Data Protection FAQs

This is a set of questions (under development) that an organization should be asking of potential vendors related to protection and security of its data. 

Questions You Should Be Asking About Data Protection and Privacy

• What is the privacy policy?
  • Under what circumstances can it be modified?
  • How will I be notified of modifications? Will I be proactively contacted, or will I be responsible for monitoring a webpage?
• How does the organization protect my data in transit?
  • does it use SSL (https://)?
• How does the organization protect my data while in its data center (aka "at rest")?
  • is it encrypted?
  • is it housed in systems in the United States? Without exception?
  • How is access managed? E.g. who has access, and under what circumstances?
  • what controls are in place to ensure only appropriate staff are able to decrypt it, and under what circumstances?
    • normal use for intended purposes
    • in response to subpoena or other lawful judicial order (e.g. discovery process)?
• How long has this organization been in business?
• What information is available about its stability and long-term business prospects?
• What if this organization goes out of business - what happens to my data?
  • Is there a data escrow plan in place?
• What if this organization is acquired - what happens to my data?
  • What happens to my agreement(s) with the organization under new ownership or management? 
• How long can an organization hold data about me after the end of our official business relationship?
  • what processes are in place to protect data after the relationship ends?
• Can an organization use my information or pass it on without my consent?
• There is inaccurate information held on my file. What can I do?
• How do I get information (including medical records) held about me corrected?
• How do I get an organization to stop using my data?
• How do I get information held about me deleted?

* What is a privacy notice?

Contractual Examples

• RFP for North Carolina Department of Public Instruction (NCDPI) - "Identity and Access Management Managed Service for the North Carolina Education Cloud"
  • (In particular under Section VII - Terms and Conditions and Supplemental Terms and Conditions, p. 72, Items 24, 26 referencing Confidentiality of State Data and FERPA)