Information for Buyers and Customers
You can help us promote good information security on campus by asking the following question of your customers:
Does the solution you are purchasing process, store, reproduce, or transmit personally identifiable
information, including any one of the following:
- Social security number
- Driver's license number
- California identification number
- Financial account number, credit or debit card number, in combination with any
required security code, access code, or password that would permit access to an
individual’s financial account
- Medical information
- Health insurance information
If so, please be aware that the solution must comply with the Minimum Security Standards for Electronic
Information. For more information, see “Before sourcing your technology...” or contact IT Policy at firstname.lastname@example.org.
Cloud computing, hosted solutions, etc.
Buyers, please inform your customers of the following when purchasing applications and services hosted outside of UC Berkeley:
In most cases, the vendor has access to your data, communications, account information, etc. Don’t expect that the vendor’s privacy,
security, or business continuity protections will meet UC standards. Some ground rules and important pointers:
- Don’t use external information systems or services for anything that you’re not prepared to disclose or lose. It is best to assume
that whatever information goes to or through the service may become public. This includes records of activities of those using the
service, such as who used the service, what they used it for and when, etc.
to do with the information you and others provide. This includes who they may provide information to and who they will allow to access it.
- Don’t use external information systems or services to collect personal information without ensuring that all
appropriate campus policies are met. Please contact IT Policy at email@example.com for more information.
- Don’t expect to get your information back if the company has a disruption in service, is acquired, or goes out of business.
Keep local copies/backups of any critical data or records just to be safe.
- Don’t expect to be informed if law enforcement or the government requests or subpoenas information from the vendor or service provider.
This is true even if a UC-approved agreement is in place. While some organizations will try to direct the requester to you/the University
first, there is no guarantee that this will happen, and the vendor may even be forbidden from disclosing the request. This means that your
privacy and the privacy of everyone using the product or service depend on the outside organization.