Data security and service agreements: what constructs should you have in place?
03 November 2016
Australian universities hold vast repositories of financial, personal and academic information as well as valuable research and commercialisation information on-premises and in cloud-based systems. This makes them a target for data security attacks.
It is easy to see how any data leakage or data compromise could significantly affect a university and its reputation. Inadequate data security processes and measures, particularly in a decentralised administrative environment, place the integrity of the operational, research and teaching activities of a university at risk. For these reasons, universities need to work with their technology service providers to effectively manage the legal risks relating to data security in their third party service agreements—particularly where the third parties collect, hold, process or store data. Here, we look at the key constructs universities should have in their service agreements to protect the integrity and security of university data.
What data should be covered?
A university's data set, which is ordinarily covered in the data security provisions of a service agreement, should be broadly defined and may include:
- personal information (e.g. relating to employees and students)
- student data and educational records
- the data of any affiliates of the university
- trade secrets
- research information and statistics
- intellectual property
- financial information
- medical records, and
- any other operational and business information relating to the university.
While a broad definition may result in overlapping coverage with other obligations of the supplier in a service agreement (for example, those relating to confidentiality and privacy), additional data security requirements should provide greater protection.
Which legal constructs should be included in the agreement?
Universities should consider including provisions in their service agreements that cover three data security constructs: compliance with standards, an obligation to notify the university of any data breach, and general data security compliance obligations.
Compliance with standards
Suppliers should be obligated to acquire and maintain any licences, authorisations, consents, approvals and permits required to enable them to provide the services under the agreement.
Suppliers should also be required to comply with all applicable university policies, laws and standards, as well as any other performance-related regulatory and industry standards.
Obligation to notify of a breach
Suppliers should be required to notify the university of any actual, alleged or suspected breach of data security. Additionally, they should be required to take steps to rectify the breach, investigate its cause and implement appropriate remedial measures.
Data security compliance obligations
To avoid any dispute over proprietary rights in or to university data held by the supplier or on its behalf, the university must include a clear provision that the data is the university's property.
The services agreement should also include provisions that:
- limit access to and use of the data, and require personnel who have been assigned to perform the services to be notified that the data is the property of the university and must only be accessed and used in the manner agreed
- limit the ability to transfer the data from a specified location to a different location, other than for the purpose specified in the agreement or with the prior consent of the university
- prohibit the circumvention of any security system or security measure of the university, while requiring the supplier to establish and maintain safeguards (no less rigorous than those maintained by the university) against the destruction, loss or alteration of, and prohibited access to, the data. The supplier should be required to notify the university of any unauthorised use of or access to the data, and to permit the university to conduct regular reviews, testing and validation of the security measures taken, including penetration testing where required
- give the university the right to reasonably request further information in connection with the supplier's security controls and measures, an express right to access the data at any time, and the right to establish back-up security for the data, and
- restrict the creation of any lien, charge, mortgage, security interest or encumbrance on or over the data.
The supplier should ensure that all subcontractors have obligations in respect of the university data that are at least as onerous as the supplier's obligations under the service agreement, and that the university has the same rights against any subcontractor as it does against the supplier in respect of data security and compliance. The university should also include provisions requiring the supplier, at the university's election, to return or destroy the data upon termination or expiry of the agreement, when the supplier ceases to provide services to the university.
It is increasingly important for universities to implement and maintain data security policies. These policies should be accompanied by appropriate measures and data security instruments that enable the university to continually test and ensure compliance. If a university engages a third party service provider, the university should take steps to ensure there are appropriate and adequate provisions in the service agreement, including provisions that cover the constructs described in this article, to protect any university data that will be collected, held, processed or stored by the supplier.