26.3 Special negotiation issues

26.3.3 Data processing negotiations

Negotiations regarding the protection and privacy of Commonwealth data should result in the highest standards for that protection and privacy, as well as for security. Some suppliers providing software as a service or application hosting services may not assume responsibility or liability for the loss, compromise, corruption, or unauthorized access that can follow from pushing data into their application, or for other vulnerabilities in it. Supplier terms may also state that the supplier can share your data with its third-party providers, partners, or subcontractors. It is critical that you negotiate terms that align with the level of data protection and security that your project needs, especially when processing confidential information, personal information, personal health information, or citizen information. Your negotiations must not result in non-compliance with required Commonwealth Security, Enterprise Architecture, and Data policies and standards that cannot be formally waived, or with any federal requirements, such as HIPAA or other statutory privacy acts.

It is also critical that your negotiations result in your ability to retrieve your metadata within two to four hours of your request, and that all of your metadata is returned at the termination or expiration of the contract within a quick but reasonable time. Equally important is to negotiate that supplier facilities and backup/disaster recovery facilities, and those of any supplier third-party providers, partners, or subcontractors, are located within the continental U.S.; that your data will be backed up daily; and that the supplier notifies you immediately of any compromise to the security or privacy of your data. Another important factor is negotiating service or performance levels that guarantee the uptime you require for business continuity.