How to purchase software


Overview


Follow the steps below to ensure that any new software purchase or renewal complies with UC San Diego IT Procurement policies and receives the required security and privacy approvals before a requisition is submitted.

Critical Concepts


Steps to Take


Preparation 

Before initiating a software purchase or renewal request, complete the following actions: 

  1. Check the UCOP Technology Agreement Page to see if the software is already covered by a UC systemwide contract. These agreements often include pre-negotiated pricing, terms, and data protection provisions.
  2. Gather key information about the software’s purpose, the type of data it will process, and any new features or integrations.
  3. Identify whether this is a new purchase or a renewal (especially one older than 3–5 years or with expanded functionality).

Determine if an ITS Security Review Is Required

Ask yourself: 

  1. Is this a new software purchase?
  2. Is this a renewal that’s 3–5 years old or one with major scope or functionality changes (such as new features, integrations, or expanded use)?

If you said yes to either question, an ITS Security Review is required. Complete and submit the Vendor Security Review Request Form to begin the review process.

If you said no to both, no ITS review is needed.

Determine if a Privacy Review Is Required

Ask yourself: 

  1. Does the software process P3 or P4 data?
  2. Does the software include or rely on AI technology?

If you said yes to either question, a Privacy Review is required. Complete a Privacy Risk Intake Form with the Campus Privacy Office.

If you said no to both, no privacy review is needed.

Attach Approvals and Submit Your Requisition

Once all required reviews are complete:

  1. Collect approval notifications from both the ITS Security Review and the Privacy Review (if applicable).
  2. Attach these approvals to your final requisition in Oracle.
  3. Submit the requisition only after all reviews are complete.

 

Helpful Contacts & Resources


 

Topic | Contact / Resource
Data Security Reviews | Email oia-rc@ucsd.edu to check the status of an ITS security review.
Campus Privacy Office | Email ucsdprivacy@ucsd.edu for privacy-related inquiries.
UCSD Health Sciences Privacy Matters | Email hscomply@health.ucsd.edu for all privacy matters related to UCSD Health Sciences, including medical research.
Additional Resources | Visit the Software Acquisition Blink Page for comprehensive IT procurement guidance.

 

If you still have questions or need additional assistance, please submit a ticket.