Guidelines

Use of Cloud Services for Staff, Students and Visitors - Guidelines

Printer-friendly version
Body

1. Purpose and Objectives

This guideline provides principles to guide an evaluation of the suitability of Cloud Services and when they may be appropriate for the provision of IT services at UQ.

This guideline, and any applicable policies and procedures, should be reviewed before using Cloud Services or moving applications or data to a cloud based environment.

2. Definitions, Terms, Acronyms

User – all staff, students, contractors, third parties, clinical and adjunct title holders, affiliates, alumni and all other people who legitimately access UQ’s systems and/or network.

Personal Information – any information which identifies an individual or which allows his or her identity to be reasonably ascertained. In the University context, examples of personal information include home address, home telephone number, date of birth, marital status, next of kin; salaries and wages of University staff; all information concerning students, their enrolment, academic performance and their personal welfare (such as medical matters) and records of an individual student's library borrowings; information concerning persons who apply to the University for appointment or admission; information collected from or concerning human research subjects. It may include visual information, such as photographs of people.

Cloud Service – a service or resource made available to users via the internet from an external provider’s servers, possibly hosted internationally.

3. Guidelines Scope/Coverage

This is a University-wide guideline which applies to all users of University ICT resources.

4. Guidelines Statement

Cloud computing services are used for various purposes by the University, provided in the main by commercial third parties.

Cloud Services may not be appropriate for all applications and classifications of data. Where Cloud Services are used, the Cloud Services must be fit for purpose and used appropriately.

This guideline provides additional detail on cloud computing use, security, and suitability for hosting Personal Information.

5. Suitability of Cloud Services

An evaluation of the suitability of a Cloud Service needs to be conducted in accordance with relevant risk assessment guidelines provided by the University on a per case basis. Enterprise risk management documentation can be found at PPL 1.80.01 Enterprise Risk Management. Typically, it is found that:

Cloud Services may be suitable for use (with care and appropriate protections) to store or host data where the data is:

  1. of low commercial value;
  2. already publicly known or intended to be made public; or
  3. intended to be viewed by a large audience, potentially spread across multiple geographic regions.

Extra consideration around the suitability of Cloud Services should be taken if there is intent to store or host data that is or contains:

  1. commercially valuable;
  2. business-critical; or
  3. confidential; or
  4. Personal Information.

6. UQ Master Account

Many cloud providers provision a master account with the University when a service is provided. A master account allows UQ to ensure that particular Cloud Services are used most effectively and economically across the organisation as well as provide input into central provision and management of Cloud Services and vendors. Where UQ has established a master account with a cloud vendor/supplier, individual organisational units are encouraged to either use that master account or link their individual accounts with the master account.

Use of master accounts can benefit the University and its organisational units by making use of consolidated billing which may return a discount with bulk payments as well as create a centralised point of contact for support. Cloud Service master accounts are commonly managed by Information Technology Services to ensure consistency of communication with and service provision by service providers.

7. Security

The transfer of data to Cloud Services involves moving that data from infrastructure that is within the University’s direct control onto a network that is controlled by a third party. Storing data outside of the University may expose the data to various risks over which the University has limited control, such as data corruption, data loss and unauthorised access.

Security considerations around the use of Cloud Services must be examined in accordance with existing UQ policies and procedures (such as PPL 6.30.01 ICT Security).

7.1 Data security

Most Cloud Service providers only accept limited responsibility for securing customer data.

Some Cloud Service providers establish ownership of data once it is stored on their platform.

Users should ensure data of particular value or sensitivity is encrypted in transit and at rest using UQ approved cryptographic methods (PPL 6.30.01 ICT Security Policy section 9.8). Some cloud providers offer services using infrastructure that may be shared with other clients. An assessment of risk should guide a determination of the suitability of the security measures applied to safeguard data stored by service providers.

7.2 Data retrieval

Data stored using Cloud Services may not be backed up by the Cloud Service provider. Users should consider whether the data should be backed up in a different location when using Cloud Services.

Cloud Service providers generally offer little assistance when it comes to retrieving data from the service and may have a right to change the way in which the services operate at any time. This is another reason why users should consider accessibility of data and whether data should be backed up in a different location. The appropriateness of data protection should form part of the risk analysis referred to in section 5 of this guideline.

8. Personal Information

Use of Cloud Services must comply with existing UQ policies and procedures around data classification and privacy as outlined in PPL 1.60.02 – Privacy Management.

8.1 Privacy laws

The University has legal obligations under the Queensland Information Privacy Act 2009 in relation to the collection, storage, use and disclosure of Personal Information. Relevant to Cloud Services are the additional requirements around contracted service providers and transfer of Personal Information outside of Australia. The Queensland Information Commissioner has produced guidelines to assist compliance with these requirements, which are available from the OIC website here and here.

Contact the UQ Right to Information and Privacy Office for further information.

8.2 Storage of Personal Information

Cloud Services may be provided in Australia, or may be provided at disclosed or undisclosed locations outside of Australia. Use of Cloud Services in connection with Personal Information may involve a disclosure of Personal Information to the Cloud Services provider and/or transfer of Personal Information outside of Australia, which must be carefully managed.

In general, Personal Information should not be disclosed to Cloud Service providers unless they agree to be bound by the information privacy principles contained in the Information Privacy Act 2009, or a substantially similar binding obligation. All GITC accredited suppliers have agreed to comply with these requirements. Some Cloud Service providers may not agree to comply with Australian privacy laws or be responsible if there is a breach of those laws arising out of the University’s use of the Cloud Services. This could create a serious risk for the University, and these services should not be used to store data containing Personal Information.

Depending on the classification of data to be stored in a Cloud Service, considerations should be taken as to whether or not:

  • the Cloud Service provider has agreed in writing to comply with the information privacy principles contained in the Information Privacy Act 2009; and
  • the Cloud Service provider has agreed to store the data in Australia only
  • the data is encrypted in compliance with industry standards whilst in transit and preferably at rest; and
  • access to data is restricted using appropriate authentication methods provided by the University.

9. Using Cloud Services

9.1 Users of Cloud Services

The University may procure Cloud Services solely for the University’s internal purposes, or for use by users for broader purposes.

Users that are provided with access to Cloud Services must comply with the University’s policies (such as PPL 6.20.01 Acceptable Use of UQ ICT Resources) and any terms of use notified by the University in relation to specific Cloud Services.

The University may suspend or terminate access to Cloud Services at any time.

Some Cloud Services prohibit reselling or sub-licensing of those Cloud Services. As a result, use by different users may not be permitted. This may include other institutions, companies or facilities associated with the University.

Consideration should also be given to the proposed use of a Cloud Service to ensure that the use is permitted by the Cloud Service provider. If that use requires new functionality or services available from the Cloud Service provider, then this should be procured in accordance with University policies (such as PPL 9.40.01 Purchasing - Policy). Even if this functionality is free, the licence terms should be considered to ensure they are appropriate.

9.2 Permissible content

Any content loaded onto Cloud Services must:

  • comply with the University’s Acceptable Use of UQ ICT Resources - Policy;
  • comply with the acceptable use policy applicable to the Cloud Services; and
  • comply with all laws, not infringe any third party’s intellectual property rights and not be offensive.

A Cloud Service provider’s use policy must be reviewed to ensure that any data or content you transfer onto the Cloud Services does not violate such policy.

9.3 Community areas and forums

Some Cloud Services provide community areas or forums on which ideas can be shared. Users should be aware that any content that is posted or submitted to these forums may be broadly licensed to all users of the Cloud Services or ownership may even be transferred.

Users must be careful when using these forums. Confidential information or information that contains intellectual property owned by the University or a third party must not be uploaded onto these forums.

Custodians
Chief Information Officer
Mr Rob Moffatt
Custodians
Chief Information Officer
Mr Rob Moffatt