
Concur Privacy Review PDF

The document summarizes the methodology used to ensure the third-party cloud-based Concur system complies with privacy laws and protects privacy. Key aspects included a risk assessment of Concur, contract negotiations guided by the university's procedure, and ensuring the contract established conditions like the university owning records, Concur only using records for the university's purposes, implementing security measures, and allowing audits and termination.


INFORMATION AND PRIVACY OFFICE
1050 KANEFF TOWER
4700 KEELE ST
TORONTO ON
CANADA M3J 1P3
T 416 736 2100 EXT 20359
F 416 736 5094
Email: [email protected]
http://ipo.info.yorku.ca/

Memo

To: University Community
From: Carolyn Heald, Director, Records & Information Management and Coordinator, Information & Privacy Office
Date: January, 2015
Subject: Concur Privacy Review

The following summarizes the methodology used to ensure that Concur is a secure, privacy-
protective system, in compliance with the University’s FIPPA obligations.

The move to a third-party, cloud-based service could only be undertaken if privacy concerns
were adequately addressed. With input from the Information and Privacy Office (IPO) and
University Information Technology (UIT), a risk-based assessment was made of the vendor
and its product using the University’s draft “Procedure for Using Third-Party Information
Technology Services.” The draft procedure also guided contract negotiations which were
conducted in consultation with York’s legal counsel. Accordingly, contract negotiations
sought to ensure the following conditions were in place:

• York University retains ownership of all records and information.
• The service provider will use the records and information for York University’s
  purposes and for no other purpose.
• The records and information are held "in trust" for York University.
• No information will be disclosed without the consent of York University.
• The service provider will not sub-contract to another service provider without the
  consent of York University.
• The service provider will ensure that it acts in such a way as to assist York University
  meet its obligations under FIPPA and other statutes as necessary.
• The service provider will be transparent about the location of York University records
  and information.
• The service provider will resist, to the extent lawful, any orders to disclose information
  without consent, will give notice to York University of any orders and give York
  University opportunity to dispute the order.
• The service provider will implement appropriate security measures to protect
  information (such as compliance with ISO 27002 or another security standard).
• The service provider will allow York University to audit its security measures and
  information handling practices.
• The service provider will work cooperatively with York University in the event of a
  privacy or security breach.
• York University will not accept any limitations of liability of the service provider related
  to privacy and security.
• The service provider will return or permanently destroy/delete the records and
  information upon request of York University, and will not retain any records and
  information.
• The service provider will permit York University to terminate the agreement for any
  reason and have the information returned immediately to York University in a
  readable format.

In addition to the negotiated terms, Concur’s Security and Privacy Overview (version 1.30)
was explicitly written into the contract as Appendix D.
