Before any Service Providers can collect, use, or access personal or confidential UBC information, they must agree to protect the information and, where personal information is involved, comply with British Columbia’s privacy legislation, the Freedom of Information and Protection of Privacy Act (FIPPA), as more particularly described below.
This requirement flows from the UBC Board of Governors’ Information Systems Policy (SC14) and the Information Security Standards section 5, U9 – Outsourcing and Service Provider Management.
Definition of Service Provider
A Service Provider refers to any individual or organization engaged to perform services for UBC, excluding UBC employees. This includes vendors, contractors, software providers, consultants, volunteers, and other non-UBC employees delivering services to or on behalf of the university.
Obligations
Subject to any waivers or exemptions described below, all contracts with Service Providers (including purchase orders) must incorporate UBC Procurement Services’ Privacy Appendix, or else the Service Provider must enter into a separate Security and Confidentiality Agreement (SACA) in the form of the template approved by the Office of the University Counsel (OUC) or in such other form as may be approved by the OUC.
Waivers
The Administrative Head of Unit or UBC Procurement Services may request the OUC to waive the aforementioned requirement for the Privacy Appendix or a SACA and the OUC may grant such a waiver if it is satisfied that the primary contract between UBC and the Service Provider already contains equivalent or better privacy and security provisions.
Exemptions
Service Providers who will not collect, use, or access personal or confidential UBC information are exempt from the requirement for a Privacy Appendix or a separate SACA.
Professionals who are bound by a professional duty of confidentiality, such as doctors, lawyers, accountants, auditors, and psychologists, are exempt from the requirement for a Privacy Appendix or a separate SACA.
The Privacy Appendix and SACA are not appropriate for use in partnerships or collaborations that do not result in a service provider relationship. However, these relationships may benefit from a mutual confidentiality agreement, non-disclosure agreement, or information sharing agreement. For assistance, please consult with the OUC.
Procurement Services’ Privacy Appendix
The UBC Board of Governors’ Purchasing Policy (FM2) governs the acquisition of goods or services and empowers UBC Procurement Services to commit UBC to agreements for the supply of goods and services. Except in limited cases, all service contracts should go through the Procurement Services process and your designated Buyer or Procurement Officer, as applicable, will ensure a Privacy Appendix is included when necessary or will seek a waiver from the OUC.
Security and Confidentiality Agreement (SACA)
In those cases where a service contract is already in place with a Service Provider without a Privacy Appendix or in those cases where a service contract is not being used (such as in the case of volunteers), the relevant administrative unit overseeing the engagement must:
- ensure that a SACA is completed and signed by the Service Provider; and
- retain a copy of the signed agreement.
Where more than one employee of a Service Provider will have access to confidential or personal information, a single SACA with the Service Provider is sufficient.
Where the SACA is in the form set out in the OUC-approved template, a UBC representative’s signature is not required on the SACA.
Non-Disclosure Agreements
A non-disclosure agreement (“NDA”) is a type of confidentiality agreement that focuses on preventing disclosure to third parties. This is already addressed within the SACA and Privacy Appendix, which have a broader scope that includes measures to protect information. Therefore, a separate NDA is generally not required when a SACA or Privacy Appendix is in place.
An NDA may be appropriate in situations where there is not a Service Provider relationship, or prior to a Service Provider relationship arising.
If an NDA or confidentiality agreement is reciprocal, meaning both the external party and UBC are agreeing to keep information confidential, and it requires a UBC signature, then it must be signed in accordance with UBC’s Signing Resolutions.
Template Access
The SACA template is available at: https://universitycounsel.ubc.ca/files/2023/04/Security-and-Confidentiality-Agreement-Template-Stand-alone.docx
Questions
For questions, please contact the Office of the University Counsel at university.counsel@ubc.ca.