Data Security Agreement
1. When should I use the Data Security Agreement?
A Data Security Agreement shall be used when one or more of the following scenarios occur with a contractor:
a. University transfers confidential data to the contractor’s offsite location.
b. The contractor accesses University systems containing confidential data.
c. The contractor provides hardware or software support for University systems and has incidental access to confidential data.
d. The contractor provides a hardware and/or software system preconfigured to store or process confidential data. Reconfiguration may be constrained by the technical limitations of the hardware or software supplied by the contractor.
2. How and when do I incorporate the DSA into contract negotiations?
a. The Data Security Agreement may be a stand-alone agreement or an addendum to an existing or new contract for the purchase of goods or services.
b. When possible, a draft DSA should be included by the Purchasing Department in all solicitations: Request for Proposal (RFP), Request for Quote (RFQ), etc.
c. If proceeding on a sole-source basis, the DSA should be introduced at the earliest possible time during negotiations.
d. If utilizing a cooperative purchasing agreement, review the information security terms therein and complete a separate DSA.
3. What are my responsibilities with regard to the DSA?
A Data Security Agreement may only be signed by University employees with explicit written authority to sign Agreements on behalf of the University. The following roles and responsibilities apply to this strategy and the Data Security Agreement:
a. University Departments are responsible for implementing this strategy and notifying Purchasing Services about the need for a Data Security Agreement (see Attachment B: Data Security Agreement Process). Departments are responsible for contacting the Data Custodian responsible for the information subject to the DSA. Departments are also responsible for managing the vendor relationship for the life of the contract, and communicating the need for the Contractor to fulfill the University requirements.
b. Data Trustees and Data Custodians are responsible for the University’s business decisions related to Data Security Agreements.
c. Purchasing Services provides acquisition expertise in combination with knowledge of best contracting and materials management practices related to contracts and Data Security Agreements that involve the purchase of products or services.
d. The Office of the CISO is responsible for developing and implementing a University-wide information security program, policies and standards, and advising Executive Heads of organizations on risk management strategies.
e. The University Division of the Attorney General’s Office provides legal advice for the University.
4. What information should be included in the Disclosure of University Data section?
The purpose of this section is to ensure that University data will only be shared with parties that have a legitimate business need under the contract. The DSA should detail the nature of data (e.g., confidential data) exchanged, the volume of data, and reason for use or disclosure.
5. What information should be included in the Use or Storage of, or Access to, University Data section?
The purpose of this section is to ensure that University data will only be accessed in the manner set forth in the contract. The DSA should outline protections against inappropriate use and disclosure. Be sure to also address the return or destruction of the data after its intended use.
6. How do I address the Safeguarding University Data section?
This clause is one of the most important in the DSA. Within this section of the agreement, the requirements for using and handling the information are set out.
a. System Security:
The purpose of this section is to ensure that the systems used to store, transmit, or process University data are configured in a secure manner. The DSA should describe the minimum best practices and suggest the level of care necessary in configuring such systems.
b. System Maintenance and Support:
The purpose of this section is to ensure that systems used to store, transmit, or process University data are maintained and supported adequately: systems should be patched in a timely manner, changes need to be properly communicated, and remote access should be accomplished in a secure manner.
c. Data Protection:
The purpose of this section is to ensure that University data is not accessed or disclosed to unauthorized parties. University data is subject to many laws and regulations that the contractor needs to be aware of.
7. What responsibilities are required by the Oversight clause?
It is vital that systems used to store, transmit, or process University data be audited on a regular basis. The University expects the contractor to perform this, but reserves the right to request an audit.
8. What should be addressed in the Data Breach section?
It is vital that potential data breaches be communicated to the University in a timely manner. University data is subject to many laws and regulations, and specific actions may be required. The University expects the contractor to be aware of the regulations governing the particular set of data and to support these efforts, and it is important to include contract terms related to both parties' duties in the event of a breach. Be sure to specifically describe notification requirements for security incidents that may lead to a breach of confidential data. In addition, make sure to address indemnification of the University against penalties, claims, or damages arising from a security breach.
9. What does "No Surreptitious Code" mean?
The purpose of this section is to ensure that the contractor's hardware or software contains no hidden or undocumented features, and no known vulnerabilities, that could disclose University data or reduce the security of a system used to store, transmit, or process that data.
10. Can the University control Compelled Disclosure?
The purpose of this section is to ensure that, whenever possible, the University is able to decide how to respond to a request for access to University data. In practice, this means the University should be informed of all requests made to the Contractor regarding the University's data.
11. How should I address Termination Procedures?
The purpose of this section is to ensure that upon termination of the contract, University data is returned to University in a secure and agreed upon manner. Also, use the DSA to describe the return or destruction of confidential data after its intended use.
12. What does “Survival; Order of Precedence” mean?
The purpose of this section is to ensure that the provisions of the Data Security Agreement safeguard University data and do not conflict with the contract. To do so, clearly state whether the DSA or the contract terms take precedence in the event of a breach or when making data-related decisions, and which data-protection obligations survive termination of the contract. It is best if the two documents mirror one another on the items addressed in the DSA.
13. What definitions are used in the DSA?
These terms are defined for emphasis, or in addition to terms defined in University Administrative Policy Statement 2.4, Information Security and Privacy Roles, Responsibilities, and Definitions.
14. What if I have a question regarding acquisition, materials management or contracting?
UW Purchasing Services is best equipped to handle such questions.
15. What if I have a question of a legal nature (i.e., "Can I do this under the law?")?
The Executive Head of the organization should address questions to the Office of the Attorney General.
16. What if I have a question regarding requirements for information security?
Information security questions from units within UW Medicine should be directed to UW Medicine IT Services Security. Otherwise, questions should be directed to the Office of the CISO.
17. Does the DSA mean I don’t need a Business Associates Agreement (BAA)?
No. If a BAA is indicated, you must use a BAA as well, and ensure that the terms of the two agreements do not conflict with each other.
18. What is the difference between a DSA and a BAA?
The BAA is a federal requirement under the HIPAA regulations that must be incorporated into contracts when business partners, contractors, vendors, or other outside parties (a.k.a. Business Associates) are given access to patient information while performing a service on behalf of the University involving the use or disclosure of patient information. The BAA is required by UW Medicine Privacy Policy PP-12.
The DSA is required when business partners, contractors, vendors, or other outside parties are given access to University confidential data.
19. Why do I need both a BAA and a DSA?
The BAA ensures that the Business Associate agrees to protect patient information on behalf of the University. It is a regulatory requirement.
The DSA contains more specific terms involving the safeguarding of UW confidential data (including patient information), the reporting of breaches, and the disposal/return of that data.
20. What happens after a contract is signed?
Departments are responsible for managing the vendor relationship for the life of the contract, and communicating the need for the contractor to fulfill the University requirements.
21. Can I use the DSA for exploration/testing of software and services?
Yes, and you are encouraged to do so. The DSA does not need to be reserved for signed contracts only. It should be used any time confidential data leaves the University.
22. If the DSA is modified, who should review it?
If the contracting organization is a unit within UW Medicine, the DSA should be reviewed by UW Medicine IT Services Security. Otherwise, it should be reviewed by the Office of the CISO. If the DSA is not modified, it does not have to be reviewed.