Use cloud services safely

Cloud services such as online booking systems or document storage sites are usually secure, provided you follow our advice for protecting your accounts, data and devices. However, if you’re putting University data “in the cloud” you need to make sure the data is treated securely in accordance with University policies. What’s more, security and compliance with the Data Protection Act are related, but they’re not the same thing. If the data contains personal information there will be extra hoops you need to jump through.

At a glance

  • Know the data you're going to share
  • Know who is responsible for the data
  • Seek permissions beforehand

 
AT OXFORD

Make use of internal services

Before you start using a particular cloud service, take a look at what the University has to offer. There are plenty of options available for sending surveys, sharing data and storing documents. And using internal services could save you the trouble of setting up agreements and carrying out due diligence. To find out what’s available, speak with your department or college IT manager, or with IT Services via the Service Desk.

Know your data

Before you use a cloud service, you should know what kind of data you're going to store or share, and who is responsible for it.

Know what kind of data you’re going to store or share. The University classifies data under three categories. Consumer cloud services are usually fine for public data and for most internal data. But they might not be secure enough for confidential data. You mustn’t use consumer cloud services for personal data unless you’ve both sought the necessary authorisation and consulted Legal Services.

Know who is responsible for the data. They might be internal or external to the University, and are accountable if things go wrong. They are responsible for deciding whether the data is public, internal or confidential, and should tell you whether there are any rules that prevent you from using a particular service. 

Consider Data Protection

If the data you share contains personal information (such as names or email addresses) you need to protect it in accordance with the Data Protection Act, even if it is classified as “public”. Seemingly innocuous tasks like sending a questionnaire through SurveyMonkey could lead to you falling foul of the law. Following the advice on this website will help you meet your information security obligations to protect data, but there is more to it than that. You should familiarise yourself with the University’s Data Protection Policy and seek advice from the Compliance team if you are unsure.

Protecting data stored outside of the EEA

One question that often comes up is that of geographical location. Many cloud services are based outside the European Economic Area (EEA) and if you're sticking any personal data there you'll need to consider the GDPR (General Data Protection Regulation). This doesn’t prevent you from using them, but it does mean you need to go the extra mile to apply an adequate level of security.

In practice this probably means one of two things, either to:

  • Make sure any contract includes the relevant "model clauses" approved by the EU, or
  • Obtain unambiguous and freely given consent from any individuals concerned

The quickest option is usually the second. You can do this by making users aware of the privacy policies for the service and providing a viable alternative if they don’t want to use your cloud service.

An example for Eventbrite might look like this:

Example, Eventbrite privacy policy

Eventbrite processes data (including any personal data you may submit by booking this event) outside of the European Economic Area. Please only submit any personal data which you are happy to have processed in this way, and in accordance with Eventbrite’s privacy policy, which is applicable to respondents. If you prefer not to use Eventbrite for responding to this invitation, you may respond directly to [insert email address].

 

For detailed advice on whether it’s OK to share data with cloud service providers see the IT Services Cloud Toolkit, and for further advice on complying with all of the principles of the GDPR contact your local Privacy Champion who can help guide you in the first instance.

IN DEPTH

What are the model clauses?

The model clauses are contractual clauses approved by the EU. They can be included in agreements with third parties to allow for transfers of data outside of the EEA. There are two key things to be aware of:

  • The clauses must be included in the agreement with all parties (including subcontractors or any affiliate companies)
  • Any agreement must cover the specific usage

By way of example, SurveyMonkey provides an ancillary agreement directly with its US affiliate which incorporates the model clauses. However, this has to be signed up to on an account-by-account basis.

For more information on the model clauses contact Legal Services.