University Information may only be shared with external parties when protected through appropriate contractual agreements and the University has assured that the recipient will protect the data as appropriate for the nature of the data and the relationship with the data recipient.
Data Use Agreements
Data Use Agreements (DUA) are used for sharing data for research. These agreements are managed by the Office of Sonsored Projects. See Data Use Agreements
Business Associate Agreements
Business Associate Agreements (BAAs) are used for sharing HIPAA-protected PHI with contractors performing services on our behalf. See Business Associates.
Service Agreement Addendums
Service agreements may need to include an addendum to protect identified university data such as student data or data involving residents of the EU. Many of these agreements are managed by Procurement. If you are unsure or the agreement isn’t negotiated by Procurement or the Office of Sponsored Projects contact the Privacy Office.
If the data to be shared qualifies as moderate or high risk data (see Data Classification Guidelines) then the vender’s ability to protect data privacy in compliance with federal, state, or international requirements will need to be reviewed. Privacy expectations will depend on the type of data involved as well as the purpose of data sharing. A brief questionnaire should be completed by the Yale user to determine if further review of the vender is needed. Where needed, the vender should complete the Vender Privacy Assessment Questionniare.