Information for Buyers and Customers

Data Security

You can help us promote good information security on campus by asking the following question of your customers.

Does the solution you are purchasing process, store, reproduce, or transmit personally identifiable information, including any one of the following:

  • Social security number
  • Driver's license number
  • California identification number
  • Financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
  • Medical information
  • Health insurance information

If so, please be aware that the solution must comply with the Minimum Security Standards for Electronic Information. For more information, see Before Sourcing Technology or contact IT Policy at itpolicy@berkeley.edu.

Cloud computing, hosted solutions, etc.

Buyers, please inform your customers of the following when purchasing applications and services hosted outside of UC Berkeley:

In most cases, the vendor has access to your data, communications, account information, etc. Don’t expect that the vendor’s privacy, security, or business continuity protections will meet UC standards. Some ground rules and important pointers:

  • Don’t use external information systems or services for anything that you’re not prepared to disclose or lose. It is best to assume that whatever information goes to or through the service may become public. This includes records of activities of those using the service, such as who used the service, what they used it for and when, etc.
  • Check out the company’s privacy policy — there should be a link to it somewhere on their website. Know what the vendor is going to do with the information you and others provide. This includes who they may provide information to and who they will allow to access it. What permissions have you granted by accepting their agreement/Terms of Use?
  • Don’t use external information systems or services to collect personal information without ensuring that all appropriate campus policies are met. Please contact IT Policy at itpolicy@berkeley.edu for more information.
  • Don’t expect to get your information back if the company has a disruption in service, is acquired, or goes out of business. Keep local copies/backups of any critical data or records just to be safe.
  • Don’t expect to be informed if law enforcement or the government requests or subpoenas information from the vendor or service provider. This is true even if a UC-approved agreement is in place. While some organizations will try to direct the requester to you/the University first, there is no guarantee that this will happen, and the vendor may even be forbidden from disclosing the request. This means that your privacy and the privacy of everyone using the product or service is dependent on the outside organization.