Sharing institutional data with third parties

Protect data shared with cloud services and other third parties.

When institutional data is to be shared with a third party (e.g., an information technology cloud provider), Policy DM-02 "Disclosing Institutional Information to Third Parties" requires the department involved to take proactive steps to be aware of and reduce the risks associated with sharing the information.

Responsibility: The Requester is responsible for marshalling the 3PA process.

  1. Submit a Software & Services Selection Process (SSSP) form; then, if directed by the SSSP...
  2. Seek Data Steward approval by submitting a Data Handling Request (DHR) to begin a Third-Party Assessment (3PA).
  3. If the Data Stewards require a UISO targeted risk assessment, obtain the appropriate higher Education Cloud Vendor Assessment Tool (HECVAT) from the 3rd party.
Grandfathered DHMs: To submit a request via an old already-in-progress version of the Data Handling Matrix (aka: "DHM"; the old Excel version of the DHR), simply email it to (The grandfather window expired on October 4th, 2019; moving forward, the Excel version of the DHM will not be accepted.)