The University is governed by important Regulations and Working Practices, particularly on the tendering and purchase of software and/or systems. This is particularly important if you are outsourcing any services involving personal or sensitive information including hosting services.
More specific guidance on the Financial Regulations is available on the Finance pages and within the Working Practices for Protecting Electronic Information in the Information Security Framework.
In line with project 'best practice' the Secretary to Council's Office advises departments to approach the following teams, in the early stages to ensure you have all the necessary assurances in place before the project starts:
The Procurement & Insurance Office - The Procurement Manager
Information and Data Compliance - The Information Security and Compliance Advisor and where appropriate, the Privacy Support Officer
IT Services - IT Security
Research & Impact Services - For those academic departments who have an RIS contact
To assist with the procurement planning stages of a project the Procurement & Insurance Office have developed a Tender Initiation Summary (TIS) Document to identify the requirements of the project and any specific technical or personal data involvement. This provides a guide for departments to ensure all parties involved in the process are clear on any information security and/or data protection obligations. At the planning stages of any tender process a completed Tender Initiation Summary should be submitted to the Procurement & Insurance Team, although we recommend speaking to one of the team about your requirement before completing a TIS as we may have an existing agreement in place to meet your needs.
As part of any procurement process suppliers will be asked to provide details of their organisation, proposed products, services and systems as applicable. Where relevant to the scope of the tender this shall include questions relating to information security and/or data protection, this is not necessarily limited to suppliers of software or IT products.
When it has been determined that suppliers will need to be assessed by the Information Security team, those requesting a product or service must contact email@example.com with the following information: Name of the supplier, name of the product, why the product or service was chosen, when it will be implemented, where it will be used and how it will be implemented. If a comprehensive review of a suppliers' security practices is deemed necessary, suppliers may be asked to complete the University’s data protection and information security workbook. This shall be agreed as part of the procurement planning process and issued with the Invitation to Tender (ITT) and / or contractual documents. The completed workbooks will then be reviewed by the Information and Data Compliance Team and advice and recommendations will be provided as needed. Further information on the data protection and information security workbook process can be accessed here.
A checklist of some of the key areas for consideration when reviewing data processing contracts has also produced.