Standard for Handling Institutional Information - 1. Disclosing Information to Third Parties
Institutional Information classified at Protection Levels PL-3 or PL-4 may only be disclosed to third parties (vendors, consultants, etc.) if all of the following are true:
- A clear business purpose for the disclosure exists.
- The Data Owner has provided written approval of the disclosure.
- A written confidentiality agreement or non-disclosure agreement is in effect between The New School and the third party.
- A written agreement is in effect between The New School and the third party describing the security controls the third party will use to protect the information (including how it will delete or destroy the information at the conclusion of the agreement).
Additional requirements may apply if the information to be disclosed includes Personal Data; see Data Protection Handbook - 5. Data Sharing.
NOTE: Only senior managers of the university (president, provost, executive vice president, deans, and officers) have the authority to sign the agreements referenced above, and then only after they have been reviewed and approved by the Office of the General Counsel.