Third Party Access to University Information and IT Services Policy

This policy explains the risk assessments and access arrangements that are required to ensure effective information security when third parties need access to University information and systems.

It applies to University staff who are responsible for the specification and management of University IT services that are supported or accessed via third parties.

1. Policy

1.1 Third parties may be provided with access to University information and IT Services where there are business reasons to do so. Data protection and information security risks associated with such access will be managed through the use of risk assessments, Data Protection Impact Assessments and contractual agreements, to ensure the University meets its legal obligations.

1.2 Third parties can be involved in providing support and maintenance of University IT Services either on site or via remote access. Such arrangements will be delivered via a formal contract which includes binding requirements to ensure security of the University’s information and IT systems and to protect the confidentiality of its data. If the access involves transfer of personal data outside the European Economic Area, the access is to be governed by a contract which provides for the transfer and security of the data in line with the General Data Protection Regulation requirements.

1.3 In some third party arrangements, high levels of privilege might be needed for the third party to be able to carry out their activities. To ensure that security risks are identified and controlled, such access, whether on site or remote, must be managed in accordance with the “Method Statement - Managing third party access”.

1.4 Third parties might occasionally require physical access to areas where University IT equipment is located such as data centres and wiring centres. Such access must be agreed in advance with the relevant University manager and is subject to formal risk assessment. Access controls must be used and logs maintained.

1.5 For any third party access, the University and third party must agree in advance a code of practice, a data sharing arrangement and a non-disclosure agreement to protect University information and working practices.