This is a set of questions (under development) that an organization should ask potential vendors about the protection and security of its data.
- What is the privacy policy?
  - Under what circumstances can it be modified?
  - How will I be notified of modifications? Will I be proactively contacted, or will I be responsible for monitoring a webpage?
- How does the organization protect my data in transit?
  - Does it use SSL/TLS (https://)?
- How does the organization protect my data while in its data center (i.e. "at rest")?
  - Is it encrypted?
  - Is it housed in systems in the United States? Without exception?
- How is access managed? E.g. who has access, and under what circumstances?
  - What controls are in place to ensure only appropriate staff are able to decrypt it, and under what circumstances?
    - Normal use for intended purposes?
    - In response to a subpoena or other lawful judicial order (e.g. discovery process)?
- How long has this organization been in business?
  - What information is available about its stability and long-term business prospects?
- What if this organization goes out of business? What happens to my data?
  - Is there a data escrow plan in place?
- What if this organization is acquired? What happens to my data?
  - What happens to my agreement(s) with the organization under new ownership or management?
- How long can an organization hold data about me after the end of our official business relationship?
  - What processes are in place to protect data after the relationship ends?
- Can an organization use my information or pass it on without my consent?
- There is inaccurate information held on my file. What can I do?
  - How do I get information (including medical records) held about me corrected?
- How do I get an organization to stop using my data?
- How do I get information held about me deleted?
- What is a privacy notice?
Contractual Examples
- RFP for North Carolina Department of Public Instruction (NCDPI) - "Identity and Access Management Managed Service for the North Carolina Education Cloud"
  - In particular, under Section VII - Terms and Conditions and Supplemental Terms and Conditions, p. 72, Items 24 and 26, referencing Confidentiality of State Data and FERPA.