MFA on VPN

Multi-factor Authentication Required for myVPN Starting July 22, 2024 - Learn More

CSP - AHoU - PIA SACA

 
Outsourcing & Service Provider Management

7. Privacy Impact Assessment

Are Users and IT Support Staff in this Unit aware and held accountable for conducting Privacy Impact Assessments?


Control or Process Description​

Are Privacy Impact Assessments conducted for all new or substantially modified projects. A “project” refers to any system, process, program or activity that supports University business.


Why is this Essential?

It is the project owners responsibility to conduct a Privacy Impact Assessment (PIA), working in collaboration with the PrISM team. PIA requests should be submitted as early as possible within a project when enough is know to submit the request. This should be around the business case stage and before a contract is signed. The PIA will usually be completed around the time of the project going live.


Reference Links​
Information Security Standards – U1 Security Classification of UBC Electronic Information
Information Security Standards – U9 Outsourcing and Service Provider Management
Information Security Standards – U11 Securing Internet of Things (IoT) Devices
Information Security Standards – M11 Development and Modification of Software Applications
Privacy Matters @UBC - Personal Information, How to protect personal information online
Privacy Matters @UBC – PIA

Instructions​

To learn how to initiate a PIA , visit Privacy Matters @UBC – PIA


What is Acceptable?

The importance of assessing privacy/information security risk is part of the unit's culture. Staff are educated and encouraged to "prepare for" and "complete" Privacy Impact Assessments.




8. Security & Confidentiality Agreement

"Are Users and IT Support Staff in this Unit held accountable for obtaining a Security and Confidentiality Agreement (SACA) before any Service Provider is granted access to Medium, High or Very-High risk UBC Electronic Information and Systems?"


Control or Process Description​

The Administrative Head of Unit should set a clear expectation that SACAs be put in place where required.

Service Providers must sign a Security and Confidentiality Agreement (SACA) prior to being granted access to Medium, High or Very High Risk Information. The Administrative Head of Unit of Unit may request the Office of the University Counsel to grant a waiver of the requirement for a SACA where the primary contract with the Service Provider contains equivalent privacy and security language. Doctors, lawyers, accountants, auditors, psychologists and other professionals who are bound by a duty of confidentiality do not need to sign a SACA.


Why is this Essential?

Signed SACAs both set clear expectations with vendors on their responsibilities relating to UBC information and systems as well a transfer some legal responsibility in the event of a breach not caused by UBC.


Reference Links​
Information Security Standards – U9 Outsourcing and Service Provider Management
Office of the University Counsel/ Protection of Privacy/ Security and Confidentiality Agreements

Instructions​

Service Providers must sign a Security and Confidentiality Agreement (SACA) prior to being granted access to Medium, High or Very High Risk Information. The Administrative Head of Unit of Unit may request the Office of the University Counsel to grant a waiver of the requirement for a SACA where the primary contract with the Service Provider contains equivalent privacy and security language. Doctors, lawyers, accountants, auditors, psychologists and other professionals who are bound by a duty of confidentiality do not need to sign a SACA.


What is Acceptable?

The Administrative Head of Unit must be comfortable that the unit is aware of this requirement and in most circumstances will request a SACA.

For any individual vendor either a SACA is signed, or a waiver is obtained from University Counsel where equivalent privacy and security language exists.





UBC Crest The official logo of the University of British Columbia. Urgent Message An exclamation mark in a speech bubble. Caret An arrowhead indicating direction. Arrow An arrow indicating direction. Arrow in Circle An arrow indicating direction. Arrow in Circle An arrow indicating direction. Chats Two speech clouds. Facebook The logo for the Facebook social media service. Information The letter 'i' in a circle. Instagram The logo for the Instagram social media service. Linkedin The logo for the LinkedIn social media service. Location Pin A map location pin. Mail An envelope. Menu Three horizontal lines indicating a menu. Minus A minus sign. Telephone An antique telephone. Plus A plus symbol indicating more or the ability to add. Search A magnifying glass. Twitter The logo for the Twitter social media service. Youtube The logo for the YouTube video sharing service. Bell Warning