Data Sharing Agreement Overview
Data sharing requests inform Data Stewards about key compliance issues. For example, they cover:
- The sensitivity of data requested,
- Any laws or regulations that apply,
- The frequency and method that will be used to share the data, and
- The security profile of the requesting system (or service).
With the information supplied in the Data Sharing Agreement, Data Stewards have the security information they need to make an informed, risk-based decision.
The Data Sharing Agreement Process
This section describes the roles and their responsibilities in the process. A flow of the process can be found here.
There are five roles in the request process.
- Organizational Unit - the university department requesting data
- DoIT Data Governance process facilitator
- University Information Security Office (UISO) - the university department that provides security and consulting services
- Data Steward - the role responsible for making security decisions for information under their charge
- General Counsel as needed
The Organizational Unit will:
1. Identify the appropriate Data Steward
This roster of data stewards [PDF] will help you identify the right individual. For example, the Data Steward responsible for Student Records is the Registrar.
2. Determine the classification of the data involved.
Data can fall into one of four classification levels: Public, Internal, Confidential, and Restricted. The data's classification [PDF] will help you determine the classification level.
3. Prepare or acquire from the vendor a SOC2 or HECVAT form.
4. Request a Security Risk Assessment from the UISO using the Service Catalog item.
5. Append the results of the Security Risk Assessment to the Data Sharing Agreement.
6. Complete and submit the Data Sharing Agreement to DoIT for registration and data steward approvals using the Service Catalog item.
7. Continue with the work or work request when all Data Stewards have approved.
The University Information Security Office will:
- Review key elements of the Data Sharing Agreement including:
  - Vendor–SOC2 and/or HECVAT
  - Data elements
  - Frequency and method of sharing
- Return a risk assessment for the request
The Data Steward will:
- Review the request
- Make an approval decision
- Record the decision on the Data Sharing Agreement
- Communicate their decision to the OU
- Register the Data Sharing Agreement in ServiceNow
- Set it up for annual review in ServiceNow