3.6.1 Third Party Access and Business Agreements
Non-PLU parties (also known as vendors) may have access to or take possession of confidential PLU data only upon contractual agreement (commonly using the PLU Data Sharing Agreement) between the vendor and the university. Such agreements must
- specify the data to be accessed or transferred, how vendor (e.g. Ellucian, CBORD) access will be limited to this data alone or how only this data will be transferred to the vendor, the vendor’s security practices and transport measures to protect the data, and the time and means by which the vendor will relinquish access to or possession of the data; and
- be reviewed and signed by the Senior Senior Vice President and Chief Administration Officer for Administrative Services.
3.6.2 Hosted Services
Hosted services (also known as cloud services or software-as-a-service) may not utilize PLU authentication services (3.3.1), or use or retain restricted university data, unless both
- by contractual arrangement after review and endorsement by the I&TS Directors and the office of the Division of Administrative Services, and
- signed by the Senior Vice President and Chief Administration Officer for Administrative Services.
3.6.3 Administrative Access
In instances of both third party access to PLU-owned data and hosted services contracted by PLU, I&TS must be provided administrative access to all associated encryption and data stores.