Choosing a Third Party Software
Per WAC 434-615-020, offices and departments at the UW can use cloud applications to store university records provided that the records are managed properly. Managing records properly includes the ability to respond to audits, public records requests, and litigation, retain records for their full retention period, and delete records at the end of their retention period. Storing records with an outside vendor does not absolve the University from responsibility for proper retention and treatment of its records. Additionally, RCW 42.56.010 defines a public record as any "information relating to the conduct of government or the performance of any governmental or proprietary function prepared, owned, used, or retained by any state or local agency regardless of physical form or characteristics." As a result, all UW data stored in a third party repository remains subject to potential disclosure upon request.
UW Records Management Services created this resource to offer some best practices for offices and departments who are contracting with and implementing cloud-based or other third party applications.
For help answering these questions, please contact us at 543-0573 or email@example.com. One of our staff can meet with you to go over these issues.
Third party vendors and cloud-based applications provide several unique and efficient solutions for modern offices. These include:
File storage and sharing applications which store files that you have created outside of the cloud so that the documents can be accessed by you and/or others via the internet. Examples (of varying suitability) include OneDrive for Business, Google Drive, Box, Dropbox, etc.
Productivity tools that allow you to create unique types of records and store them within the application itself. Examples of these include Trello, Slack, Jira, SurveyMonkey, Eventbrite, Facebook, Twitter, as well as a whole host of others.
Software as a Service (SAAS) databases and other structured content systems which store their information in the cloud. Examples include Salesforce, Airtable, Freshdesk, Workday, Terra Dotta, CastleBranch etc.
Regardless of if you are considering a cloud application or an on-premise software to organize your data, below are some of the issues you will need to address before committing yourself to a particular offering.
- What kind of information is the application going to contain?
- Business actions/decisions?
- Delegations or approvals?
- Communication with or information gathered from students or people outside the UW?
- Files documenting official University business?
- How long does the retention schedule specify such information needs to be kept?
Are you planning to scan and upload paper records? If so, your office must have an approved scanning policy before you can destroy the original paper documents.
Does the repository include a records management feature to implement retention periods? Is it customizable? Does it cost extra to enable these features?
Does deleting actually purge information from their servers or does it simply hide or “archive” the information? (Hiding data does not make the University any less responsible for it.)
- Who will be responsible for:
- Updating and maintaining accounts/permissions?
- Implementing an annual cleanup and deleting records at the end of their retention period?
- Facilitating the preservation of records of departing employees?
- Does the service provider have backups for their own use in case of lost data? Does the UW have access to those backups in case of lost or mistakenly deleted data or are they only for the provider’s disaster recovery purposes?
- Records identified as "Archival" on the legally approved retention schedule must be exported and transferred to the UW Archives. If you need to extract/export data from the repository, what format would the records be in? Would they be readable & useable with a common application or do they require a proprietary software to open, read, and understand? Will the vendor charge you to export the data?
- How are records organized? Will you be able to search to locate records? Will you be able to identify records that are past retention and eligible for deletion?
- Does the system let you retrieve information? How quickly could you produce records stored in the application in the event of an audit, public records request, or litigation? If you needed to extract the records from the repository, what format would the records be in? Would they be readable & useable with a common application or do they require a proprietary software to open, read, and understand?
- How easy is it to migrate the records and data from your current system to this new one you are procuring? Will the vendor assist with this migration?
- Will the new vendor charge you to retrieve any records or data from the system?
- Does the vendor offer live or recording training opportunities on the use or management of the system?
Privacy & Security
- Is the system FERPA compliant? Contact the Office of the University Registrar for clarity on the system's suitability to store student data.
- What are the privacy and security requirements for the information? Does the service provider meet those requirements? For example, Google Drive has some restrictions on use for classified research and student records and is not acceptable for records containing healthcare and/or credit card information. For more information, please contact the UW Privacy Office.
- Contact the UW Privacy Office for details on the appropriate collection and use of demographic data, academic data, Husky ID card data, youth data, social security number, as well as other federal or international regulations.
- Does the system allow you to delete information? How will you delete information? Manually? Using a query/search criteria? By configuring automated retention? Can you suspend automated retention for records subject to an audit, public records request, or legal hold?
- If you are using the system to conduct or collect research data, ensure you have the proper agreements signed based on your type of research.
- How are user accounts created? Can they be managed centrally within the UW department or does each user manage their own account?
- State Agencies in Washington like the UW must control who has access to their public records while stored with third party cloud service providers. UW retaining control of access satisfies the 'physical custody' requirements in WAC 434-615-020. Who will be responsible for dictating access to the system?
- Is staff turnover likely to cause problems accessing/managing the application? Is it tied to an individual’s email address or UW NetID credentials? Can a departmental or shared UW NetID be used to prevent control from being lost when an individual leaves the department?
- How are you planning to inform your users of their responsibilities? Are there other office policies or procedures that will be impacted by implementing this new cloud application?
Has all of the above information been reviewed by your department head? Have you received their approval to use this cloud application?
For applications where a contract between the University and the service provider needs to be negotiated, in addition to the above questions, the following requirements must also be addressed:
- You must go through UW Procurement Services when seeking out and negotiating the contract.
- The University must retain ownership of data and the service provider will only use the stored information for purposes necessary to and consistent with providing the contracted services.
- All information must be returned to the University’s custody in the event of contract dispute or termination, as well as the deletion of any back-ups and other copies retained by the service provider.
- If you have records covered by regulations such as HIPAA or FERPA, you will be required to have privacy agreements (e.g.., BAA, PDPA, DSPA, etc.) in place with the service provider. For more information on these types of agreements, please contact the UW Privacy Office.
- For all UW Medicine records, you must have a BAA and DSA in place with the service provider. For more information, refer to the UW Medicine IT Services page on Cloud Computing (NetID login required).
- The service provider must notify the UW in the event of an information security breach or other release of University information or any other incident which potentially threatens the security, integrity or availability of the stored records.
- The terms of the agreement should not require the University to indemnify the service provider against legal responsibility for their actions.
- What is the exit strategy? How much would it cost to get the data out of the repository completely at the end the contract period? What about doing it before the contract is up? What format would the data be in? How much time would be involved?
- How often are backups made? Where are they backed up to? Are these full backups or incremental?
- Regardless of if the data is stored in cloud repositories or on-premise systems, any period of disruption to access or disruption to the quality of data has detrimental impacts to UW business. What mitigation efforts are taken into account to avoid or mitigate disruptions?
- Bankruptcy or change in ownership: what mitigation planning is there to assist with migration from one system to another in the event of a vendor's bankruptcy, company takeover or just diminishment of services during a contract period?
Please note, cloud services are covered by the same rules regarding appropriate use that govern all other computing resources. For more information, refer to the UW’s Appropriate Use Guidelines.