Guidelines for Purchasing Software
January 16, 2014
Responsibility for software purchasing is distributed to units at the University of Minnesota Duluth. These guidelines are intended to assist units in choosing, purchasing, installing, and securing software applications, including those offered by vendors in the cloud (that is, running on vendor servers rather than UMD or UM servers). The focus of these guidelines is larger applications that may store private University data or research data, or that serve large numbers of internal customers. They do not apply to standard desktop software, such as Word, Excel, Google Apps, or Dreamweaver. In general we are looking for applications that run on servers, not on desktops. They also do not apply to small apps running on tablets or smart phones.
To be clearer about what types of applications these guidelines cover, here are some examples.
- Administrative applications that store any private University data, especially credit card (PCI) data, health (HIPAA) data, and student (FERPA) data. Examples here include eClinical, Micros, and MSPOS.
- Administrative cloud-based applications that store University data. Examples here include Campus Labs, Maxient, TK20, and Symplicity.
- Research applications, especially those that store sensitive data.
- Academic applications, especially those that store student grade information.
Checklist of Steps Required
Depending upon the application, not all steps may be required. Applications that will be used to store and manipulate University data will almost certainly require at least some of these steps.
- Consult with the Director of Information Technology Systems and Services. The IT Director's role is to determine whether there may be any existing local applications that can meet your needs, thus helping you to avoid unneeded costs.
- Consult with the University Enterprise Architect. Enterprise Architect Patton Fast's role is to determine whether there may be any existing enterprise systems that can meet your needs, thus helping you to avoid unneeded costs.
- Contact Purchasing Services (email email@example.com or visit purchasing.umn.edu). Purchasing Services will assign a purchasing category manager to assist you. Your purchasing category manager, most likely Elaine Kelash or Cathy Naborowski, will help you determine what steps you need to follow to choose a product. If the contract will cost more than $50,000, you will be required to use a request for proposals (RFP) process. This includes the full price of a multi-year contract as well as implementation costs. If the cost is under $50,000, then you will need to complete the "Under $50K Price Comparison for Purchase of Goods and Services." This goes in your file in case of audit.
- Contract Review. Regents Policy requires all non-standard agreements, including software licenses, to be reviewed by the Office of the General Counsel (OGC). Unless the vendor accepts the University's standard terms and conditions, your contract must be reviewed and negotiated by an attorney in the OGC. Your purchasing category manager will refer your contract to an attorney. Be sure to plan enough time for this step; two weeks is the standard turn-around time except in cases of high urgency.
- Credit Card Transaction Review. If you intend to accept credit cards as a method of payment and the software application will process, transmit, or store cardholder data, then you must contact Accounts Receivable Services, Payment Card Program (email firstname.lastname@example.org). Protecting cardholder data requires a significant commitment of staff time and funding. You may want to consider other options if at all possible.
- Protected Health Information Review. If you intend to store or access protected health information (PHI) as defined under HIPAA, then you will need to have the vendor sign our form of Business Associate Agreement. This agreement is an acknowledgment by the vendor that its solution is HIPAA compliant. To receive the most updated form of agreement, or if you have questions about PHI and HIPAA, submit your request to email@example.com. Please keep in mind that collecting, storing and securing PHI requires a significant commitment of staff time and funding. Whenever possible, you should use UM enterprise secure systems that are HIPAA compliant for this kind of data.
- Non-Directory Student Information. The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. This protection includes directory information. The University of Minnesota defines directory information as the student's name, address, electronic (email) address, telephone number, dates of enrollment, enrollment status, major, advisor, college, class, awards and honors, and degree awarded. Students may at any time request that this information be suppressed. If you intend to store educational records, such as grades, test scores, class enrollment, behavior, or class work, the licensor will have to agree to maintain the University's requirements for physical and electronic data security provisions to protect the information from disclosure. Protecting FERPA data requires a significant commitment of staff time and funding. You may want to consider other options if at all possible. For support regarding FERPA, please contact the UMD Registrar at 218-726-8795, firstname.lastname@example.org.
- Security Review. Ask University Information Security to review the vendor contract before you sign it, to ensure that the contract and vendor meet University security requirements. You can reach them at email@example.com.
- Obtain Support from ITSS. Many business applications require that data be pulled from University systems, such as PeopleSoft, for use in the application. In some cases, data must be transferred from the vendor application back to University applications, such as PeopleSoft. ITSS provides this service for a charge. Please let us know early about any potential needs you may have. This step is often more difficult and requires more time than you may anticipate. ITSS can provide an estimate of costs for you to factor into your planning. Submit a work request to start this process.
If you have any questions or concerns about any part of this process, please contact the Director of Information Technology Systems and Services (ITSS) for assistance.