Making the Contracting Process Consistent
One way to make the contracting process more consistent across vendors is a contract addendum. Contract addendums (when reviewed and vetted by legal staff) provide standardized legal language around the level of privacy and security expected of the vendor by the library. Changing or amending the main contract language or including a contract addendum can address the common red flags listed earlier, as well as set responsibilities, rights, and expectations around:
- Compliance with applicable federal, state, and local laws and regulations addressing data privacy
- Compliance with applicable industry standards and frameworks such as ISO, NIST, and PCI
- Legal jurisdiction of the contract; that is, what state or country’s laws will apply when interpreting the contract or deciding a dispute
- Vendor privacy and security audits, conducted either by an independent third party or self-administered by the vendor
- User rights to data, including access and deletion
- User rights to opt out of non-essential data collection by the vendor, as well as the right to opt out, at any time, of the disclosure or sale of their data by the vendor to other third parties
- Abiding by the library’s privacy and confidentiality policy when collecting, processing, and disclosing user data and abiding by any laws or regulations applicable to library users’ information
- Levels of access to and proper use of user data when integrating with other library systems and applications
- User data retention periods
- Data breach and incident response
Using the same vendor contract from the red flag exercise, start a list that could lead to a contract addendum draft.
- How can the contract be improved?
- What requirements around privacy do you expect/desire across all vendors?
Start drafting a contract addendum for your library. Examples can be found in this PDF. Work with your library’s governing body and legal counsel to finalize an addendum.