19.18 / Third Party Data Transfers

Effective: October 11, 2022Last Revised: December 05, 2023

  1. Initiating Authority

    1. Information Security and the Chief Data Officer serve as the initiating authorities for this policy.

  2. Purpose

    1. The purpose of this policy is to decrease the risk around transmission and transfer of Restricted Information between the University and any Third Party.

  3. Policy

    1. Data Transfer of Restricted Information

      1. All Data Transfers of Industry Defense Programs ("IDP") Restricted Information or WSU Restricted Information shall be in accordance with this policy and applicable Data Transfer Processes and Procedures.
      2. All Data Transfers of WSU Restricted Information from the University to a Third Party must be reviewed and approved by the Data Management Committee ("DMC") prior to transmission.
      3. All Data Transfers of IDP Restricted Information from the University to a Third Party must be reviewed and approved by IDP IT prior to transmission.
      4. All Data Transfers of Restricted Information that involve both WSU Restricted Information and IDP Restricted Information must be reviewed and approved by both the DMC and IDP IT prior to transmission.
      5. The DMC and/or IDP IT, as applicable, shall be notified thirty (30) days prior to renewal of any Restricted Use Agreements.

    2. Restricted Use Agreements

      1. All Data Transfers of Restricted Information must be accompanied by a Restricted Use Agreement, unless otherwise set forth in this policy.
      2. All Restricted Use Agreements must be reviewed and approved by the Office of General Counsel.
      3. Restricted Information may be transmitted without a Restricted Use Agreement if the Restricted Information includes:
        1. student educational records protected by the Family Education Rights and Privacy Act (FERPA) and is being produced to the student, or a third party authorized by the student, pursuant to a valid FERPA authorization and release, or as otherwise permitted under FERPA;
        2. patient records protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and is being produced to the patient, or a third party authorized by the patient, pursuant to a valid HIPAA authorization and release, or as otherwise permitted under HIPAA;
        3. confidential personnel records and is being produced to the employee, or an third party authorized by the employee, pursuant to a valid authorization and release; or
        4. records that are requested or compelled by court order, subpoena, or otherwise mandated to be produced under the law.

    3. Termination of Transfer of Restricted Information

      1. Users must notify either the DMC (for WSU Restricted Information), IDP IT (for IDP Restricted Information), or both (for both WSU Restricted Information and IDP Restricted Information) prior to termination of a Data Transfer to obtain transfer termination instructions.
      2. The DMC and/or IDP IT may request termination of the transfer of Restricted Information and/or a Restricted Use Agreement.

  4. Definitions

    1. For the purpose of this policy only, the following definitions shall apply:
      1. Bulk Data: An electronic collection of data composed of information from multiple records, whose primary relationship to each other is their shared origin from a single or multiple databases.
      2. Cloud Service: Networked computing facility(ies) providing remote data storage and processing services via the internet. This can include but is not limited to Infrastructure as a Service (IaaS) or Software as a Service (SaaS) delivery methods and includes all cloud services, regardless of capacity.
      3. Controlled Affiliated Organizations: Wichita State University Intercollegiate Athletic Association, Inc., Wichita State University Union Corporation, Wichita State University Innovation Alliance, Inc., WSIA Investments Corporation.
      4. Data Management Committee ("DMC"): The University committee charged with managing and maintaining compliance with the Higher Learning Commission requirements related to institutional data for accreditation which includes but is not limited to providing oversight to University data systems to ensure data integrity, best practices in data management, reporting standards, information consistency, and security access.
      5. Data Transfer: Automated or manual transfer of Restricted Information from the University to a Third Party that involves the following agreements and/or situations: (1) agreement for the purchase or use of Cloud Services for data storage, transfer, or processing; (2) agreement with a third party to manage, store, or transmit Restricted Information on behalf of the University; (3) agreements that require the University to set up a connection with a third party to University systems to receive or store data; or (4) any agreement or request for a transfer of data via the Internet that is outside of the normal business process, such as a first-time transfer of Bulk Data. A Data Transfer may be a one-time transfer or an ongoing transfer. Data Transfers do not include: (a) University Restricted Information transferred under a sponsored research agreement, or (b) Restricted Information transferred under a legal request managed or expressly approved by the Office of General Counsel.
      6. Data Transfer Process and Procedures: Those processes and procedures established by the DMC and/or IDP IT governing Data Transfers to Third Parties, which are published on the Information Security webpage.
      7. IDP Restricted Information: Includes all Restricted Information that is stored only within the NIAR Enclave.
      8. IDP IT: The department / unit-specific technology office responsible for Industry and Defense Programs.
      9. NIAR Enclave: The set of system resources that operate exclusively in the IDP security domain and that share the protection of a single, common, continuous perimeter.
      10. Restricted Information: Includes all data, records, documents or files that contain information that is: (a) required to be maintained confidentially under any applicable law, regulation or University policy; (b) subject to a contractual obligation to maintain confidentiality; (c) subject to any applicable legal privilege or protection, such as the attorney-client privilege; (d) deemed by the University to be a trade secret, confidential or proprietary; and/or (e) classified by the University as WSU PRIVATE or above.
      11. Restricted Use Agreement: A Restricted Use Agreement shall include any written agreement with the University that contains restrictions on the use and disclosure of the Restricted Information being transmitted, including, but not limited to, non-disclosure provisions, nondisclosure and confidentiality agreements, business associate agreements, and data use agreements.
      12. Third Party: Any individual, organization, or entity that is not the University or a Controlled Affiliated Organization including, but not limited to a Cloud Provider.
      13. University: Wichita State University and Controlled Affiliated Organizations.
      14. User: Any individual, including but not limited to faculty, staff, students, contractors, and visitors who has access to and uses University information resources, systems or data.
      15. WSU Restricted Information: Includes all Restricted Information that is not stored within the NIAR Enclave.

  5. Applicable Laws And Additional Resources

    1. Kansas Information Technology Security Standard (ITEC) 7230A
    2. WSU Policy 3.12 / Security and Confidentiality of Student Records and Files
    3. WSU Policy 20.17 / Protected Health Information
    4. WSU Policy 20.18 / Privacy of Financial Information

  6. Revision Dates

    1. December 5, 2023