Four templates are available to university personnel to authorize, thoroughly document, and memorialize grants of access to data. These items are authorized and referenced by University Policy UNIV 1.52, Responsible Use of Data, Technology, and User Credentials [pdf]. Each document supports State of South Carolina provisos 117.113 (2014) and 101.32 (2014), as authorized by SC Division of Information Security’s SCDIS-200 Information Security and Privacy Standards. Please note that certain terms used in UNIV 1.52 are defined and clarified in policy UNIV 1.51, Data and Information Governance [pdf].
The Chief Data Officer and Agency Privacy Liaison, General Counsel, Purchasing, and applicable Data Stewards are available for consultation in adapting any of these templates to specific purposes.
A Data Sharing Agreement is a data exchange approval process. Its purpose is to ensure that USC data is handled appropriately based on the data elements being shared, their classifications, and the method used to share them. Departments and Organizational Units (OU) use this process to request data access from data stewards.
Users must acknowledge they have received, read, and agree to follow this policy, related confidentiality and privacy provisions, standards, procedures, rules, and regulations pertinent to assets they are authorized to use. Users are required to complete a User Agreement for Responsible Use and Confidentiality of Data, Technology, and User Credentials prior to being authorized or granted access to data, technology, and user credentials (UNIV 1.52 ¶ II.A.1)
University organizational units that require internal exchange, transmission, or other sharing of data and information must establish and adhere to an Internal Data and Information Sharing Agreement prior to any sharing or transmission (UNIV 1.52 ¶ II.A.3)
University personnel responsible for sharing or transmitting university data or information concerning university Constituents, operations, or business processes with an external entity are responsible for ensuring an External Data and Information Sharing Certification is executed prior to any sharing or transmission (UNIV 1.52 ¶ II.A.4)
University employees purchasing or acquiring data and/or technology services, systems, and software are responsible for establishing a Contract Addendum for External Data and Systems Service Providers with vendors prior to initiating services. Such acquisitions may include hosted services from a third party which involve university data or business processes, as well as services through which Constituents submit their personal data to the vendor or service provider. The Contract Addendum must be included with solicitations, RFPs, contract approvals, and procurement documentation (UNIV 1.52 ¶ II.A.5)