Third Party Software Best Practices

Repositories

File storage and sharing applications which store files that you have created outside of the cloud so that the documents can be accessed by you and/or others via the internet. Examples (of varying suitability) include OneDrive for Business, Google Drive, Box, Dropbox, etc.

Tools

Productivity tools that allow you to create unique types of records and store them within the application itself. Examples of these include Trello, Slack, Jira, SurveyMonkey, Eventbrite, Facebook, Twitter, as well as a whole host of others.

Hybrids

Software as a Service (SAAS) databases and other structured content systems which store their information in the cloud. Examples include Salesforce, Airtable, Freshdesk, Workday, Terra Dotta, CastleBranch etc.

• What kind of information is the application going to contain?
  • Business actions/decisions?
  • Delegations or approvals?
  • Communication with or information gathered from students or people outside the UW?
  • Files documenting official University business?
• How long does the retention schedule specify such information needs to be kept?

• Are you planning to scan and upload paper records? If so, your office must have an approved scanning policy before you can destroy the original paper documents.

• Does the repository include a records management feature to implement retention periods? Is it customizable? Does it cost extra to enable these features?

• Does deleting actually purge information from their servers or does it simply hide or “archive” the information? (Hiding data does not make the University any less responsible for it.)

• Who will be responsible for:
  • Updating and maintaining accounts/permissions?
  • Implementing an annual cleanup and deleting records at the end of their retention period?
  • Facilitating the preservation of records of departing employees?
• Does the service provider have backups for their own use in case of lost data? Does the UW have access to those backups in case of lost or mistakenly deleted data or are they only for the provider’s disaster recovery purposes?
• Records identified as "Archival" on the legally approved retention schedule must be exported and transferred to the UW Archives. If you need to extract/export data from the repository, what format would the records be in? Would they be readable & useable with a common application or do they require a proprietary software to open, read, and understand? Will the vendor charge you to export the data?

• How are records organized? Will you be able to search to locate records? Will you be able to identify records that are past retention and eligible for deletion?
• Does the system let you retrieve information? How quickly could you produce records stored in the application in the event of an audit, public records request, or litigation? If you needed to extract the records from the repository, what format would the records be in? Would they be readable & useable with a common application or do they require a proprietary software to open, read, and understand?
• How easy is it to migrate the records and data from your current system to this new one you are procuring? Will the vendor assist with this migration?
• Will the new vendor charge you to retrieve any records or data from the system?
• Does the vendor offer live or recording training opportunities on the use or management of the system?

• Is the system FERPA compliant? Contact the Office of the University Registrar for clarity on the system's suitability to store student data.
• What are the privacy and security requirements for the information? Does the service provider meet those requirements? For example, Google Drive has some restrictions on use for classified research and student records and is not acceptable for records containing healthcare and/or credit card information. For more information, please contact the UW Privacy Office.
• Contact the UW Privacy Office for details on the appropriate collection and use of demographic data, academic data, Husky ID card data, youth data, social security number, as well as other federal or international regulations.
• Does the system allow you to delete information? How will you delete information? Manually? Using a query/search criteria? By configuring automated retention? Can you suspend automated retention for records subject to an audit, public records request, or legal hold?
• If you are using the system to conduct or collect research data, ensure you have the proper agreements signed based on your type of research.

• How are user accounts created? Can they be managed centrally within the UW department or does each user manage their own account?
• State Agencies in Washington like the UW must control who has access to their public records while stored with third party cloud service providers. UW retaining control of access satisfies the 'physical custody' requirements in WAC 434-615-020. Who will be responsible for dictating access to the system?
• Is staff turnover likely to cause problems accessing/managing the application? Is it tied to an individual’s email address or UW NetID credentials? Can a departmental or shared UW NetID be used to prevent control from being lost when an individual leaves the department?

• How are you planning to inform your users of their responsibilities? Are there other office policies or procedures that will be impacted by implementing this new cloud application?

• Has all of the above information been reviewed by your department head? Have you received their approval to use this cloud application?

• You must go through UW Procurement Services when seeking out and negotiating the contract.
• The University must retain ownership of data and the service provider will only use the stored information for purposes necessary to and consistent with providing the contracted services.
• All information must be returned to the University’s custody in the event of contract dispute or termination, as well as the deletion of any back-ups and other copies retained by the service provider.
• If you have records covered by regulations such as HIPAA or FERPA, you will be required to have privacy agreements (e.g.., BAA, PDPA, DSPA, etc.) in place with the service provider. For more information on these types of agreements, please contact the UW Privacy Office.
• For all UW Medicine records, you must have a BAA and DSA in place with the service provider. For more information, refer to the UW Medicine IT Services page on Cloud Computing (NetID login required).
• The service provider must notify the UW in the event of an information security breach or other release of University information or any other incident which potentially threatens the security, integrity or availability of the stored records.
• The terms of the agreement should not require the University to indemnify the service provider against legal responsibility for their actions.
• What is the exit strategy? How much would it cost to get the data out of the repository completely at the end the contract period? What about doing it before the contract is up? What format would the data be in? How much time would be involved?

• How often are backups made? Where are they backed up to? Are these full backups or incremental?
• Regardless of if the data is stored in cloud repositories or on-premise systems, any period of disruption to access or disruption to the quality of data has detrimental impacts to UW business. What mitigation efforts are taken into account to avoid or mitigate disruptions?
• Bankruptcy or change in ownership: what mitigation planning is there to assist with migration from one system to another in the event of a vendor's bankruptcy, company takeover or just diminishment of services during a contract period?