Skip to Content

Division of Information Technology

Data Sharing Agreement

A Data Security Sharing Agreement is a data exchange approval process. It focuses on three security-related traits of data, including: data elements, their classifications, and the method of sharing. Departments and Organizational Units (OU) use this process to request data from data stewards.

Data Sharing Agreement Overview

Data sharing requests inform Data Stewards about key compliance issues. For example, they cover:

  • The sensitivity of data requested,
  • Any laws or regulations that apply,
  • The frequency and method that will be used to share the data, and
  • The security profile of the requesting system (or service).

With the information supplied in the Data Sharing Agreement, Data Stewards have the security info they need to make an informed, risk-based decision. 

The Data Sharing Agreement Process

This section describes the roles and their responsibilities in the Data Sharing Agreement Process.


There are five roles in the request process.

  1. Organizational Unit  - the university department requesting data
  2. DoIT Data Governance process facilitator
  3. University Information Security Office (UISO) - the university department that provides security and consulting services
  4. Data Steward - the role responsible for making security decisions for information under their charge
  5. General Counsel as needed


The Organizational Unit will:

1. Identify the appropriate Data Steward

This roster of data stewards [PDF] will help you identify the right individual. For example, the Data Steward responsible for Student Records is the Registrar.

2. Determine the classification of the data involved.

Data can fall into one of four classification levels: Public, Internal, Confidential, and Restricted. The data's classification [pdf] will help you determine the classification levels.

3. Prepare or acquire from the vendor a SOC2 or HECVAT form.

4. Request a Security Risk Assessment from the UISO. 

5. Append the results of the Security Risk Assessment to the Data Sharing Agreement.

6. Complete and submit the Data Sharing Agreement to DoIT for registration and data steward approvals. 

7. Continue with the work or work request when all data stewards have been approved. 

The University Information Security Office will:

  1. Review key elements of the Data Sharing Agreement including:
    1. Vendor–SOC2 and/or HECVAT
    2. Data elements
    3. Frequency and method of sharing
  2. Return a risk assessment for the request

The Data Steward will:

  1. Review the request
  2. Make an approval decision
  3. Record the decision on the Data Sharing Agreement
  4. Communicate their decision to the OU

DoIT will:

  1. Register the Data Sharing Agreement in ServiceNow
  2. Set it up for annual review in ServiceNow

Challenge the conventional. Create the exceptional. No Limits.