If you are interested in using cloud or hosted IT services (or are already using one of these services), it is important that you are clear about the implications with regard to data protection and information security. Well-known examples of cloud service providers include Dropbox, Box, Eventbrite, Amazon Web Services, Microsoft Azure, Google Apps and Drive, Microsoft Office 365 and OneDrive.
Guidance has been prepared in the form of a toolkit to assist members of the University when assessing the suitability of the service for processing and storing data controlled by the University. The guidance is intended to be applicable to the University, its constituent units, and its members (whether staff or student). You may be:
- a researcher considering the use of cloud storage for your research data;
- a department seeking a cloud application to support prospective applicant engagement activities;
- a central service investigating the replacement of an existing 'on premise' system with a hosted, 'in the cloud' service.
What is common and important to all these scenarios is the processing of data considered valuable to the University and for which legal obligations may apply.
Top tips for getting started
Please refer to the full guidance before entering into any agreement for cloud services. However, key points to be aware of include:
- Check if there are existing solutions that meet your requirements: the University, your department or college may have an existing service or may have already negotiated an agreement with preferred providers. Your department or college IT manager, or the IT Services Service Desk, may be able to advise.
- Understand the terms & conditions: be aware that if you sign up to a cloud service in your role as a member of University staff (for example, using your University email address), you may be binding the University, not just yourself, to the cloud service's contractual terms. The University permits only certain officers to sign contracts on behalf of the University (Statute XVI). If in doubt, consult with University Purchasing or Legal Services.
- Assess your data: Is it personal? Confidential? Valuable? You may have legal obligations or responsibilities as an employee of the University to control and keep safe data in your possession. If in doubt, seek advice from the person responsible for information security in your department or college, or from the University's Legal Services.
Cloud Services Toolkit
The Cloud Services Toolkit includes detailed guidance together with particular aids relating to data protection and information security. The Toolkit was created by the Cloud Services Standards and Legal Working Group, which included members from Legal Services, Purchasing, IT Services and OUP. Please note that some links are publicly available whilst others are restricted to University members (requiring Single Sign-On authentication).
The toolkit comprises:
- Guidance - web pages providing guidance on the selection and use of cloud computing services relevant for any member of the University.
- Cloud services and data protection law - a brief guide to the obligations and responsibilities under the Data Protection Act with respect to cloud-based services, together with an approved Data Processing clause, prepared by Legal Services. This guide is complemented by a flowchart, ‘Data protection: when can the University share personal data with a third party contractor?’. This guidance is relevant to anyone contracting with a cloud service provider (and 'contracting' includes ticking a box accepting the provider's terms and conditions).
- Cloud Information Security Guidance - drafted by the Information Security Team, this provides guidance on the benefits and risks of using cloud services and what assurance activities should be undertaken to reduce identified risks. This is complemented by the Information security considerations flowchart for use when engaging a cloud services provider; an Information Security Checklist for desktop assessment of cloud services; and a Template for undertaking a third-party security assessment to be used as part of procurement. Whilst the guidance is provided for the benefit of all University members, the third-party security checklist is expected to be used in formal procurements.