When does the UC Data Security Appendix apply to my order?

The UC Data Security and Privacy Appendix (Appendix DS for short) is attached to purchase orders and contracts by Procurement Services whenever the supplier will have:

  1. Access to UC systems; and/or
  2. Access to, or the passing of, UC-owned information (including research or trade secrets); and/or
  3. Access to data subject to FERPA (records that contain information directly related to a student and which are maintained by UC; see 34 CFR § 99.3 for more); and/or
  4. Access to confidential information that is subject to state or federal laws restricting use and disclosure of personally identifiable information (PII), student data & records, protected health information (PHI), or individual financial records.

What is Personally Identifiable Information?
The actual fields according to California law are:

  • An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
      • Social security number.
      • Driver’s license number or California identification card number.
      • Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
      • Medical information.
      • Health insurance information.
      • Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.
  • A user name or email address, in combination with a password or security question and answer that would permit access to an online account.
  • For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
  • For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
  • For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

Anything else?
You may be asking about some gray areas, such as name and address when combined. Consider whether a breach would cause a problem. If there were a breach of the information shared with your provider, might the individuals be personally defamed by the breach, or might the breach be a source of embarrassment to the university? Click here for more information about the protection classification definitions.

Why do we need Appendix DS?
The purpose of Appendix DS is two-fold. The first is to ensure a satisfactory security plan that has a reasonable chance of protecting our information. The second is to address what happens if something goes wrong. To err on the side of caution, we use Appendix DS when the UC is giving data to a service provider, or allowing them to use our systems.

What about personal information of individuals in the EEA and EU (GDPR)?
If your supplier will have access to, or will pass, personal information of individuals in the EEA or European Union (EU), our revised (5/2018) UC Appendix DS will address GDPR requirements. Your contracts analyst will reach out to your department to help address the GDPR requirements for your specific contract by filling out Amendment 2 to the Appendix DS.
Click here for more information about when to use Amendment 2, what the GDPR considers personal information, and what are the EEA and EU.

What are IaaS and SaaS services?
IaaS - Infrastructure As A Service - this is a cloud (or off-site) HOSTING service from which we buy space on servers, virtual servers, network, and operating systems. Examples: DigitalOcean, Linode, Rackspace, Amazon Web Services (AWS), Cisco Metapod, Microsoft Azure.

SaaS - Software As A Service - this is a cloud (or off-site) service from which we procure software functionality. Also known as cloud application services, it runs through the web browser. SaaS vendors also provide storage for the data that are generated by the software. Examples: Google Apps, Dropbox, Salesforce, Cisco WebEx, Concur, GoToMeeting.



Any questions? Contact:
Sam Horowitz - samh@ucsb.edu, or x5005
Doug Drury - doug.drury@ucsb.edu or x5036
Procurement - contracts@bfs.ucsb.edu

Unit or Topic: Procurement Services