Data Protection Addendum
This Data Protection Addendum (“Addendum”) is an add-on to the Purchasing Terms and Conditions found at http://www.procurement.virginia.edu/pagepterms. It is applicable only in those situations where the Selected Firm/Vendor provides goods or services under a Purchase Order which necessitate that the Selected Firm/Vendor create, obtain, transmit, use, maintain, process, or dispose of University Data (as defined in the Definitions Section of this Addendum) in order to fulfill its obligations to the University.
NOTE REGARDING PATIENT/HEALTH PLAN PARTICIPANT INFORMATION: If the Selected Firm/Vendor, through work with one of the University’s designated “health care components” identified here, will receive, create, or come into non-incidental contact with individually identifiable health information of UVA patients or UVA Health Plan participants -- “Protected Health Information” as that term is defined in regulations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), at 45 C.F.R. Part 160.103 -- the Business Associate Addendum found at http://www.procurement.virginia.edu/pagebusinessadd applies in addition to this Data Protection Addendum. Where noted herein, certain sections of the Business Associate Addendum replace sections of this Data Protection Addendum as regards Protected Health Information (PHI).
This Addendum sets forth the terms and conditions pursuant to which University Data will be protected by the Selected Firm/Vendor during the term of the Parties’ Agreement and after its termination.
1. Definitions
a. “End User” means an individual authorized by the University to access and use the Services provided by the Selected Firm/Vendor under this agreement.
b. “Protected University Data” includes all data defined as Highly Sensitive, Sensitive, or Internal Use data in UVA's IRM-003 Data Protection of University Information policy (http://uvapolicy.virginia.edu/policy/IRM-003) that is not intentionally made generally available by the University on public websites or publications, including but not limited to business, administrative and financial data, intellectual property, and patient, student, and personnel data.
c. “Securely Destroy” means taking actions that render data written on physical (e.g., hardcopy, microfiche, etc.) or electronic media unrecoverable by both ordinary and extraordinary means. These actions must meet or exceed those sections of the National Institute of Standards and Technology (NIST) SP 800-88, REV 1 guidelines relevant to data categorized as high security.
d. “Security Breach” means the unauthorized access, use, or disclosure that compromises or threatens to compromise the confidentiality, integrity, or availability of University Data.
e. “Services” means any goods or services acquired by the University of Virginia from the Selected Firm/Vendor.
f. “University Data” includes Protected University Data and any other information that is created, possessed or used by the University or is intentionally made generally available by the University on public websites or publications, including but not limited to business, administrative and financial data, intellectual property, and patient, student, and personnel data.
g. "Audit Trail" means a chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security-relevant transaction from inception to final result.
2. Rights and License in and to the University Data
The parties agree that as between them, all rights including all intellectual property rights in and to University Data shall remain the exclusive property of the University, and Selected Firm/Vendor has a limited, nonexclusive license to use these data as provided in this agreement solely for the purpose of performing its obligations hereunder. This agreement does not give a party any rights, implied or otherwise, to the other’s data, content, or intellectual property, except as expressly stated in the agreement.
3. Data Privacy
a. Selected Firm/Vendor will use University Data only for the purpose of fulfilling its duties under this agreement and will not share such data with or disclose it to any third party without the prior written consent of the University, except as required by this agreement or as otherwise required by law.
b. Protected University Data will not be stored outside the United States without prior written consent from the University.
c. Selected Firm/Vendor will provide access to University Data only to its employees and subcontractors who need to access the data to fulfill Selected Firm/Vendor obligations under this agreement. Selected Firm/Vendor will ensure that employees who perform work under this agreement have read, understood, and received appropriate instruction as to how to comply with the data protection provisions of this agreement.
d. The following provision applies only if Selected Firm/Vendor will have access to the University’s education records as defined under the Family Educational Rights and Privacy Act (FERPA): The Selected Firm/Vendor acknowledges that for the purposes of this agreement it will be designated as a “school official” with “legitimate educational interests” in the University education records, as those terms have been defined under FERPA and its implementing regulations, and the Selected Firm/Vendor agrees to abide by the limitations and requirements imposed on school officials. Selected Firm/Vendor will use the education records only for the purpose of fulfilling its duties under this agreement for University’s and its End User’s benefit, and will not share such data with or disclose it to any third party except as provided for in this agreement, required by law, or authorized in writing by the University.
4. Data Security, Integrity, and Confidentiality
a. Selected Firm/Vendor will take reasonable measures, including an audit trail, to protect University Data and to ensure the integrity and availability of University Data against deterioration or degradation of data quality and authenticity. The Selected Firm/Vendor will be responsible during the term of this agreement, unless otherwise specified elsewhere in this agreement, for converting and migrating electronic data as often as necessary so that information is not lost due to hardware, software, or media obsolescence or deterioration.
b. Selected Firm/Vendor will store and process University Data in accordance with commercial best practices, including appropriate administrative, physical, and technical safeguards, and an audit trail, to secure such data from unauthorized access, disclosure, alteration, and use. Such measures will ensure the confidentiality, integrity, and availability of University Data, and will be no less protective than those used to secure Selected Firm/Vendor’s own data of a similar type, and in no event less than reasonable in view of the type and nature of the data involved. Without limiting the foregoing, Selected Firm/Vendor warrants that all electronic University Data will be encrypted in transmission (including via web interface) in accordance with the latest version of Federal Information Processing Standards Publication (FIPS) 140-2.
c. If the Selected Firm/Vendor stores, transmits, or processes Protected University Data as part of this agreement, the Selected Firm/Vendor warrants that the information will be stored in accordance with the latest version of National Institute of Standards and Technology Special Publication 800-171 or the International Organization for Standardization and the International Electrotechnical Commission standard 27002 (ISO/IEC 27002).
d. Selected Firm/Vendor will use reasonable, appropriate industry-standard and up-to-date security tools and technologies in providing Services under this agreement.
5. Employee Background Checks and Qualifications
a. Selected Firm/Vendor shall ensure that its employees who will have potential access to University Data have passed reasonable and appropriate background screening and possess the qualifications and training to comply with the terms of this agreement.
6. Security Breach
a. Response. Upon becoming aware of a Security Breach, or of circumstances that are reasonably understood to suggest an actual or suspected Security Breach of University Data, Selected Firm/Vendor will immediately notify the University consistent with applicable state or federal laws, fully investigate the incident, and cooperate fully with the University’s investigation of and response to the incident. Except as otherwise required by law, Selected Firm/Vendor will not provide notice of an actual or suspected Security Breach directly to individuals whose Personally Identifiable Information was involved, regulatory agencies, or other entities, without prior written permission from the University.
b. Liability. If Selected Firm/Vendor must under this agreement create, obtain, transmit, use, maintain, process, or dispose of Protected University Data, the following provisions apply:
- In addition to any other remedies available to the University under law or equity, Selected Firm/Vendor will reimburse the University in full for all costs incurred by the University in investigation and remediation of any Security Breach caused by Selected Firm/Vendor, including but not limited to providing notification to individuals whose Personally Identifiable Information was compromised and to regulatory agencies or other entities as required by law or contract; providing one year’s credit monitoring to the affected individuals if the Protected University Data exposed during the breach could be used to commit financial identity theft; and the payment of legal fees, audit costs, fines, and other fees imposed by regulatory agencies or contracting partners as a result of the Security Breach.
- In addition to any other insurance coverage required by another contract/agreement with the University, the Selected Firm/Vendor will, for the duration of the term of the agreement, maintain at least $1 million Cyber Liability coverage with insurance companies that hold at least an A- financial rating with A.M. Best Company. In no event should the Selected Firm/Vendor construe these minimum required limits to be their limit of liability to the University.
- The University must be named as an Additional Insured on the Cyber Liability Insurance, and the proper name is “The Commonwealth of Virginia, and the Rector and Visitors of the University of Virginia, its officers, employees and agents.” Upon the University’s request, the Selected Firm/Vendor will provide a Certificate of Insurance (COI).
7. Response to Legal Orders, Demands or Requests for Data
a. Except as otherwise expressly prohibited by law, Selected Firm/Vendor will:
- immediately notify the University of Selected Firm/Vendor’s receipt of any subpoenas, warrants, or other legal orders, demands or requests seeking University Data;
- consult with the University regarding its response;
- cooperate with the University’s reasonable requests in connection with efforts by the University to intervene and quash or modify the legal order, demand or request; and
- provide the University with a copy of its response.
b. If the University receives a subpoena, warrant, or other legal order, demand or request (including request pursuant to the Virginia Freedom of Information Act) seeking University Data maintained by Selected Firm/Vendor, the University will promptly provide a copy to Selected Firm/Vendor. Selected Firm/Vendor will promptly supply the University with copies of data required for the University to respond in a timely manner, and will cooperate with the University’s reasonable requests in connection with its response.
8. Data Transfer Upon Termination or Expiration
a. Upon termination or expiration of this agreement, Selected Firm/Vendor will ensure that all University Data are securely returned or destroyed as directed by the University in its sole discretion. Transfer to the University or a third party designated by the University shall occur within a reasonable period of time, and without significant interruption in service. Selected Firm/Vendor shall ensure that such transfer/migration uses facilities and methods that are compatible with the relevant systems of the University or its transferee, and to the extent technologically feasible, that the University will have reasonable access to University Data during the transition.
b. Upon termination or expiration of this agreement, and after any requested transfer of data, Selected Firm/Vendor must Securely Destroy all data in its possession and in the possession of any subcontractors or agents to which the Selected Firm/Vendor might have transferred University data. The Selected Firm/Vendor agrees to provide documentation of data destruction to the University.
c. Selected Firm/Vendor will notify the University of impending cessation of its business and any contingency plans. This includes immediate transfer of any previously escrowed assets and data and providing the University access to Selected Firm/Vendor’s facilities to remove and destroy University-owned assets and data. Selected Firm/Vendor shall implement its exit plan and take all necessary actions to ensure a smooth transition of service with minimal disruption to the University. Selected Firm/Vendor will also provide a full inventory and configuration of servers, routers, other hardware, and software involved in service delivery along with supporting documentation, indicating which if any of these are owned by or dedicated to the University. Selected Firm/Vendor will work closely with its successor to ensure a successful transition to the new equipment, with minimal downtime and effect on the University, all such work to be coordinated and performed in advance of the formal, final transition date.
a. The University reserves the right in its sole discretion to perform audits of Selected Firm/Vendor at the University’s expense to ensure compliance with the terms of this agreement. The Selected Firm/Vendor shall reasonably cooperate in the performance of such audits. This provision applies to all agreements under which the Selected Firm/Vendor must create, obtain, transmit, use, maintain, process, or dispose of University Data.
b. If the Selected Firm/Vendor must under this agreement create, access, obtain, transmit, use, maintain, process, or dispose of Protected University Data or financial or business data which has been identified to the Selected Firm/Vendor as having the potential to affect the accuracy of the University’s financial statements, Selected Firm/Vendor will at its expense conduct or have conducted, at least annually, a:
- security audit by a third party with audit scope and objectives deemed sufficient by the University, which attests the Selected Firm/Vendor’s security policies, procedures, and controls;
- vulnerability scan by a third party of Selected Firm/Vendor’s electronic systems and facilities that are used in any way to deliver electronic services under this agreement; and
- formal penetration test by a third party of Selected Firm/Vendor’s electronic systems and facilities that are used in any way to deliver electronic services under this agreement.
c. Additionally, the Selected Firm/Vendor will provide the University upon request the results of the above audits, scans and tests, and will promptly modify its security measures as needed based on those results in order to meet its obligations under this agreement. The University may require, at University expense, the Selected Firm/Vendor to perform additional audits and tests, the results of which will be provided promptly to the University.
a. Selected Firm/Vendor will comply with all applicable laws and industry standards in performing services under this agreement. Any Selected Firm/Vendor personnel visiting the University’s facilities will comply with all applicable University policies regarding access to, use of, and conduct within such facilities. The University will provide copies of such policies to Selected Firm/Vendor upon request.
b. Selected Firm/Vendor warrants that the service it will provide to the University is fully compliant with all state and federal laws, regulations, industry codes, and guidance that may be applicable to the service, which may include:
- any applicable national, federal, state, or local law, rule, directive, or regulation relating to the privacy of personal information, including, without limitation, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g, and its implementing regulations (“FERPA”), the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Privacy and Security Rules issued thereunder, the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), the Financial Modernization Act of 1999 (“Gramm-Leach-Bliley Act”), the Fair Credit Reporting Act as amended by the Fair and Accurate Credit Transactions Act, the Americans with Disabilities Act, and the Virginia Consumer Data Protection Act;
- Federal Export Administration Regulations, Federal Acquisitions Regulations, Defense Federal Acquisitions Regulations and Department of Education guidance.
c. If the Payment Card Industry Data Security Standard (PCI-DSS) is applicable to the Selected Firm/Vendor service provided to the University, the Selected Firm/Vendor agrees to:
- Store, transmit, and process University Data in scope of the PCI DSS in compliance with the PCI DSS; and
- Attest that any third-party providing services in scope of PCI DSS under this agreement will store, transmit, and process University Data in scope of the PCI DSS in compliance with the PCI DSS; and
- Provide either proof of PCI DSS compliance or a certification (from a recognized third-party security auditing firm), within 10 business days of the request, verifying that the Selected Firm/Vendor and any third party who stores, transmits, or processes University Data in scope of PCI DSS as part of the services provided under this agreement maintains ongoing compliance under PCI DSS as it changes over time; and
- Store, transmit, and process any University Data in scope of the PCI DSS in a manner that does not bring the University’s network into PCI DSS scope; and
- Attest that any third-party providing services in scope of PCI DSS under this agreement will store, transmit, and process University Data in scope of the PCI DSS in a manner that does not bring the University’s network into PCI DSS scope.
The Selected Firm/Vendor’s obligations under Section 8 shall survive termination of this agreement until all University Data has been returned or Securely Destroyed.