Protecting External Confidential Information

On occasion, Purdue University and a research partner may want to exchange proprietary non-public information related to existing or prospective research (“External Confidential Information”). In these cases, often Purdue will enter into an agreement (“Confidentiality Agreement”) that obligates the university and its personnel (including faculty, staff, students or other individuals obligated to abide by the university’s policies and procedures) to use the External Confidential Information only for a specific purpose and not to disclose the information to third parties. When granted access to such information, individuals are expected to safeguard and prevent the unauthorized use, disclosure, dissemination or publication of External Confidential Information. Purdue personnel are expected to diligently comply with the restrictions and protocols specified in the applicable Confidentiality Agreements and to make a good-faith effort to know and apply Purdue’s recommended practices found:

After reviewing an NDA, the office of Research and Partnerships, Research Information Assurance Officer may require the recipients to complete Personal Acknowledgement Forms.

Proper Handling and Safeguarding External Confidential Information – Best Practices

Primary Recipient Responsibilities

  • The Primary Recipient is the individual identified at contract execution who is the control point for access to the External’s Confidential Information.
  • The Primary Recipient is responsible for:
    • Determining who has a legitimate “need to know”, consistent with the specific purpose for which the External Confidential Information was shared.
    • Ensuring that anyone granted access has a Personal Acknowledgement Form on file with the Research Information Assurance Office.
    • Ensuring that any contract specific measures are understood and followed.
    • Keeping any records (such as summaries of External Confidential Information that is received orally or visually).

Marking and Identification

  • When in possession of hard copy confidential documents use cover sheets that appropriately label the document as confidential. Include specific notice of restrictions on the use of the data or information).
  • Electronic files containing confidential information should be titled as confidential.
  • If received orally or visually and identified at the time of disclosure as confidential, the recipient should summarize in writing and provide that summary to the applicable Primary Recipient.

Proper Use

  • Limit use to only the intended purpose.
  • External Confidential Information should not be used for design or reverse engineering or any other use but that which was specified without the written permission of the disclosing party.

Determining access

  • Limit access to only those Purdue personnel who have a legitimate “need to know”, consistent with the specific purpose for which the External Confidential Information was shared.
  • Special consideration of the Export Control implications must be given if access is sought for a non-U.S. Person. Prior to granting access, contact the Export Control office at exportcontrols@purdue.edu, if this situation occurs.
  • Note: External Confidential Information shall not be shared with a non-Purdue person without the approval of the Research Information Assurance Officer, and only after it is determined that such disclosure is authorized by the agreement under which the information was shared. Such disclosure may require an additional agreement binding the new party.

Physical Controls

  • Secure physical items (documents, materials, hardware, etc.) that include External Confidential Information at all times when not in use in locked cabinets or rooms with access limited to those with need to know.

Electronic/Digital Controls

  • Store electronic files containing External Confidential Information on Purdue owned devices.
  • Encrypt electronic files containing External Confidential Information even if the data resides on stationary systems.
  • Do not email External Confidential Information “in the clear,” even with in the Purdue network. If you need to share files securely, the University has available the secure Filelocker service (https://filelocker.purdue.edu).  You can use Filelocker to share files securely both with other Purdue personnel as well as with persons outside the University system.

Conversation Controls

  • When discussing External Confidential Information, make sure that only those Purdue personnel with a need to know and who understand their confidentiality obligations can hear.
  • When External Confidential Information is being shared, make the participants aware and remind them of their obligations.

Disposition of External Confidential Information when access is no longer needed:

  • Ensure that all copies (physical or digital) are destroyed or returned to the disclosing party. Primary Recipient should make sure any disposition requirements in the applicable agreement are also followed.
  • When an individual no longer has a need to know the External Confidential Information, the Primary Recipient should ensure both physical and electronic access is terminated.

Special Consideration given to publications or presentations (formal or informal)

  • Be aware of any approvals required by a specific project agreement and allow for the required time for the External Party to review the proposed publication or presentation.
  • When presenting information formally or informally, give special care to ensure the External Confidential Information is not disclosed.
  • For Industry sponsored research, consider if it is necessary to identify the name of sponsor.
Report Inadvertent Disclosures of External Confidential Information immediately to:

Research Information Assurance Officer:
Mary Duarte Millsaps
email:  millsaps@purdue.edu
Telephone:  (765) 494-0702

Quick Links

Purdue University, West Lafayette, IN 47907 (765) 494-4600

© 2017 Purdue University | An equal access/equal opportunity university | Copyright Complaints | Maintained by the Office for Research and Partnerships

If you have trouble accessing this page because of a disability, please contact the Office for Research and Partnerships at evprp@purdue.edu.