How to use the Regulated Data Chart
Before choosing a tool to send, store or share institutional information, ask two questions:
- Question 1: Does the Regulated Data Chart permit use of this IT service with the data type I am interested in working with?
- Question 2: Do my department/unit policies and my data steward permit use of this IT service with the data type I am working with?
If you don't know the answers to these questions, check with your supervisor.
If the answer to both questions is yes, you may use the IT tool to send and store the university data in question.
Important notes for chart users:
- Information in the chart applies to University contracted enterprise versions of the services listed and these should not be confused with consumer versions of these services or third party applications associated with these services that take institutional information outside of the protected technical environment that the University's contract with the vendor requires. Enterprise versions of cloud services are very similar to consumer versions in terms of features and capabilities. However, for enterprise versions, Seattle Pacific University
- negotiates institution-wide terms and prices.
- vets the service with its legal, policy, supply management, audit, and security specialists.
- integrates the service with SPU credentials and authentication environment (so that you can use your SPU Username+Password to log on, for example), when available.
- The Regulated Data Chart does not apply to data associated with faculty research unless that research falls under a regulation or contract.
The Regulated Data Chart indicates if appropriate technical safeguards and contractual protections are in place through for sending, storing, or sharing regulated or confidential data using a particular technology. Always check both the Regulated Data Chart and your local guidelines before deciding if a resource is a safe and acceptable for storing sensitive or regulated data.
Example: SPU's contract with (fictional) Vendor B requires that the company retain SPU's education records, such as a student's academic work, in a technical environment that protects against inadvertent disclosure and that the company implement privacy practices that meet FERPA standards. Because Vendor B is obligated to provide this level of protection, it is possible from a strictly contractual perspective, to send, store or share FERPA records using Vendor B's service. This contractual provision is the minimum, necessary requirement but is not, by itself, sufficient for permitted use of Vendor B's service with FERPA data. Although the Regulated Data Chart would indicate that this use is permissible, your data steward or your department/unit guidelines may still prohibit use of Vendor B's service.
Related Policies and Procedures