Software Procurement and Licensing Compliance
Computer software is a form of intellectual property and is generally covered under the same provisions of copyright law that protect music, books, and film from unauthorized copying, sharing, or distribution. When U-M or its constituents license access to software, it does not own the software and must abide by any agreement that governs the software’s use. Violations of the copyright, patent, or contract rights of the software’s licensor transgresses the law, university policy, and our shared institutional values. It can also result in damages and reputational harm to individuals and the university.
- Supports the proper use of software licensed by the university, or by an individual using U-M funds, to carry out its administrative, academic, teaching, learning, research, and clinical activities;
- Supports software asset management best practices by assisting departments, faculty, and staff in procuring, managing, and complying with the terms of licensed software;
- Acknowledges that members of the U-M community that use or purchase licensed software in compliance with this policy are accepting the terms and conditions contained in a click-through agreement or other applicable license agreement, and assuming the risks and obligations that may accompany such agreement on behalf of the university;
- Articulates appropriate use expectations for all members of the university community with respect to licensed and copyrighted software.
The Proper Use of Information Resources policy found on the Information Technology and Services (ITS) website and Procurement General Policies and Procedures found on the Procurement Services website serve as governing policies. This policy establishes additional requirements to ensure compliance with key provisions of both of the above policies.
This policy applies to:
- All software used for U-M administrative, academic, teaching, learning, clinical, and research activities, including software obtained through ITS, Health System Information Technology Services (HITS), or other school, college, or departmental software procurement;
- All software that is purchased and licensed from third-party vendors, developers, or companies irrespective of the university entity or individual that makes the purchase;
- The acquisition of software installed on local computers or servers by faculty, staff, workforce members, departments, and affiliates.
Authority to bind the university to contracts and agreements for software purchases or licensing is delegated to Procurement Services by The Board of Regents. Only limited delegation of authority is granted to department end users to commit funds for the purchase of software as provided for in this policy.
All software acquired for or on behalf of the university or developed by university employees is deemed university property unless specified differently in The University of Michigan Copyright policy found on the website of the Copyright Office and Section 3.10 of the Bylaws of the Board of Regents.
IV. User, Department, or Unit Requirements
It is the responsibility of software purchasers and users to procure and use software in a manner that strictly adheres to all applicable university policies as well as all licensing provisions, including installation, use, copying, virtualization, maintenance, service, restrictions on the permitted uses and/or the number of users, and other terms of the license. Note that splitting a transaction into smaller dollar amounts, delaying, staggering purchases, and using multiple staff members to purchase the same or related items to avoid the competitive bid process are serious policy violations.
A. Due Diligence and Compliance
a. Departments, units, and individuals should review the software procurement guidelines found on the Procurement Services website prior to finalizing any software purchase.
b. Purchasers of proprietary and open source software are frequently presented with an electronic license agreement or click-through agreement that establishes the purchaser’s rights and responsibilities to use the software after having agreed to the vendor’s terms and conditions. Once the agreement is accepted by an authorized user, a legally binding contract between the licensor and the university is established. A copy of the license agreement should be maintained by the authorized user.
c. Departments, units, and users must understand and comply with all terms and conditions of licensed software (including free and open source software). Common issues to examine include: non-infringement of copyright and limitations on transfer or sale when assets or equipment are divested or decommissioned. In no instance can the supplier be granted the right to audit.
d. Users who access university licensed software on personally owned devices must comply with all provisions of the licensing agreement and are further expected to comply with the provisions of the Communication Tool policy found on the Safe Computing website when accessing sensitive institutional data on such devices; some licensing agreements do not permit use on personally owned devices.
e. Users whose software purchases require institutional data to run should plan on the published timeframe of institutional data request processes to acquire access to the requested data.
B. Software Acquisition and Procurement Restrictions
a. University PCards or purchase orders can be used to purchase non-competitively bid software up to $5,000 and $10,000 total value respectively for administrative, academic, teaching, research, and clinical use. PCard purchases must comply with all terms and conditions of the PCard Cardholder Agreement.
b. Personal credit or debit cards should not be used to purchase software for institutional use. The preferred method of purchase is PCard.
c. Individuals may not procure software that will be used to access, process, analyze or maintain sensitive institutional data. Examples of sensitive institutional data include personally identifiable information (PII), protected health information (HIPAA), student education records (FERPA), payment card industry information (PCI), and export control research (ITAR). Such software may only be procured by ITS, HITS, or through a school, college, or departmental purchase.
d. Whenever possible the university prefers to rely on software developers or manufacturers to provide the export control status of software being obtained through a procurement activity. If the software will be used for any export controlled activities or the purchaser has reason to believe the software is subject to export restrictions, purchasers should request the Export Control Classification Number (ECCN) or U.S. Munitions List (USML) category for any software they are procuring.
C. Software Disposal and Return
a. All non-transferable licensed software should be permanently deleted before any electronic device or media is disposed of or transferred within U-M.
b. Departments, units, and users are contractually obligated to follow the terms and conditions relating to the disposal or return of the software if the software was purchased with funds from research, commercial, or government contracts or grants. In instances where the terms of the grant are in conflict with Property Disposition policy, the grant requirements will take precedence.
V. Violations of Software Licenses and Enforcement
Individuals at U-M are ultimately responsible for any infringing software on their computers or devices or for violating the terms and conditions of software licenses. Departments or units where infringing copies are located or whose staff members otherwise violate licenses are responsible for any fines or fees associated with the non-compliance of software license agreements and legal fees.
Violations of this policy may result in appropriate sanction or disciplinary action consistent with applicable university procedures up to and including suspension or revocation of computer accounts or PCard, non-reappointment, discharge, dismissal, and/or legal action. In addition to U-M disciplinary actions, individuals who commit copyright infringement are personally subject to civil and/or criminal fines and sanctions under the U.S. Copyright Act.
Replaces SPGs 601.03, 601.03-1