New technologies continue to provide unique opportunities to enhance teaching, learning and collaboration. Office productivity software, shared disk space, project management software, hosted email, survey tools, even high-performance computing clusters are now available with little more than a web browser and an internet connection. These and countless other hosted services empower individuals to get more done, faster.
With these services come serious issues that must be understood and considered before placing Penn data in the hands of a third party. A closer look at these issues and solutions will go far in minimizing your risk of data loss, service outages, foreign government access, inadequate technical support, non-compliance and other concerns.
The following tools and guidance help you determine when it is permissible and advisable to share Penn data with others:
- Know the Risks. In March of 2010, Penn issued an Almanac guidance entitled Cloud Computing: Opportunities Used Safely regarding the use of Penn data with cloud vendors. The guidance also describes instances where it is unlawful to share Penn data. For example, sharing student records or HIPAA-protected data without appropriate contract language is not permissible. The guidance explains information security risk areas such as your data being unavailable when you need it, confidential data being breached due to poor security practices, compliance with export control laws, and other important considerations.
- Use Due Diligence in Selecting Vendors. Conduct due diligence regarding the privacy and security safeguards of the third party:
  - Consult the Penn Data Risk Classification.
  - Ask the vendor to complete the Vendor Security Technical Assessment of Risk (V-STAR) tool.
  - Vet the third party and the agreement appropriately based on the sensitivity of the data.
  - Take Vendor Security Technical Assessment of Risk (V-STAR) online training on Workday Learning to learn how to evaluate vendors' answers on the V-STAR tool.
If you need additional guidance, contact the Privacy Office (privacy@upenn.edu) or the Office of Information Security (security@isc.upenn.edu).