Vendor Review Form
Vendor Review Form
Please download and complete this form. Do not complete this form on your
browser. Download the file to your device before starting.
Email the completed form and all required attachments to the Campus
Privacy Office at for review. Incomplete forms may be returned without
review.
Thank you!
Demographics:
Information that, alone or in combination with other data, regardless of where those Data are stored or who has ac
is capable of being associated with, or could reasonably be linked, directly or indirectly, with or single out an individ
information includes, but is not limited to, the following:
- Identifiers such as a real name (legal or preferred), alias, postal address, telephone number, unique personal ide
Protocol address, MAC addresses, and other unique device identifiers, email address, account name, social security
number, insurance policy number, education, employment, employment history, bank account number, credit card
by or attributed to the individual, physical characteristics or description, or any other financial information, medical
or other similar identifiers.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search
interaction with an Internet Web site, application, or advertisement.
- Biometric and behaviometric information.
- Characteristics of protected classifications under state or federal law.
- Commercial information, including records of personal property, products or services purchased, obtained, or co
histories or tendencies.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Educational information, including uses of services and products offered in an educational setting by virtue of th
recreational facilities, basic needs).
- Inferences drawn from any of the information to create a profile about a person reflecting the person's preferen
preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Identifiable information may include data that has been stripped of direct identifiers but leads to a small population
synonymously with "personally identifiable information," "PII," or "personal data".
Data tied to a protected class under State or Federal law, or from which membership within a protected class might
not limited to race, color, religion, sex/gender identity, gender expression, sexual orientation, marital or parental sta
status, national origin, ancestry, disability, age, and genetic information. Although not considered protected class, in
background, or relationships outside of their direct educational experience should be approached with extra caution
sort individuals into educational opportunities in lieu of more direct measures of need/benefit.
The EDUCAUSE Chief Privacy Officers' Vendor Review Working Group contributed their vision and sign
of this resource.
Steering Committee
Nichole Arbino
Susan Bouregy
Jeff Gassaway
Paul Guarino
Pegah K. Parsi
Joseph Potchanant
2021-2022
Mark Cather
Brian Kelly
Jonathan Kimmitt
Doug Welch
their vision and significant talents to the conception, creation, and completion
University of California San Diego
Requesting Department/Unit
Phone Number
Project Title
Type of Project Medical/Clinical Care Fundraising/marketing
Research Quality improvement/assessment
Outsourcing (process, University administration/operations
application/service)
Student Education Other (describe):
1. Overview.
a. Identify all non-UC San Diego parties involved in the project. Add additional lines as necessary.
Entity Name Role (e.g., vendor, funding sponsor, business Point of Contact P-3 Data will be transferred P-4 Data will be transferred
associate, subcontractor, collaborator, technical to/accessed/collected by entity to/accessed/collected by entity
support, etc.) Yes No Yes No
Yes No Yes No
b. In layperson’s language, briefly summarize the overall project and purpose, including the contributions of all parties identified above. Explain what need you are trying to address.
c. What is the target start date for this project or this project phase What is the expected period of performance?
2. Project Funding. If this project is externally funded, provide the name of the funding source, record number, or agreement.
Name of funding source:
Is funding under federal grant or contract? Agreement #:
Project is not externally funded
3. Contracts and Other Obligations. Identify and attach any agreeements, obligations or regulatory requirements related to this project, this datset, or the third parties involved.
No known obligations UC Terms and Conditions with Appendix DS
MOUs UC Terms and Conditions WITHOUT Appendix DS
Master Agreement Non-disclosure/Confidentiality Agreement
Umbrella Agreement Sponsored Research Agreement
Business Associate Agreement (BAA) Data Use Agreement
Collaborative Agreement FIPS, FISMA, NIST requirements in contract
Statements of Work Other (explain):
Service Level Agreements (SLAs)
4. Other Involved/Interested University Entities. Identify any other University entity whom you have worked or consulted as part of this project.
Campus Counsel Integrated Procure-to-Pay Solutions (IPPS)
Office of Contracts and Grants Administration Export Control
Office of Innovation and Commercialization Advancement
Registrar Office of Risk Management
Institutional Review Board (IRB) Health Sciences Compliance and Privacy
UCOP Other University Schools or Units:
Information Technology Services
5. Access. Who at UC San Diego will have access to the data and systems involved in this project? (Specific names, roles or offices)
Name Name
Role/Office Role/Office
6. Training. Describe data management, privacy, and security trainings required for access. All UCSD workforce members with access to personal data must complete on-demand Privacy@UCSD training
through UC Learning.
3. Are the Data Incoming to/Outgoing from the US? No Yes (where?)
* If you selected Epic of hospital medical records, permission from UCSD Health Privacy Office may be required.
5. Population Size. Provide an estimate of the number of indivituals whose data will be involved in this project.
1 - 500 501 - 10,000 > 10,000
University of California San Diego
6. Population Location. Some countries have very stringent privacy laws. If the data subject population is not entirely within the United States, specify the countries/regions in which data subjects are located physically.
US only Canada Other (specify):
EU/UK Brazil
China India
7. Data Elements Involved in any part of the Project. Select all that apply and explain, where necessary. Attach a data dictionary, if available. NOTE: Most apps and websites collect IP addresses and date-time stamps.
8. Explain the need for each type of data involved. Describe efforts to ensure that only the minimum necessary data are used/processed.
9. Will data be subject to any disclosure limation methods (e.g., de-identification, anonymization, differential privacy, or other masking) at any point in the data lifecycle (by UCSD or any vendors/third pa
Yes No
If yes, describe the process, and explain who will be responsible for it (third party or UCSD)
10. How will individuals whose data are involved be made aware of this data use and UC San Diego's data practices?
Consent (attach document or language) Website notice/Statement (attach)
Opt-in Opt-out
Hard copy notice/statement
They will not be aware (explain)
11. Will other UC San Diego units have access to this information (e.g., through activity hubs, shared for administration or analytics)?
Yes No
If yes, describe who will have access and for what purpose.
12. Will this information be combined with data from other sources?
Yes No
If yes, please describe what data will be combined and for what purpose.
13. Please describe how you and any other group or entity handling the data will address any requests from the data subjects (e.g., access, deletion, or correction requests) and who will be responsible for responding.
15. What is the disposition of the data at the end of this project?
Securely deleted
Masked and archived (explain where)
Masked and made available for open/public access (where)
16. Does any part of this project involve a web/app tracking component (e.g., use of web tracking pixels, cookies)?
Yes No
If yes, describe tool, data collected by the tool, and the justification and need for tracking users.
University of California San Diego
Version 1.0
GUIDANCE
Please review the data classification levels (i.e., P-levels) in BFS-IS-3 before completing this
form; data should be classified at the highest level of sensitivity applicable. If unsure of the
risk level, err on the side of the higher P-level.
Link to BFS-IS-3
A signed Appendix DS will be required, at minimum, from the third party for projects
involving P-3 and P-4 data. The Campus Privacy Office strongly suggests the this document be
provided to all vendors in advance for their review.
Link to Appendix DS
In order to protect the institution and its systems, vendors whose products and/or services will access, collect, and/
must complete the assessment tool. Throughout this tool, anywhere the term "data" is used, this is an all-encompas
will be reviewed by the institution's office responsible for privacy. This process will help the institution protect instit
and international regulations. This is intended for use by vendors and should be completed by a vendor.
While this tool has a format similar to that of the HECVAT, it is not affiliated with the HECVAT or endorsed by the HECVAT leadership tea
Step 1: Complete the Qualifiers section. Step 2: Complete each section answering each set of questions in order, fro
Submit the completed Higher Education Data Privacy Assessment to the institution according to institutional proced
Qualifiers
The institution conducts third-party data privacy assessments on a variety of third parties. As such, not all assessme
strategy is implemented and allows for various parties to use this common documentation instrument. Responses t
questions below.
Does your product process protected
health information (PHI) or any data
QUAL-01
covered by the Health Insurance
Portability and Accountability Act?
Company Overview
Documentation
Consulting
Will the consulting take place on-
CONS-01
premises?
Change Management
Data
Is sensitive data encrypted, using
DATA-01 secure protocols/algorithms, in
transport (e.g., system-to-client)?
Datacenter
Quality Assurance
Do you have a documented and
QLAS-01 currently implemented quality
assurance program?
Vulnerability Scanning
Are your systems and applications
VULN-01 regularly scanned externally for
vulnerabilities?
Data Privacy
Have you performed a Data Privacy
Impact Assesssment for the
DPRV-01 product/service/project?
Data Privacy AI
Does your service use AI for the
DPAI-01 processing of Institutional Data?
Is AI processing limited to fully licensed
DPAI-04 commercial enterprise AI services?
DPAI-06
oducts and/or services will access, collect, and/or host personal data on behalf of or in collaboration with the institution
the term "data" is used, this is an all-encompassing term including at least data and metadata. Upon submittal, answers
his process will help the institution protect institutional data and comply with institutional policies, state and federal laws,
d should be completed by a vendor.
ted with the HECVAT or endorsed by the HECVAT leadership team. Any questions or feedback on this tool should be directed to [email protected].
Vendor Name
Product Name and Version Information
Brief Description of the Product
http://www.vendor.domain/privacynotice
http://www.vendor.domain/VPAT
555-555-5555
555-555-5555
on answering each set of questions in order, from top to bottom; the built-in formatting logic relies on this order. Step 3:
the institution according to institutional procedures.
ariety of third parties. As such, not all assessment questions are relevant to each party. To alleviate complexity, a "qualifier"
mmon documentation instrument. Responses to the following questions will determine the need to answer additional
Vendor Answers Additional Information
Vendor Answers Additional Information
Vendor Answers Additional Information
Vendor Answers Additional Information
Guidance
COMP-04
Guidance
Guidance
THRD-03
Provide additional information that may
help analysts better understand your
environment and how it relates to third THRD-04
party solutions. If No, state your plans to
implement a third party management
strategy.
Guidance
CONS-01
CONS-02
CONS-03
CONS-04
CONS-05
CONS-06
CONS-07
CONS-08
CONS-09
Guidance
Guidance
AAAI-02
AAAI-12
Guidance
If Yes, provide links or attach
documentation. If No, summarize or decribe
your strategy to implement.
Guidance
Guidance
If Yes, summarize your transport encryption
strategy. If No, describe why sensitive data is DATA-03
not encrypted in transport.
Guidance
Guidance
Provide a valid URL to your current DRP or
submit it along with this fully populated DRPL-01
assessment.
Guidance
If No, state any plans to implement. FIDP-01
Guidance
If Yes, provide links to these documents or IH-01
attach. If No, state any plans to implement.
Guidance
Provide a valid URL to your Quality
Assurance program or submit QLAS-01
documentation.
Guidance
If Yes, decribe your external application VULN-01
vulnerability scanning strategy.
Guidance
HIPA-02
HIPA-03
HIPA-04
HIPA-05
HIPA-06
HIPA-07
HIPA-08
HIPA-09
HIPA-10
HIPA-11
HIPA-12
HIPA-13
HIPA-14
HIPA-15
HIPA-16
HIPA-17
HIPA-18
HIPA-19
HIPA-20
HIPA-21
HIPA-22
HIPA-23
HIPA-24
HIPA-25
HIPA-26
HIPA-27
HIPA-28
HIPA-29
Guidance
If Yes, describe where and what activities
will take place in the EEA.
Guidance
Refer to PCI-DSS Security Standards for PCID-01
guidance on all PCI-DSS related questions.
PCID-02
PCID-03
PCID-04
PCID-05
PCID-06
PCID-07
PCID-08
PCID-09
PCID-10
PCID-11
PCID-12
Guidance
If Yes, please indicate specific privacy
standard, last date performed and provide
documentation. If No, state any plans to
perform and time frame.
In order to protect the institution and its systems, vendors whose products and/or services will access, collect, and/
must complete the assessment tool. Throughout this tool, anywhere the term "data" is used, this is an all-encompas
will be reviewed by the institution's office responsible for privacy. This process will help the institution protect instit
and international regulations. This is intended for use by vendors and should be completed by a vendor.
While this tool has a format similar to that of the HECVAT, it is not affiliated with the HECVAT or endorsed by the HECVAT leadership tea
Step 1: Complete the Qualifiers section. Step 2: Complete each section answering each set of questions in order, fro
Submit the completed Higher Education Data Privacy Assessment to the institution according to institutional proced
Qualifiers
The institution conducts third-party data privacy assessments on a variety of third parties. As such, not all assessme
strategy is implemented and allows for various parties to use this common documentation instrument. Responses t
questions below.
Does your product process FERPA-
QUAL-02
related data?
Does your product process GDPR-
QUAL-03
related or PIPL-related data?
Does your product process personal
QUAL-04 data regulated by state law(s) (e.g.,
CCPA)?
Documentation
Change Management
Does your change management process
CHNG-02
include privacy review and approval?
Data
Are institutional data coming into or
going out of the United States at any
DATA-15
point during collection, processing,
storage, or archiving?
Will you handle personal data in a
manner compliant with all relevant
DATA-16
laws, regulations, and applicable
institution policies?
Data Privacy AI
Does your service use AI for the
DPAI-01 processing of Institutional Data?
DPAI-06
oducts and/or services will access, collect, and/or host personal data on behalf of or in collaboration with the institution
the term "data" is used, this is an all-encompassing term including at least data and metadata. Upon submittal, answers
his process will help the institution protect institutional data and comply with institutional policies, state and federal laws,
d should be completed by a vendor.
ted with the HECVAT or endorsed by the HECVAT leadership team. Any questions or feedback on this tool should be directed to [email protected].
Vendor Name
Product Name and Version Information
Brief Description of the Product
http://www.vendor.domain/privacynotice
http://www.vendor.domain/VPAT
555-555-5555
555-555-5555
on answering each set of questions in order, from top to bottom; the built-in formatting logic relies on this order. Step 3:
the institution according to institutional procedures.
ariety of third parties. As such, not all assessment questions are relevant to each party. To alleviate complexity, a "qualifier"
mmon documentation instrument. Responses to the following questions will determine the need to answer additional
Vendor Answers Additional Information
Guidance
Guidance
Guidance
Guidance
If Yes, please describe your process for
privacy review. If No, describe any plans to
implement.
Guidance
Guidance
Provide links to these documents in
Additional Information or attach them with
your submission.
Guidance
Guidance
If Yes, provide process of how privacy
feature request are incorporated. If No, are
there plans to implement.
Guidance
If Yes, describe where and what activities
will take place in the EEA.
Guidance
If Yes, please indicate specific privacy
standard, last date performed and provide
documentation. If No, state any plans to
perform and time frame.