Update!! HRP wants our research community to be aware of the following. The enterprise license for the Qualtrics survey tool was extended for one last year on the UCI campus. With the last contractual negotiation for the enterprise license, the vendor did not agree to the terms in UC's Appendix DS[1]. This means that Qualtrics is not approved for the collection of P3/P4 data. See below.

What Is P3 or P4 Data?

Definitions and additional information about protection levels are located on the security team's data classification website. Some examples (not comprehensive) are included below.
I do have this data. What do I do now?

If you no longer need to collect P3/P4 data, please be sure to close out your survey, extract the necessary data that you need, store it in a secure location, delete the project and the data from Qualtrics, then notify your IT support team where you have stored the data. This is to keep our sensitive data inventory up to date.

If you need to continue to collect P3/P4 data, you will need to work with your IT support team to fill out a security exception request form at https://www.security.uci.edu/program/exception/ and submit it to securityrisk@uci.edu.

If you have any questions, as noted above, please work directly with your IT support team.
Here is a quick overview of what vendors agree to when signing Appendix DS:
- Agree to protect our data and not sell it or use it for other purposes without our permission
- Have a documented security plan that we can evaluate
- Have some evidence that they are following their own security plan
- Tell us if they make major changes to their security plan, security posture, or have any significant security vulnerabilities in their environment
- Agree to return and/or delete our data when the contract ends
- Tell us (if they are legally allowed to do so) if there are any legal requests for our data
- Tell us if our data is breached, work with us to investigate, and bear notification and other costs as appropriate. A breach can also be grounds for termination.
- Agree not to install backdoors or other illicit code in software or systems
- Agree to perform appropriate background checks on employees that have access to our systems or data