When purchasing or renewing software / applications there are minimum standards that MUST be met to ensure the university meets all its internal policy and legal requirements. To help you through this process, you will need to fill in the Contracts Approval Checklist. Please check you have all the information you need before starting.
This applies to all software applications or services, both locally installed and externally hosted (e.g. web services / Software-as-a-Service (SaaS) applications), including those that are free of charge.
What information is needed for the contracts checklist?
- Details of hosting (e.g. locally installed, server hosted, web service)
- Name of supplier
- Type of license (e.g. site license, user licenses, device licenses, concurrent licenses)
- Cost of software / service
- Details of any data integration / data extract requirements
- Details of Single-Sign-On requirements
- Requirements for IT support
For software / services which store classified data
- Information about any personal or otherwise confidential data which is stored / processed (including name / e-mail address)
- Classification of data which will be stored / processed and details about where this is stored
- Copy of existing supplier Data Processing Agreement (if applicable) and Data Processing Impact Assessment (if required)
- Information about any card payments processed on behalf of the University
- Details about supplier’s information protection standards (e.g. ISO27001, SOC2/3, PCI-DSS etc.)
For software / services which have a web interface
- Details about compliance with web accessibility standards (WCAG 2.1)
Why do we need to do this?
The University has a duty to ensure that all software and services meet our legal and other policy requirements in areas such as:
- Data Protection and Information Security (ensuring that staff and students’ personal information and otherwise confidential data is effectively secured and used appropriately).
- Accessibility (making sure that the software or services are accessible to all)
- Procurement (checking that contractual terms cover the proposed use of the software or service and that the purchase complies with the University’s procurement rules)
Renewals of our existing services are included in this process. This is to enable the University to complete regular compliance checks on the services provided by our current suppliers, as the standards that we need to deliver do change over time.
High level process breakdown
Stage 1 Approval contract information security checklist
Everyone needs to fill in a Contracts Approval Checklist
Demand - once the security and governance checks have been completed, a purchase order route will be recommended. Either:
- Renewals (skip to Outcome), or
- Project purchase (via IT prioritisation process), or
- Purchasing / procurement
Stage 2 approval (if required)
Purchasing via a tender process, or contract initiator, to send the required documents to the IT Contract Manager to present to the Contracts Assurance Group.
IT Coordinator to pre-check request and add to approvals tracker for IT Exec Leadership Team (ELT) / IT approval
Stage 3 approval (if required)
Request submitted to ELT. Designated member of Contracts Assurance Group to present request to ELT for final approval and signatures.
Formal decision given back to the requester by a member of the Contracts Assurance Group.
Questions & Answers
- I have had this software for a long time, why do I need to follow this process?
- The process for purchasing software and services has changed in line with University policy as a result of changes in the legislative and legal requirements placed upon the University in areas such as data protection, web accessibility and information governance.
- It’s free software, what do I need to do?
- You still need to complete the checklist. Even free software may store personal or otherwise confidential data or require integration with other systems. Some software is only free for personal users, so use within a University would be outside the terms of the contract.
- I need to purchase some software or a web service for learning and teaching. Do I still need to complete the form?
- Yes. Before you complete the form you must also seek approval from the Digital Education Service via this link.