The University is governed by important Regulations and Working Practices, particularly on the tendering and purchase of software and/or systems. This is particularly important if you are outsourcing any services involving personal or sensitive information including hosting services.
More specific guidance on the Financial Regulations is available on the Finance pages and within the Working Practices for Protecting Electronic Information in the Information Security Framework.
In line with project 'best practice' the Secretary to Council's Office advises departments to approach the following teams, in the early stages to ensure you have all the necessary assurances in place before the project starts:
The Purchasing Office - The Purchasing Manager
Information and Data Compliance - The Information Security and Compliance Advisor and where appropriate, the Privacy Support Officer
IT Services - IT Security
Research & Impact Services - For those academic departments who have an RIS contact
To assist with the initial stages of a project, which aims to purchase software and/or systems, the Secretary to Council's Office, ITS and Purchasing have constructed a Tender Initiation Document to identify the requirements of the project and any specific technical or data involvement. This provides a guide for departments to ensure all parties involved in the process are clear on any information security and/or data protection obligations.
The Pre-Qualifying Questionnaire stage of the restricted tender process (if applicable) is where the University assesses the broad capabilities of tender respondents to deliver the software and/or system. All questions relating to information security and/or data protection MUST be included at this stage as it is not possible to revisit these capability areas once the Invitation to Tender stage has commenced. To assist with this a data protection and information security workbook must be completed by all tender respondents. The data protection and information
security workbook must also be completed by any other third party being considered to handle our data. Once a data protection and information security workbook has been completed, it should be sent to: firstname.lastname@example.org, where it will be reviewed. Advice and recommendations on the intended use
of the tender respondent/third party will then be provided.
A checklist of some of the key areas for consideration when reviewing data processing contracts has also produced.