherwise permitted by the contract. Limiting use in this matter helps protect the university from liability should the contracting party use the data in an impermissible way.

ISO/IEC 27002:2005, Reference 6.2.3(b); ( i) (1); (k); (v)

Many clauses prohibit use of the data for any purpose other than that specified by the contract; clauses may allow modification of use upon advance written agreement of the originating institution.

Criticality: Category 1 and Category 2.

Sample RFP Language:

  1. What administrative safeguards and best practices does the Proposer have in place to vet Proposer's and third-parties' staff members that would have access to the environment hosting all systems that would interact with the service proposed including any systems that would hold, process, or from which Institution data may be accessed to ensure that Institution data and resources will not be accessed or used in an unauthorized manner.
  2. List all subcontractors that may have access to Institution data and their corresponding location.
  3. How will users authenticate to the proposed system? Does the proposed system allow for multiple security levels of access based on affiliation (e.g., staff, faculty, student), roles (e.g., system administrators, analysts, information consumers), and/or department? If yes, describe how the proposed system provides for multiple security levels of access.
  4. Does the product provide the capability to limit user activity based on user type or role (i.e., who can create records, delete records, create and save reports, run reports only, etc.)? If yes, describe how the product provides that capability. If no, describe what alternative functionality is provided to ensure that users have need-to-know based access to the product?
  5. What safeguards does the Proposer have in place to segregate Institution data from system and other customers' data to prevent accidental and/or unauthorized access to Institution data?
  6. What safeguards does the Proposer have in place to prevent the unauthorized use, reuse, distribution, transmission, manipulation, copying, modification, access, or disclosure of Institution data?


Sample Contract Clauses:

  1. The [Vendor] agrees that data provided to them during the provision of service shall be used only and exclusively to support the service and service execution and not for any other purpose. This shall include not examining data for targeted marketing either within the confines of the service or external to the service (e.g., keyword indexing). The [Vendor] may use aggregate statistics on service usage in order to enhance or optimize the functionality of the service. The phrase 'Institution data' includes data uploaded by users of the service and communications between the user, the Institution, and [Vendor].
  2. Uses of Institution data provided under this Agreement other than for the use as specifically detailed in this Agreement is strictly prohibited, unless such other use is subsequently specifically agreed to in writing by the parties.
  3. [Vendor] shall represent, warrant and certify it will: Not otherwise use or disclose Sensitive Data except as required or permitted by law; Safeguard Sensitive Data according to all commercially reasonable administrative, physical and technical standards (e.g., such standards established by the National Institute of Standards and Technology or the Center for Internet Security); Continually monitor its operations and take any action necessary to assure the Sensitive Data is safeguarded in accordance with the terms of this Agreement.
  4. Unless expressly permitted by the express advance written consent of an Institution official authorized to give such consent, [Vendor] and its employees, agents, contractors, and other persons associated with [Vendor] (collectively, the "[Vendor] Users") are only permitted to use, reuse, distribute, transmit, manipulate, copy, modify, access, or disclose the Institution Data to the extent necessary for [Vendor] to implement and maintain the System as set forth in this Agreement. [Vendor] and the [Vendor] Users shall hold the Institution Data in confidence and protect the Institution Data to the same extent and in at least the same manner as [Vendor] protects its own data, but in no case in a lesser manner than a reasonable degree of care under the circumstances.
  5. [Vendor] will be solely responsible for any unauthorized use, reuse, distribution, transmission, manipulation, copying, modification, access, or disclosure of Institution data and any non-compliance with the data privacy and security requirements by [Vendor] or [Vendor] users.
  6. No Institution Data may be outsourced or housed outside the United States of America without prior Institution authorization."


Core Language

Questions or comments? Contact us.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).