Data Protection Checklist
The University has processes in place to protect sensitive information. This checklist will help you determine the reviews needed for a system, software, or service you are obtaining. If sensitive information is not involved, this is a short-form requirement. Keep in mind that other requirements beyond information security may apply to a procurement even if sensitive information is not involved.
Instructions for Purchases
If you are purchasing software, services, or IT/medical/scientific products, you must attach a completed Data Protection Checklist to your purchase requisition to show that you have obtained the necessary approvals or attest that your purchase does not involve sensitive information.
Download the Data Protection Checklist (PDF)
Core Requirements
All requests that involve sensitive information have two core requirements that must be completed.
Requirement | Contact |
---|---|
1. Risk Assessment | Information Security Office, security@unc.edu |
2. Data Governance Review | Data Governance Oversight Group, “Use of Enterprise Data” request at help.unc.edu |
Additional Requirements Based on Data Type
Some types of sensitive information, particularly Tier 3 data, have additional requirements. If your request involves the types of data below, you must complete the associated requirement(s) in addition to the core requirements.
Data Type | Requirement | When | Contact |
---|---|---|---|
SSN (4 or more digits) | Specific SSN Review by Data Governance Oversight Group (DGOG) | Concurrent with Data Governance Review | “University Data Assistance” request at help.unc.edu |
Credit Card | CERTIFI Approval | As early as possible | CERTIFI committee, certifi@unc.edu |
Protected Health Info (PHI) | Business Associate Agreement (BAA) with vendor probably needed | Once vendor is selected | Your unit’s Privacy Liaison or Purchasing. If your unit does not have a Privacy Liaison, contact privacy@unc.edu. |
Digital Accessibility
Digital accessibility is a practice ensuring that content, resources, and technology communicated electronically can be used regardless of ability, disability, or assistive technology. You must request a Voluntary Product Accessibility Template (VPAT) if you are making a purchase of digital content or materials. For purchases/renewals over $5,000 and a user base greater than 100 people, a VPAT is required. Review of the VPAT is always recommended, as an accessibility failure will be the responsibility of the unit to address.
A VPAT is an evaluation of a product’s accessibility. To check whether the company has made a VPAT available online, search for the product’s accessibility page. You could also add “VPAT” or “accessibility” to the product name in your online search. If a VPAT is not available, you will want to contact the company and ask for one. Any company doing business with government or higher education organizations should have a VPAT.
The Digital Accessibility Office offers consultation for the Accessibility Standards for Procurement of Digital Content, Resources, and Technology. More information about VPATs can be found on the Digital Accessibility Office website. To request procurement support, submit a request to the Digital Accessibility Office at https://help.unc.edu.