‘Cloud services’ is a general term for anything that involves delivering hosted services over the Internet. Many users will have encountered the Cloud as a way of storing their information remotely (e.g. iCloud, Dropbox, Google Docs). The term ‘Cloud’ was inspired by the cloud symbol that's often used to represent the Internet in flowcharts and diagrams.
Cloud services offer benefits including cost reduction, flexibility of scale and remote access. However, users need to consider the data privacy and legal compliance risks associated with the use of Cloud services for processing University data relating to individuals, or which is commercially sensitive.
The University recognises that failure to adhere to its legislative, regulatory and contractual obligations may result in significant financial and legal penalties and reputational damage. With respect to information relating to individuals as covered by the Data Protection Act 1998, the Information Commissioner’s Office can issue a monetary penalty of up to £500,000 if it determines that the University did not take reasonable steps to secure personal information, or acted in such a way as to knowingly put information security at risk. Responsibility for ensuring appropriate use of Cloud services in accordance with relevant legislation and University policies lies with the individuals managing, procuring or overseeing any such services.
The following steps should be undertaken when choosing to use cloud services for storing, processing and/or sharing University information:
- Identify the class of information you wish to store, process and/or share using cloud resources or services using the University Information Classifications.
- Refer to the guidance table to see which types of cloud service are appropriate for that class of information.
- Research possible services or providers taking into account the considerations set out in the Due Diligence Section in Annex A of the guidance.
Outside of the legal requirements around confidentiality and data protection, the choice of one service over another rests on its suitability to deliver the service and performance needed to achieve your purpose. Some partner organisations or research funders may stipulate specific storage and access requirements for their information, and it is important that these requirements are taken into account when deciding which service or provider to use. Failure to adhere to these obligations could result in legal or financial penalties, as well as potential reputational damage for the University.
- Undertake due diligence with the Institutional Resilience Team and the Purchasing Team as part of the standard procurement process. This process will vary depending on the cost of the service and the sensitivity of the University information to be stored, processed and/or shared via the cloud service.
You should perform the same steps and seek the same due diligence even if your preferred service is delivered free of charge.