If an instructor wishes to utilize a software or technology service in their course for which the University does not have a site license, the software must be reviewed through a required risk management process. This process applies to all software and services of any dollar value, even if the students purchase the software or if the product is free.
Why are privacy and security reviews required when working with a vendor?
The University of Connecticut relies on partnerships with vendors to conduct business. At times, we may need to provide vendors with confidential or protected information, including FERPA-protected data such as grades. These reviews are meant to protect the institution and its data from security breaches, improper use of University data, and to ensure appropriate handling of data at contract termination.
What information is frequently shared in educational technology tools that need to be protected?
A variety of FERPA-protected data are commonly stored in educational technology tools, including grades, test/assignment scores, and courses taken. Whenever a software tool has access to FERPA-protected data, it is allowing private data to be seen by a company outside of UConn. As a university, it is our responsibility to ensure this data is protected. Having a privacy agreement in place with these companies is one way that UConn ensures the protection of FERPA-protected data.
How is a privacy and security review of a vendor triggered?
The process starts when an individual or department creates a requisition within HuskyBuy for a software or technology service purchase, even if there is no cost associated with acquiring the product/platform. The requester must complete the Software and IT Services Form. A representative from the requesting department (usually the administrative personnel who handles purchasing, but this could also be faculty or staff) would submit a zero-cost requisition from HuskyBuy.
This HuskyBuy user guide walks users through the process of submitting a requisition request, which starts the review and procurement process for the requested software.
While completing the process in Husky Buy, the department will identify if the software or technology service stores any FERPA-protected data or requires integration or data feeds from existing UConn datasets. If it does store FERPA-protected data or integrates, the department must complete the Security Vendor Review Request form. (That form will be sent to the requester as part of the review/procurement process.)
Often ITS becomes aware of the use of an educational software product when an instructor asks for an LTI to be added to HuskyCT. When this request is made, ITS checks to find out if the instructor has ensured that a privacy agreement is in place. Often it is not, so the agreement must be obtained prior to the LTI placement. This is done by the instructor’s department by putting in the zero-cost requisition and completing the Software and IT Services Form. This is done even if the product is paid for by the students or is free as the zero-cost requisition is simply triggering the request for review.
Once the Security Vendor Review Request is submitted, the product will be reviewed to determine if it contains FERPA-protected data. If it does not, there is no need for an agreement. If it does, the company will be contacted to start to process of getting them to sign the privacy agreement.
Who completes privacy and security reviews?
Privacy and Security staff in ITS and contracting staff in Procurement/Business Services work with the vendor to complete assessments and get contracts/agreements signed. During this process, staff work to analyze vendors’ responses and detect and work toward resolving any privacy or security risks. Ultimately, all of this is done to protect student privacy and while ensuring UConn follows the State of Connecticut’s privacy laws.
How long does it take for privacy and security reviews to be completed?
In general, Privacy and Security can launch review assessments within a few days, but agreements/contracts also need to be reviewed and signed by Procurement/Business Services. Completion of the assessment will largely depend on the vendor’s cooperation, and any level of risk detected. It may take several weeks for appropriate reviews to be completed, so we recommend that instructors plan for and submit requests months in advance of when they plan to begin using the software in their course.