How do I request a Third-Party Assessment?

The Data Stewards have partnered with the University Information Security and Policy Offices to help units meet the requirements to comply with IU policy and privacy legislation. This service ensures that our vendors and other third parties appropriately handle the data that we share with them. This assessment offers:

  1. A review of the data classification and contract requirements based on the data to be shared with the third party.
  2. A review of the privacy policy of the third party to ensure they are not collecting data without our knowledge, claiming data ownership, or sharing it with other third parties without our approval.
  3. A review of the data requested to ensure it meets regulation requirements and has a legitimate educational interest.
  4. If Personally Identifiable Information (PII), restricted, or critical data are involved it will include a review of the vendor’s HECVAT submission. This survey is given to assess the third parties’ security readiness.

While the university recognizes the need to share institutional information with third parties to accomplish its mission, we recommend using the service to reduce the risks to your unit and to the institution. While a common use case for sharing data with a third party may be to share with a vendor offering an IT software or service, other purposes may include: auditing, research, partnering with an organization to assess institutional effectiveness or sharing contact information or specific academic performance data with federal and state officials.