UPPS 05.02.06 - Acquisition of Information Technology Products and Services
UPPS No. 05.02.06
Issue No. 3
Effective Date: 5/04/2020
Next Review Date: 10/01/2023 (E3Y)
Sr. Reviewer: Director, Procurement and Strategic Sourcing
This policy identifies guidelines applicable to the acquisition of information technology (IT) products and services including, but not limited to, the purchase, rental, lease, or free acceptance of IT products and services from third-party providers.
Acquisition of IT products and services shall be in accordance with UPPS No. 05.02.02, Texas State Purchasing Policy.
The vice president for Information Technology, or designee, will be responsible for central review and oversight of all university acquisitions of IT products and services, including, but not limited to, computing hardware, software, and hosting services, regardless of source of funds, as authorized in The Texas State University System (TSUS) Rules and Regulations, Chapter III, Paragraph 19. Department heads shall consult with the vice president for Information Technology, or designee, prior to acquiring any IT products and services to:
assess the acceptability of the licensing or contract terms;
ascertain the nature and amount of university IT support required and available for such products and services;
ensure the products and services comply with information security policy and requirements; and
ensure accessibility of purchased software and hardware.
University departments and individual faculty and staff shall not entrust any third-party provider with sensitive or confidential business data in the absence of a duly-approved and authorized agreement between the university and the provider (see definition of business data in Section 02.05 and definitions for sensitive and confidential data in Section 02.08 of UPPS No. 04.01.11, Risk Management of Information Resources).
Public web information services from third-party providers (e.g., Google, Dropbox, etc.) may be inappropriate for storing, sharing, or processing business data because their standard terms of service may fail to afford adequate protection against loss, destruction, or inappropriate use or disclosure of these data. Consistent with UPPS No. 03.04.04, Processing, Approving, and Executing Contracts, Purchases, and Agreements, only designated university officials (see link) may enter into information services agreements involving the university’s business data.
Before engaging third-party IT products or services to store, share, or process scholarly data (see definition of scholarly data in Section 02.04), individuals shall review the University Libraries Copyright Guide for guidance and insight into the numerous issues that should be considered. These issues include information security, personal privacy, personal liability, copyright and content ownership, minimum service levels, and provider lock-in, just to name a few. Additionally, staff in the IT Assistance Center and the University Libraries can provide experienced assistance in determining the efficacy and suitability of third-party products and services for specific scholarly endeavors.
Individuals should not store, share, or process student scholarly data (see definition of scholarly data in Section 02.04) on any third-party IT products or services not reviewed and approved by the Texas State Information Security office. Before using third-party IT products and services approved by Information Security to store, share, or process scholarly data, it should be clear that students own the copyright in their own work and that privacy in student records is protected by federal law. Students own the copyright in their own work, as stated in Section 03.06 b. of UPPS No. 01.04.27, Intellectual Property: Ownership and Use of Copyrighted Works, and their privacy is protected by federal law as stated in UPPS No. 01.04.31, Access to Student Records Pursuant to the Family Educational Rights and Privacy Act of 1974.
Information Technology Products or Services – computing hardware, software, and related services, including externally hosted “cloud” services, software as a service (SaaS), infrastructure as a service (IaaS), platform as a service (PaaS), and consumer-oriented web services governed by so-called “click-through” agreements.
Acquisition – purchase, rental, or lease of IT products or services with university funds, or the acceptance of free IT resources from a third-party provider.
Third-Party Provider – any provider of IT products or services that is not an organizational component of Texas State University, and not an employee of Texas State who is supplying the products or services as works done for hire.
Scholarly Data – documents, files, and other items of information created, developed, collected, or maintained solely for research or instructional purposes, or for direct support of those purposes. Examples include the scholarly work of faculty or students, the personal or intellectual property of individuals, and instructional content in which the university has no ownership interest or license. Owners of scholarly data shall ensure that the security and privacy controls of third-party service providers are adequate to protect the security and privacy of their data. Note that research-related data held by units with research administration and oversight responsibilities (e.g., the Office of Research and Sponsored Programs, the Office of Technology Transfer and Contracts) are considered business data.
Business Data – documents, files, and other items of information created, collected, maintained, and used to support the continued operations of Texas State. Examples include administrative records, student education records, financial and human resource records, works made for hire, commissioned works, and similar informational objects, held by the institution’s organizational units, contracted service providers, or individual faculty or staff. Business data also include the following subsets of scholarly data (as defined above):
informational items in which the university has an ownership interest; and
informational items licensed by the university for instructional or research purposes.
ACQUISITION COMPLIANCE REQUIREMENTS
In accordance with Texas Administrative Code §213.38, any university contract for the purchase, lease, or free acquisition of IT products and services should include the terms and conditions of Amendment Z, Access by Individuals with Disabilities.
The contractor represents and warrants (the “EIR Accessibility Warranty”) that the electronic and information resources and all associated information, documentation, and support that it provides to the university under the agreement (collectively, the “EIRs”) comply with the applicable requirements set forth in 1 TAC Chapter 213 and 1 TAC Section 206.70 (as authorized by Subchapter M, Chapter 2054, Texas Government Code).
To the extent that the contractor becomes aware that the EIRs, or any portion thereof, do not comply with the EIR Accessibility Warranty, then the contractor represents and warrants that it will, at no cost to university, either perform all necessary remediation to make the EIRs satisfy the EIR Accessibility Warranty or replace the EIRs with new EIRs that satisfy the EIR Accessibility Warranty. In the event that the contractor fails or is unable to do so, then the university may terminate the agreement and the contractor will refund the university all amounts the university has paid under the agreement within 30 days after the termination date.
In accordance with Texas Government Code, §2054.460, and Texas Administrative Code, §213.37, all EIRs developed, procured, or changed by an institution of higher education shall comply with the standards and specifications of Chapter 206 or Chapter 213 of Title 1 Texas Administrative Code, unless an exception is approved by the president, chancellor, or delegate of an institution of higher education, or an exemption is granted by the Department of Information Resources.
Exception requests should be emailed to the electronic information resources coordinator (EIRAC) for review and must include the following information:
a date of expiration or duration of the exception;
a plan for alternate means of access for persons with disabilities;
justification for the exception including technical barriers, cost of remediation, fiscal impact for bringing the EIR into compliance, and other identified risks; and
documentation of how the institution of higher education considered all institutional resources available to the program or program component for which the product is being developed, procured, maintained, or used. Examples may include, but are not limited to, agency budget, grants, and alternative vendor or product selections.
The exception request form can be found on the Division of Information Technology Accessibility website.
Prior to contracting with another state agency or institution of higher education via an “interagency cooperation contract,” Texas State must assure compliance with Texas Administrative Code, Title 1, Part 10, Chapter 204, Subchapter C, for any commodity or service identified as “information resource technologies” with a total cost estimate not to exceed the dollar amount specified in Texas Administrative Code, §204.31.
REVIEWERS OF THIS UPPS
Reviewers of this UPPS include the following:
Position | Date
Director, Procurement and Strategic Sourcing | October 1 E3Y
Director, Information Technology Business Services | October 1 E3Y
Chief Information Security Officer | October 1 E3Y
Copyright Officer | October 1 E3Y
This UPPS has been approved by the following individuals in their capacities and represents Texas State policy and procedure from the date of this document until superseded.
Director, Procurement and Strategic Sourcing; senior reviewer of this UPPS
Associate Vice President for Financial Services
Vice President for Finance and Support Services