Tips for Examining Software Vendor Data Privacy Policies

Any organization that handles personally identifiable information about people (staff, customers, patrons, students, etc.) and stores that information in, or sends it to, third-party vendor software should define steps to protect it. These steps include minimizing the information collected and transferred to third parties, understanding how the software vendor uses the information, and establishing an expectation that the information will be handled and stored securely and that unneeded data will be deleted. To gather initial information on a third-party vendor, before sending your customer data to that vendor, take a look at their privacy policy.

Language to look for in vendor software privacy policies before utilizing their software includes:

  • Information collected: What information is being collected directly from the users? What information is required for rostering users?
  • Age restrictions: Look for language including age restrictions if the data may include information from or about children.
  • Targeted advertising: This is a concern for adults as well as children. Would your staff, patrons, customers, etc. want their information shared for advertising purposes?
  • Information security: Does the vendor follow a cybersecurity framework? Do they have a security plan? What steps do they take to protect customer data? Look for evidence of third-party security audits to verify their practices.
  • Third party data sharing/processing: Will the vendor share data with others? For what purposes?
  • Data storage location and data sovereignty: Who has rights to access this data? Some nations’ data sovereignty laws allow the government to access information stored in their country.
  • Data breach response: Does the vendor clearly define their notification plans in case of a data breach?
  • Data deletion: Do they have a defined process to request deletion of data?

Not seeing some of these addressed by a vendor’s software privacy policy? Reach out to the vendor directly with questions to clarify their practices.

Additional Resources

The K-12 Privacy Policy Guide

How to Read Privacy Policies without Getting a Headache