Protecting External Confidential Information
On occasion, Purdue University and a research partner may want to exchange proprietary non-public information related to existing or prospective research (“External Confidential Information”). In these cases, often Purdue will enter into an agreement (“Confidentiality Agreement”) that obligates the university and its personnel (including faculty, staff, students or other individuals obligated to abide by the university’s policies and procedures) to use the External Confidential Information only for a specific purpose and not to disclose the information to third parties. When granted access to such information, individuals are expected to safeguard and prevent the unauthorized use, disclosure, dissemination or publication of External Confidential Information. Purdue personnel are expected to diligently comply with the restrictions and protocols specified in the applicable Confidentiality Agreements and to make a good-faith effort to know and apply Purdue’s recommended practices found:
- On this page,
- At Secure Purdue: Security Requirements for Handling Information, and
- By the Information Security and Privacy (VII.B.8).
Forms
Personal Acknowledgment Form – Download
NDA Information Sheet – Download
Best Practices for Handling and Safeguarding External Proprietary Information
- The Primary Recipient is the individual identified at contract execution who is the control point for access to the External’s Confidential Information.
- The Primary Recipient is responsible for:
- Determining who has a legitimate “need to know”, consistent with the specific purpose for which the External Confidential Information was shared.
- In some cases, the Export Controls Officer will require that personnel with access to External Confidential Information to sign a Personal Acknowledgement Form documenting their responsibilities.
- Ensuring that any contract specific measures are understood and followed.
- Keeping any necessary records (such as summaries of External Confidential Information that is received orally or visually).
- When in possession of hard copy confidential documents use cover sheets that appropriately label the document as confidential. Include specific notice of restrictions on the use of the data or information).
- Electronic files containing confidential information should be titled as confidential.
- If received orally or visually and identified at the time of disclosure as confidential, the recipient should summarize in writing and provide that summary to the applicable Primary Recipient.
- Limit use to only the intended purpose.
- External Confidential Information should not be used for design or reverse engineering or any other use but that which was specified without the written permission of the disclosing party.
- Limit access to only those Purdue personnel who have a legitimate “need to know”, consistent with the specific purpose for which the External Confidential Information was shared.
- Special consideration of the Export Control implications must be given if access is sought for a Foreign Person. Prior to granting access, contact the Export Controls team at rsec@purdue.edu, if this situation occurs.
- Note: External Confidential Information shall not be shared with a non-Purdue person without the approval of the Export Controls Officer, and only after it is determined that such disclosure is authorized by the agreement under which the information was shared. Such disclosure may require an additional agreement binding the new party.
- Secure physical items (documents, materials, hardware, etc.) that include External Confidential Information at all times when not in use in locked cabinets or rooms with access limited to those with need to know.
- Store electronic files containing External Confidential Information on Purdue owned devices.
- Encrypt electronic files containing External Confidential Information even if the data resides on stationary systems.
- Do not email External Confidential Information “in the clear,” even within the Purdue network. If you need to share files securely, consider using one of the following methods:
- When discussing External Confidential Information, make sure that only those Purdue personnel with a need to know and who understand their confidentiality obligations can hear.
- When External Confidential Information is being shared, make the participants aware and remind them of their obligations.
- Ensure that all copies (physical or digital) are destroyed or returned to the disclosing party. Primary Recipient should make sure any disposition requirements in the applicable agreement are also followed.