External Party Data Transfer Policy

External Data Transfer Policy

Scope:

This policy applies to the data transfer of Restricted or Confidential data to an external party performed on a manual, ad-hoc, or one-off basis. Data transfers that occur on an ongoing basis are subject to separate policies and procedures per the Data Security Policy.

 

Policy Statement:

The University will only transfer Confidential or Restricted data to external parties if the owner of the data explicitly approves its transfer. The data owner is the Data Trustee (or their designee, as defined by the Administrative Data Steward list) who has direct authority over and full responsibility for the data—not the internal users of that data. 

  1. This data must be encrypted during transfer and at rest using an encryption strength of AES128, at a minimum. The preferred encryption strength is AES 256 bit or better. This can be achieved using encrypted ZIP files.  If the data is being transferred via web upload, the in-transit encryption should be TLS 1.2 (weak ciphers disabled) or TLS 1.3.  
  1. The encryption key to the encrypted data must be transferred out of bounds. That is it cannot be transferred using the same mechanism as the data. For instance, if the data is sent via e-mail, the key must be exchanged via phone or letter. 
  1. The external party must acknowledge receipt of the data. One best practice approach is to create a CD with the encrypted data on it and then to use an overnight shipping company to send it, requesting a return receipt. E-mail acknowledgements are also acceptable although not preferred. 
  1. The data must be verified as secure by an authoritative member of Information Services before the transfer occurs. The Director of Information Security or designees can provide this service. The data must be securely archived so that in event of an issue, the University can verify the exact contents of the data shared.

View the External Data Transfer Policy.