Skip to main content

The University has processes in place to protect sensitive information. This checklist will help you determine the reviews needed for a system, software, or service you are obtaining. If sensitive information is not involved, this is a short-form requirement. Keep in mind that other requirements beyond information security may apply to a procurement even if sensitive information is not involved.

Instructions for Purchases

If you are purchasing software, services, or IT/medical/scientific products, you must attach a completed Data Protection Checklist to your purchase requisition to show that you have obtained the necessary approvals or attest that your purchase does not involve sensitive information.

Download the Data Protection Checklist (PDF)

Core Requirements

All requests that involve sensitive information have two core requirements that must be completed.

Requirement Contact
1. Risk Assessment Information Security Office,
2. Data Governance Review Data Governance Oversight Group, “Use of Enterprise Data” request at

Additional Requirements Based on Data Type

Some types of sensitive information, particularly Tier 3 data, have additional requirements. If your request involves the types of data below, you must complete the associated requirement(s) in addition to the core requirements.

Data Type Requirement When Contact
SSN (4 or more digits) Specific SSN Review by Data Governance Oversight Group (DGOG) Concurrent with Data Governance Review  “University Data Assistance” request at
Credit Card CERTIFI Approval As early as possible CERTIFI committee,
Protected Health Info (PHI) Business Associate Agreement (BAA)  with vendor possibly required Once vendor is selected The Institutional Privacy Office,

Digital Accessibility

Digital accessibility is a practice ensuring that content, resources, and technology communicated electronically can be used regardless of ability, disability, or assistive technology. You must request a VPAT if you are making a purchase of digital content or materials. For purchases/renewals over $5,000 and user base greater than 100 people, a Voluntary Product Accessibility Template (VPAT) is required. Review of VPAT is always recommended as an accessibility failure will be the responsibility of the unit to address.

A VPAT is an evaluation of a product’s accessibility. If the company has made a VPAT available online, search for the product’s accessibility page. You could also add VPAT or accessibility to the product name in your online search. If a VPAT is not available, you will want to contact the company and ask for one. Any company doing business with government or higher education organizations should have a VPAT.

The Digital Accessibility Office offers consultation for the Accessibility Standards for Procurement of Digital Content, Resources, and Technology. More information about VPAT can be found on the Digital Accessibility Office website. To request procurement support, submit a request to the Digital Accessibility Office at

Download the Data Protection Checklist (PDF)