UW-Madison - IT - Non-UW-Madison Applications and Services Guidelines
Applies to anyone contracting or otherwise acquiring use of non-UW-Madison-owned or -operated applications and services for university business. Applications and services that are not owned and operated by UW-Madison might not meet UW-Madison guidelines or requirements for privacy, intellectual property, security, and records retention. Faculty and staff using or considering the use of non UW-Madison applications and services should take these factors into account when selecting applications and services.
Guidelines
Applications and services that are not owned and operated by UW-Madison might not meet UW-Madison guidelines or requirements for privacy, intellectual property, security, and records retention. Faculty and staff using or considering the use of non UW-Madison applications and services should take these factors into account when selecting applications and services.
Understand the risks to you and others
Providers may require the user to agree to a Terms of Service agreement. This is a legal contract. Only a few UW-Madison administrators are authorized to enter into legal contracts on behalf of the university. Users without that authority become personally responsible for the terms of the agreement and any problems that may arise.
Providers may change their Terms of Service without notice. Check periodically to see if it is still acceptable.
Contact Legal Affairs at 263-7400 for assistance understanding the associated risks.
Protect sensitive research data and other sensitive information
Comply with research grant and other contractual and legal requirements to protect sensitive information. There may be requirements that a non UW-Madison application or service cannot meet.
Restrict access to any sensitive information, so that only those with a “need to know” can access it.
Do not include any personally identifiable information if you can avoid it.
Remove data when it is no longer needed.
Protect student privacy
Comply with FERPA (Family Educational Rights and Privacy Act) requirements to protect student privacy.
Restrict access to student content whenever possible, so that only those who “need to know” have access.
Suggest students use aliases when creating accounts, particularly if student work is publicly available.
- Do not place any personally identifiable information in content. Avoid referring to students by full name.
Limit students’ postings to course-related content. Delete student content when no longer needed.
Obtain student written consent for continued use of student materials beyond the current class.
Communicate the use of non UW-Madison applications and services to students
Use of non UW-Madison applications and services should not create an undue burden for students who do not agree to the conditions of use. Instructors should weigh the needs of the course activity against the student’s privacy rights.
Instructors should communicate their intent to use non-UW-Madison applications and services, along with a summary of issues, conditions of use, and risks to students in the course syllabus. This allows a student to decide whether to withdraw from the course, or request alternate solutions. Consider that withdrawal may not be possible because the course is required, is offered in a sequence, is not offered regularly, or is only offered by one instructor.
Refer students who are concerned about their privacy to the Dean of Students office.
Understand who owns content and what they can do with it
Placing content on a non UW-Madison application or service may constitute “publication” of intellectual property, and may inhibit other publication of the work, or prevent a successful patent application.
Review the Terms of Service agreement:
Who owns the intellectual property rights when content is created or uploaded to the application or service?
Does the provider claim any rights to use the content created or uploaded to the application or service?
If there is a right of use claim, when and how are these rights terminated?
Identify content as “© 20XX The University of Wisconsin System Board of Regents” when appropriate.
Consider accessibility, support, retrieval, retention, and backup
Ensure non UW-Madison applications or services meet campus web accessibility requirements.
Existing campus support might not resolve technical issues. Users might have to deal with the provider directly.
Ensure that records can be retrieved from the provider. UW-Madison records are subject to public records law.
Ensure that university records are retained according to records retention schedules.
Back up material regularly. Many providers assume no responsibility for backing up content.
References
Public Records Law - https://compliance.wisc.edu/public-records/Acceptable Use Policy - https://www.wisconsin.edu/regents/policies/acceptable-use-of-information-technology-resources/
Web Accessibility Policy - https://policy.wisc.edu/library/UW-519
Data Classification Policy - https://policy.wisc.edu/library/UW-504
Protecting Your Student Data - https://registrar.wisc.edu/ferpa_guidelines_faculty_staff.htm
University Records Schedules - http://www.library.wisc.edu/archives/records-management/retention-disposition/
Research Data Sharing and Security - http://researchdata.wisc.edu/data-access-2/
HIPAA Security Officer and Coordinators - https://compliance.wisc.edu/hipaa/coordinators/
UW-Madison Information Technology website - http://it.wisc.edu/
Human Research Protection Program (HRPP) - https://research.wisc.edu/compliance-policy/human-research-protection-program/
Effective: Jul 22, 2009
Revised: Nov 01, 2013 RevC
Reviewed: Apr, 2018
Review in: two years
Maintained by: Office of the CIO, IT Policy
History at: https://kb.wisc.edu/itpolicy/cio-non-uw-services-history
Reference at: https://kb.wisc.edu/itpolicy/cio-non-uw-services-guidelines
Please address questions or comments to itpolicy@cio.wisc.edu.