Data Protection Guide
All software, SaaS, and online subscription purchases are required to have a Data Checklist or to verify safe usage if no sensitive data will be housed or transmitted on the software or platform. Even if a purchase is not being made but Tier 2 (or higher) data is being used, the Data Governance process still needs to occur.
To understand the University’s different tiers of data, please view the Data Classification Standard.
The University provides a purchasing guide for software that the Data Governance Oversight Group has previously reviewed. Items that can be purchased through UNC Software Acquisitions typically do not require a Data Checklist, as they are covered under a larger purchasing agreement.
The Data Governance Oversight Group suggests that if you are considering a software product or online service, you put it through the Data Governance process in the planning stages, to ensure a smooth purchasing process and to account for any concerns that may arise.
If you have any questions, please contact EdIT, and they can assist you through the process.
Data Protection Checklist
Required for all software, SaaS, online subscription purchases (including $0 “purchases”)
Safe Computing at UNC has more information related to data checklists, and the School of Education-specific version can be found here. If no sensitive data is involved, a VPAT must still be requested from the vendor for Digital Accessibility compliance. A VPAT applies only when software is obtained (free software included) or purchased through a vendor. The requestor is responsible for obtaining the VPAT from the vendor (end users are often unsure where to obtain a VPAT). In addition to the VPAT, if it was determined that Tier 2 (or higher) data is being used, the requestor will need to ask the vendor for a SOC2 and a HECVAT form. This checklist should be completed before you request a purchase, as purchasing requires it and will return the submission if it is not present.
Please submit your form along with the Data Checklist Submission Questions to ensure a smooth process. These questions correspond to, or are exactly, the questions required to submit a Data Governance request.
There are now two pages for this form. Please make sure you complete both pages.
Terms Addendum
Required for all software, SaaS, online subscription purchases (including $0 “purchases”) that do not need to be submitted for a formal PO* requested through RASR.unc.edu. (E.g., P-Card Purchases, Vouchers, etc.)
* A formal PO is needed if at least one of these things is true:
- There is anything that requires a signature (agreement, contract, order form, etc.)
- The order is over $5,000 (this includes multiple smaller purchases of the same product over a fiscal year where the total cost is over $5,000).
- There is any sensitive information involved in the use of the product. (What is sensitive information – https://safecomputing.unc.edu/data/sensitive-information/)
How to Sign Forms in Adobe Reader/Acrobat
Please download and edit the forms in Adobe Reader/Acrobat Pro.
- The Data Protection Checklist is required for all software, SaaS, and online subscription purchases (including $0 “purchases”)
- The Terms Addendum form is only required for P-Card purchases and Vouchers
- For additional guidance, refer to the Adobe documentation for signing PDFs located here.