Cloud Services
Use of Cloud Services
Cloud services are computing services provided and hosted by a third party. Such services include storage services (e.g. Dropbox, Box), computational services (e.g. Amazon AWS, Microsoft Azure, Google Cloud), and email services (e.g. Gmail, Outlook/Hotmail). When cloud services are used, all data is stored and processed on third-party systems outside of UW control. It is imperative that special consideration is given to their use in order to protect all members of the UW community, its partners, and the mission of the UW.
Storage of Confidential and/or Restricted Data
Confidential and/or restricted data refers to data that is subject to one or more laws, regulations, contracts, and/or policies that govern how it must be handled. These stipulations must be fully and carefully evaluated prior to providing data to a third party to ensure they are understood and adhered to. Some examples of confidential and/or restricted data include:
- Protected Health Information (PHI), subject to HIPAA
- Student data, subject to FERPA
- Personal information, subject to federal, state, and UW regulations/policies
- Protected research data, subject to applicable regulations and contractual obligations
- Confidential, protected, or sensitive UW finance data, subject to federal, state, and UW regulations/policies
- NIH-supplied human genomic data, subject to NIST 800-171, as well as any applicable regulations and contractual obligations.
Contractual agreements regarding the use, security, and privacy of data supplied to a third-party processor* are almost always required. Prior to utilizing a third-party service, please consult DOM IT for guidance by contacting us.
*Data processing is “Any operation(s) performed on Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, access, use, disclosure by transmission, dissemination, combination, restriction or destruction.”
Source: https://itconnect.uw.edu/guides-by-topic/privacy/reference-materials/glossary-of-privacy-terms/
Storage of Personal Data
Personal data refers to any record or information relating to an identified or identifiable person, including pseudonymized and de-identifiable data that can be made identifiable by using a data key, lookup table, contextual clues derived from the de-identified data, etc. Only data about one or more persons that has been completely anonymized such that it is impossible to render identifiable information from it can be considered non-personal data.
Depending on the type(s) of personal data used, who the personal data represents, and how the information will be used, a data processing agreement (DPA) with the third-party processor may be required before data can be provided. Information about DPAs, including the DPA Decision Support Tool document that serves as a checklist to see if a DPA is required, is available at https://itconnect.uw.edu/guides-by-topic/privacy/take-action/share-data/data-processing-agreement/. You may also contact DOM IT for guidance and/or assistance with understanding the requirements of using a third party.
Records Management
The UW is subject to federal and state regulations, along with UW policies, governing the retention requirements of records. Special consideration must be made when storing records with a third party to ensure these obligations can be met. UW Records Management Services includes guidance about the usage of cloud storage services such as Dropbox and Box:
Description
Box and Dropbox are popular examples of cloud-based services that allow for storing, accessing, and sharing of files as well as document collaboration.
Appropriate Use
Because the University does not have a contract with these companies and because of security and privacy concerns, these services should be implemented only after careful departmental consideration when other options cannot be made to work. Even under the best of circumstances, these unaffiliated third-party apps should be used only sparingly and for brief temporary storage recognizing that they create significant legal risk for your office and the University.
Warnings
It should be noted that limited access permissions can make it difficult for others in your office to access these records and can increase the burden of responding to public records requests, litigation, or audit. Before an employee separates from your office, any records with continuing retention requirements must be transferred to another employee or stored in a centralized location such as a network drive or SharePoint site or Google Shared Drive. UW-IT does not automatically preserve these records on your behalf.
Records Management Services also ties this guidance back to Washington Administrative Code:
Per WAC 434-615-020, offices and departments at the UW can use cloud applications to store university records provided that the records are managed properly. Managing records properly includes the ability to respond to audits, public records requests, and litigation, retain records for their full retention period, and delete records at the end of their retention period.
Source: https://finance.uw.edu/recmgt/resources/cloud-based-applications-best-practices
Approved Computing Resources
The following non-exhaustive list of computing resources is approved for storing UW data. Please note that not all listed services will meet all requirements for all types of data. For specific guidance on which computing resources will satisfy requirements for your data, please contact DOM IT.
- DOM IT provided storage (network drives)
- DOM IT SharePoint/DOMCloud
- UW Office 365, including OneDrive, SharePoint Online, and Teams
- UW Google Drive¹
- Amazon AWS², via UW’s existing contract
- Microsoft Azure², via UW’s existing contract
¹ UW Google Services are NOT approved for processing PHI.
² AWS and Azure resources must be carefully designed, managed, and operated to comply with data security policies.