Software Purchasing and Usage Requirements

Overview 

The Minnesota State system and the State of Minnesota have specific requirements and policies regarding the purchase and usage of software to ensure compliance with legal and data security requirements. This knowledge article outlines key requirements, considerations, and the process for software usage and purchasing within the Minnesota State system. 

How to Purchase Software 

The Minnesota State Office of General Counsel requires that all software be reviewed for legal compliance and data security risk.  

  1. Employee submits a review request. All software must be reviewed before purchase; fill out the review request online. Be prepared with information including:

     • Description of the product
     • If other Minnesota State institutions use it
     • The product’s company information/contacts
     • If it’s cloud-based or hosted locally
     • If IT assistance will be needed to maintain it
     • Details about what kind of data will be used

  2. University, System Office IT Security, and/or General Counsel teams review the request. This can take anywhere from a few days to several weeks to complete. Follow-up documentation and clarification from the vendor is often required.

  3. The employee is notified. The employee is provided with further information and next steps.

Legal Compliance 

All university-purchased software must comply with various laws and policies, including: 

  • Federal Educational Rights and Privacy Act (FERPA) 

  • Health Insurance Portability and Accountability Act (HIPAA) 

  • Gramm-Leach-Bliley Act (GLBA) 

  • Minnesota Government Data Practices Act (MGDPA) 

  • Minnesota State Board Policies (e.g., Policy 1A.2.2 – Delegation of Authority, Policy 5.14 Part 3, Subpart B – Contract Form Approval) 

Common Contract Clause Considerations 

  • Choice of Law and Venue: The State of Minnesota cannot agree to the laws of or litigate in another state.

  • Arbitration: Limits the ability for the State of Minnesota to litigate.

  • Limitation of Liability: Limits the liability of a vendor for breach of contract (including data breach).

  • Indemnification: Clauses that hold the vendor harmless for events. 

Cybersecurity and Privacy Risk Considerations 

  • Data Ownership: Understand who owns the data and what data is being stored, processed, or transmitted. 

  • Cloud Vendor Security: Assess the maturity of the cloud vendor’s security program.

  • AI Security: Understand how data is collected and stored in AI tools and whether or not data is used to train AI models.  FERPA prevents AI tools from using Student Data to train the AI models. 

Individual Software License Purchase Considerations 

Many software products include terms of service that do not meet several State of Minnesota statutes and Minnesota State board policies. If you would like to purchase a software license for your individual use, please follow the How to Purchase Software process above. The University Information Security team will help you understand the data security and legal process. 
