Cloud service providers offer IT services to consumers and to organisations. Use of a cloud service usually means transferring data to the cloud service provider. Well known examples of cloud service providers include Dropbox, Amazon Web Services, Microsoft Azure, Google Apps and Drive, Microsoft Office 365 and One Drive.
If you are transferring data for which the University (or you as an employee of the University) has a responsibility to control and keep safe then you need to follow certain guidelines in order to remain legal or to follow good practice (depending on the nature of the data).
- Have a clear set of requirements in mind before assessing any IT solution, whether for supporting research, education or administration. It may be helpful to categorise your requirements as those that an IT solution must meet, and those which it should or could meet.
- Check that existing IT services provided by the University or your department or college will not satisfy your essential requirements. Existing solutions for storage, for example, that may be appropriate include Nexus SharePoint, WebLearn, OxFile (all three support data sharing with external parties) as well as storage services provided by your department or college. The Advanced Research Computing service or the University Private Cloud service, for example, may have server or computational resources that meet your requirements.
- Check if the University has negotiated agreements with preferred cloud service providers, whether for specific products or as part of a framework agreement of which departments and/or individuals may take advantage. Depending on the nature of the agreement it is very likely that you will remain responsible for ensuring the service meets your requirements (including any legal requirements) prior to using the service.
- Understand the terms & conditions: Be aware that if you sign-up to a cloud service in your role as a member of University staff, for example, you may be binding the University, not just yourself, to the cloud service's contractual terms. The University permits only certain officers to sign contracts on behalf of the University (Statute XVI). You have responsibility for safe-guarding University data in your possession. It is important to read and understand the terms and conditions before “clicking-through” and, if in doubt, consult with University Purchasing or Legal Services.
- Assess the data 1: Does the data include information about living, identifiable individuals? If so, the data contains personal data and must be controlled and processed in accordance with the Data Protection Act. If the cloud service provider is being used to enable University research, education or administration then the University (and you) remain responsible for ensuring there is no breach of the Data Protection Act.
- Assess the data 2: Even if the data does not include personal data, does the data include data that is sensitive, confidential or for which access should be restricted to (some or all) members of the University (internal data)? If so then there is potentially a reputational risk to the University, or even a financial risk (e.g. if the data relates to intellectual property or commercial contracts) if unauthorised access to the data is gained or if the data is lost or damaged.
- Assess the data 3: Even if the data is not confidential, is it valuable? Much data created during research or simply as part of your employment with the University is valuable data. If lost, it would be expensive or sometimes impossible to re-create. Keeping data safe is a principle that applies wherever the data is stored and you share in the University's responsibility to ensure that a cloud service provider is doing their part in keeping data safe (which in turn may, for example, partly depend on whether the cloud service provider holds the master data or only a copy).
If the data includes personal data then ensure you are familiar with the principles and implications of the Data Protection Act and the extent to which the cloud service provider enables the University to fulfil her obligations under the Act. In particular:
- A written contract is required between the cloud service provider and the University. Standard terms and conditions may not contain the requisite assurances for the protection of data (e.g. a cloud service provider may state that they will inform you when they move or process your data rather than seeking your consent or acting on your instructions).
- Establish in which countries the cloud service provider will hold or use the data being transferred. Unless explicit, informed consent has been obtained from the individuals concerned, personal data must be held within approved countries (in practice the European Economic Area) or must be protected by specific data protection clauses within the contract agreed between the cloud service provider and the University (see the Data Processing Clause in Schedule 2 of “Cloud services and data protection law”). Some specific exemptions to this rule exist – contact Legal Services if in doubt.
- Ensure that the cloud service provider will keep personal data secure. The University (and you) is responsible for the security of personal data wherever it is held. Data security includes ensuring no unauthorised access or use of the data and protection against accidental loss or damage. The contract with a cloud service provider should provide assurances around data security that are in conformance with the University's Information Security Policy (and appropriate for the type of data being protected).
If in doubt, seek advice from Legal Services.
You should ensure you are familiar with the following University regulations and policies:
- Regulations and policies applying to use of University ICT facilities
- University Information Security Policy
- University Policy on Data Protection
- and corresponding department or college policies.