CSP - AHoU - PIA SACA


Outsourcing & Service Provider Management


7. Privacy Impact Assessment

Are Users and IT Support Staff in this Unit aware and held accountable for conducting Privacy Impact Assessments?


Control or Process Description

Are Privacy Impact Assessments conducted for all new or substantially modified projects? A "project" refers to any system, process, program or activity that supports University business.


Why is this Essential?

It is the project owner's responsibility to conduct a Privacy Impact Assessment (PIA), working in collaboration with the PrISM team. PIA requests should be submitted as early as possible within a project, once enough is known to submit the request. This should be around the business case stage and before a contract is signed. The PIA will usually be completed around the time the project goes live.


Reference Links
Information Security Standards – U1 Security Classification of UBC Electronic Information
Information Security Standards – U9 Outsourcing and Service Provider Management
Information Security Standards – U11 Securing Internet of Things (IoT) Devices
Information Security Standards – M11 Development and Modification of Software Applications
Privacy Matters @UBC - Personal Information, How to protect personal information online
Privacy Matters @UBC – PIA

Instructions

To learn how to initiate a PIA, visit Privacy Matters @UBC – PIA


What is Acceptable?

The importance of assessing privacy/information security risk is part of the unit's culture. Staff are educated and encouraged to "prepare for" and "complete" Privacy Impact Assessments.




8. Security & Confidentiality Agreement

"Are Users and IT Support Staff in this Unit held accountable for obtaining a Security and Confidentiality Agreement (SACA) before any Service Provider is granted access to Medium, High or Very-High risk UBC Electronic Information and Systems?"


Control or Process Description

The Administrative Head of Unit should set a clear expectation that SACAs be put in place where required.

Service Providers must sign a Security and Confidentiality Agreement (SACA) prior to being granted access to Medium, High or Very High Risk Information. The Administrative Head of Unit may request the Office of the University Counsel to grant a waiver of the requirement for a SACA where the primary contract with the Service Provider contains equivalent privacy and security language. Doctors, lawyers, accountants, auditors, psychologists and other professionals who are bound by a duty of confidentiality do not need to sign a SACA.


Why is this Essential?

Signed SACAs both set clear expectations with vendors on their responsibilities relating to UBC information and systems, and transfer some legal responsibility in the event of a breach not caused by UBC.


Reference Links
Information Security Standards – U9 Outsourcing and Service Provider Management
Office of the University Counsel / Protection of Privacy / Security and Confidentiality Agreements

Instructions

Service Providers must sign a Security and Confidentiality Agreement (SACA) prior to being granted access to Medium, High or Very High Risk Information. The Administrative Head of Unit may request the Office of the University Counsel to grant a waiver of the requirement for a SACA where the primary contract with the Service Provider contains equivalent privacy and security language. Doctors, lawyers, accountants, auditors, psychologists and other professionals who are bound by a duty of confidentiality do not need to sign a SACA.


What is Acceptable?

The Administrative Head of Unit must be comfortable that the unit is aware of this requirement and in most circumstances will request a SACA.

For any individual vendor either a SACA is signed, or a waiver is obtained from University Counsel where equivalent privacy and security language exists.