In cases where Harvard is outsourcing management or processing of confidential information to an external service provider, the University contracting agent is required to choose an external service provider capable of maintaining appropriate safeguards for covered data. All vendors having access to Harvard confidential information or performing functions such as credit card processing must agree to protect this information.
The confidentiality language in the OGC model consulting agreement can ordinarily be used for vendors who may access or process confidential information other than High Risk Confidential Information or other confidential personally identifiable data.
Contracts for service providers who will handle, maintain, process, or otherwise have access to HRCI or other confidential personally identifiable data must include the first contract rider below.
The second rider is to be used when a vendor is dealing with credit cards on Harvard's behalf.