The purchase of software follows the same dollar thresholds as other purchases; however, there are generally additional review and approval requirements that must be completed. These requirements apply regardless of the dollar value of the purchase. Thus, for purchases of less than $15,000, departments must ensure that the requirements have been satisfied prior to issuance of a purchase order. The requisition workflow has a step that routes to Contracts and Procurement for approval prior to final approval by the department. The routing is based on the commodity code, which was put in place to pause the process so that any additional requirements can be addressed.
Accessibility refers to the design of products, devices and services for use by people who have disabilities. With regard to software, this generally means that individuals with audio, visual, or motor impairments can use the software effectively. The accessibility status of a product must be reviewed and approved prior to the purchase of any software or cloud-based software solution regardless of value.
- Request a Voluntary Product Accessibility Template (VPAT) from the software provider and submit to System-wide Information Services (SWIS)
- If the provider does not already have a completed VPAT, have them complete the template located at https://www.itic.org/policy/accessibility/vpat
- Complete and submit the Accessibility Intake Form
The Information Security Office (ISO) establishes and maintains a security program that reduces risk and secures the information assets under its stewardship against unauthorized use, disclosure, modification, damage or loss. Software and cloud-based solutions contain University information and as such ISO must conduct a thorough review prior to issuing purchase orders or entering into contracts for these products regardless of the value.
- Complete and submit the Information Security Intake Form
Software and cloud-based solutions often house protected health information, student information or other personally identifiable information, which often requires specialized contractual language and agreements with the software provider. These include, but are not limited to:
- Health Insurance Portability and Accountability Act (HIPAA) requirements regarding protected health information (PHI)
- Contracts subject to HIPAA require the execution of a Business Associates Agreement as part of the contract
- The Family Educational Rights and Privacy Act (FERPA) requirements regarding student data
- Contracts subject to FERPA require a specific confidentiality agreement
Ordering and Contracting
Departments should not:
- Use procurement cards for the purchase of software unless reviewed and approved by Contracts and Procurement
- Accept “click thru” terms and conditions
- Sign any form of agreement with a software provider
Departments should:
- Be aware that Contracts and Procurement should review any related documents, agreements, order forms, etc. provided by a software provider
- Be aware that purchase of software or cloud-based solutions through a reseller will always require some type of license agreement with the software provider
- Be aware that the cycle time to complete a software or cloud-based solution procurement can be lengthy based upon negotiation of terms and conditions that are required to protect the University
- Be aware that accessibility, information security and privacy issues may need to be addressed even for renewals and maintenance agreements if those reviews were not completed at the time of the original purchase or if those reviews need to be updated