PSQS Q&A between GCC/OIT and District Legal (Contracts)

The following results from a Q&A between GCC/OIT and District Legal (Contracts).

When should new software requests be submitted to CLM for security/compliance review?

  • CLM review and approval is required any time privacy and security implications exist (CI/PII/Student Records/Health Records)
  • If the purchase documentation requires a signature
  • If the purchase documentation refers to online terms and conditions (by paying the invoice, you are binding MCCCD to those terms and conditions)

Who is ultimately responsible for filling out the PSQS?

  • Currently, we encourage that any combination of the requestor, local SME, and/or manufacturer be used as resources to accurately fill out the PSQS, for the convenience of the requestor (due diligence).
    • The intent was that the person requesting the agreement would complete the PSQS because they understand what the service is, how it works, what kind of information might be shared, etc. The vendor should NEVER complete the documentation. The MCCCD employee completes the PSQS as the first level of privacy and security (P&S) review based on their understanding of the service (or product). The requester may have any kind of conversation with all of these individuals to better understand how the service/product will be used and what P&S implications exist, but ultimately, they are the ones who need to complete and sign the PSQS form.

Who is ultimately responsible for signing a PSQS when one is needed?

  • The employee requesting the service/product: the one who initiated the request and who understands the need for the service/product and how it will be used.

When someone completes a PSQS, what conditions result in the need for a CLM entry?

  • A PSQS should accompany EVERY type of agreement entered in CLM, except real estate (e.g., leases).
  • The only time a PSQS alone would be entered into CLM is for an LTI review. Even a terms and conditions only review should include copies of the online TCs, for convenience (or a direct URL at the very least, similar to an LTI).

Can software/cloud application use changes or function changes trigger a need to process again?

  • An example of change in use would be when tutoring asks their students to sign in to a service using their MEID but then decides the next semester to verify their MEID with their course and full name. An example of function change would be when a cloud app adds a new service that allows faculty to perform grading but now asks for a course number next to the student’s name. Previously, the use and function were compliant but now have potential security/FERPA concerns in this example.
    • If the use or function change requires access to CI/PII/student records/health records that are different from those already reviewed, yes, a new review will be required. The PSQS would need to be updated to reflect the new data being shared/accessed.

When should desktop EULAs be considered for CLM review?

  • When the license is for more than one person and/or if there are P&S implications.

If any of the above items are recommendations, as opposed to requirements, what is the recommendation from the General Counsel for any of the above processes or conditions for best practices?

  • How the PSQS is completed (aside from having the vendor do it all) can be handled by College SMEs in conjunction with the requester, but the requester will ultimately be the one to whom questions go and who will be the point person for Legal when needed regarding the purchase and use. So, if a faculty member is initiating the use, they may work with College IT and the vendor to get the form completed, but they will be responsible for answering Legal's questions or finding out the answer.
  • The rest are requirements.

What autonomy does the campus have in determining processes, requirements, and procedures when conducting the review process for anything having to do with CLM?

  • The College has full autonomy on how it chooses to assign responsibilities for selecting products/services, reviewing them, and ultimately inputting necessary records in CLM, whatever that might look like. The assumption is that once an agreement is in CLM, it has been vetted by the College (use, support, budget, etc.) and is ready to be reviewed and finalized. Negotiations regarding the terms and conditions are not a College-led or controlled activity; that's what the CLM process is for, and Legal will take care of that, including requesting additional protections with our Data Confidentiality and Security Addendum when needed.

What liability does the PSQS requestor own, if any, when signing the PSQS from a legal standpoint, either internal or external, to MCCCD?

  • Only MCCCD employees should be signing the PSQS to attest to their understanding of the information provided. MCCCD as a whole would ultimately be the ones held accountable if security issues are discovered and a review was never initiated because the PSQS was completed incorrectly. It is expected that the PSQS is completed to the best of the requester's ability, and if they have questions, they should initiate conversations with College IT and the vendor to ensure they know exactly what will be shared/accessed and how before submitting the PSQS and agreement to be entered into CLM.

Details

Article ID: 198
Created: Wed 5/29/24 4:16 PM
Modified: Wed 5/29/24 6:00 PM