Procuring Accessible Technology

To ensure accessible electronic information technology, it is essential to ask vendors to explain how their products are accessible, test for accessibility and include accessibility assurances in purchase agreements.

What is the software review process?

UB's Software and Web-based Services Review is required to comply with federal and state regulations, SUNY and UB (University at Buffalo) policies, and industry best practice.

The goal is to identify potential problems before software is acquired or used to avoid serious consequences.

Our team of experts stays current on compliance requirements for accessibility, data security and business impact. The team consists of members from VPCIO staff and the Electronic and Information Technology Accessibility Officer.

What kind of software requires a review?

  • Desktop applications
  • Third party add-ins/plug-ins
  • Web-based services (hosted software)
  • Server-based software requiring installation on UB servers
  • Any service or software accessed by students or the public via UB or third-party websites
  • Any software that contains or exchanges Personal Identifiers (PID) or HIPAA data
  • Any upgrade from current on-premises to cloud-based services or software
  • Open source, freeware, shareware, and no-charge products

When is a review needed?

A software review can be initiated at any time:

  • When a faculty or staff person identifies a software need.
  • When a department is ready to move forward with a purchase or renewal.
  • When several products are being considered and a review could potentially help determine which product meets the data security and accessibility requirements.

Why is the review needed?

All technology requests must be reviewed for compliance with state and federal regulations and SUNY and UB policies. As SUNY is responsible for the data entrusted in its possession, all vendors handling, processing, transmitting, and storing SUNY data must undergo a risk assessment to ensure all vendors are securing SUNY data in accordance with SUNY policy and industry best practice. 

Technology purchases:

  • can put sensitive university data at risk;
  • may not meet the needs of the campus population with disabilities; and/or
  • may require integration with enterprise-level applications or university systems. 

Who does the review?

  • Financial Management reviews for credit card processing or payments, student fees, and/or rebates or refunds to the university.
  • Equity, Diversity and Inclusion (EDI) reviews for digital accessibility.
  • VPCIO reviews for data security, privacy and systems integrations.
  • Purchasing reviews agreements, contracts, terms and conditions.

Review Outcomes

Once all reviews are completed, the requestor will be notified if the requisition has been cleared, cleared with conditions or denied.

  • Cleared: Product aligns with policies, security standards, and accessibility requirements and may be acquired and/or used
  • Cleared with Conditions: Product aligns with policies, security standards and accessibility requirements but also needs to comply with conditions, requirements, or restrictions for acquisition/use
  • Rejected: Product does not align with policies, security standards and/or accessibility requirements and may not be acquired or used

The requestor will also be notified if any accessibility or security issues need to be resolved, if more information is needed, or if the contract language must be negotiated.

If more than one product or service is available that meets the needs of the department or college, the purchaser should consider the one that best meets UB’s accessibility and security standards.

Exceptions

In some cases, an exception may be granted when secure or accessible products are not yet available. These exceptions are narrowly tailored, limited in duration, and should describe the method through which equally effective alternative access will be provided. You may only request an exception after the initial accessibility and security reviews have been completed. Exceptions are discouraged and should be requested only when truly necessary. All exception requests and determinations will be made on a case-by-case basis.

Require Specific Information

One way to assess a vendor’s accessibility efforts is to require a completed Voluntary Product Accessibility Template (VPAT), also referred to as an Accessibility Conformance Report (ACR). A VPAT is a standard form used by companies to document how their technology meets (or does not meet) accessibility requirements.

The university requires that vendors demonstrate that information technology provided addresses each of the World Wide Web Consortium’s Web Content Accessibility Guidelines (WCAG) 2.1 Level AA success criteria.

It is important to understand that receiving a VPAT from a vendor does not guarantee that products are accessible. It is also important to verify the accessibility of hardware and software through consultation and testing.

Obtain Written Assurances

Vendors should be asked to commit to improving products that pose accessibility issues, and this commitment should be part of any purchase agreement. Sometimes, the best product for a unit's needs might not be fully accessible, but vendors can be asked to provide a written explanation of how accessibility improvements will be built in, with a timeframe for completion. Even if a product appears to be fully accessible, purchase agreements and contracts must include assurances of accessibility as the product is updated.