Make use of internal services
Before you start using a particular cloud service, take a look at what the University already offers. There are plenty of internal options for sending surveys, sharing data and storing documents, for example, and using them can save you the trouble of setting up agreements and carrying out due diligence on an external provider. To find out what’s available, speak with your department or college IT manager, or with IT Services via the Service Desk.
Know your data
Before you use a cloud service, you need to:
Know what kind of data you’re going to store or share. The University classifies data under three categories: public, internal and confidential. Consumer cloud services are usually fine for public data and for most internal data, but they might not be secure enough for confidential data. You mustn’t use consumer cloud services for personal data unless you’ve both sought the necessary authorisation and consulted Legal Services.
Know who is responsible for the data. The data owner might be internal or external to the University, and is accountable if things go wrong. They are responsible for deciding whether the data is public, internal or confidential, and should tell you whether any rules (a funder’s conditions or a contract, for example) prevent you from using a particular service.
Consider Data Protection
If the data you share contains personal information (such as names or email addresses) you need to protect it in accordance with the Data Protection Act, even if it is classified as “public”. Seemingly innocuous tasks like sending a questionnaire through SurveyMonkey can lead to you falling foul of the law, because the responses and the email addresses you send the survey to are personal data. Following the advice on this website will help you meet your information security obligations to protect data, but there is more to data protection than security. You should familiarise yourself with the University’s Data Protection Policy and seek advice from the compliance team if you are unsure.
Protecting data stored outside of the EEA
One question that often comes up is that of geographical location. Many cloud services are hosted outside the European Economic Area (EEA), and if you put any personal data there the GDPR’s rules on international transfers apply. This doesn’t prevent you from using such services, but it does mean you need to put additional safeguards in place before the data leaves the EEA. In practice this usually means one of two things:
- Make sure any contract with the provider includes the relevant ‘model clauses’ (standard contractual clauses) approved by the European Commission; or
- Obtain explicit, informed and freely given consent from the individuals concerned.
The quickest option is usually the second. You can do this by making users aware of the service’s privacy policy, telling them that their data will be processed outside the EEA, and providing a viable alternative for anyone who doesn’t want to use your cloud service (consent isn’t freely given if there is no way to refuse). An example for Eventbrite might look like this:
For detailed advice on whether it’s OK to share data with a particular cloud service provider, see the IT Services Cloud Toolkit. For further advice on complying with all of the principles of the GDPR, contact your local Privacy Champion, who can guide you in the first instance.