When institutional data is to be shared with a third party (e.g., an information technology cloud provider), Policy DM-02 "Disclosing Institutional Information to Third Parties" requires the department involved to take proactive steps to be aware of and reduce the risks associated with sharing the information.

Responsibility: The Requester is responsible for marshalling the 3PA process.

1. Submit a Software & Services Selection Process (SSSP) form; then, if directed by the SSSP...
2. Seek Data Steward approval by submitting a Data Handling Request (DHR) to begin a Third-Party Assessment (3PA).
   • Guidance: "Third-Party Assessment (3PA) Quick Reference Guide"
3. If the Data Stewards require a UISO targeted risk assessment, obtain the appropriate higher Education Cloud Vendor Assessment Tool (HECVAT) from the 3rd party.
   • Guidance: "Third-Party Assessment (3PA) Quick Reference Guide"

Grandfathered DHMs: To submit a request via an old already-in-progress version of the Data Handling Matrix (aka: "DHM"; the old Excel version of the DHR), simply email it to sassess@iu.edu. (The grandfather window expired on October 4th, 2019; moving forward, the Excel version of the DHM will not be accepted.)