Loading

Personal Cloud Based Storage Guidance

Purpose of this Document

This document gives guidance on the use of Personal Cloud Based Storage for University data.

This document and practises will be reviewed at least every 12 months

Review/Approval History for this Document:

Document Control:

Contents

Review/Approval History for this Document:.................................. 2
Document Control:.................................. 2
Contents.................................. 2
Executive Summary.................................. 3
Intended Audience.................................. 3
Assumptions and Constraints....................... 3
Definitions.................................. 3
Introduction.................................. 4
Advice and Guidance.................................. 4
Considerations.................................. 5
Cloud Storage and Information Security..................................5
Support.................................. 5
Other Supporting Documents.................................. 5

Executive Summary

This policy defines the acceptable use by University users whilst using Personal Cloud Based Storage, for the storage of Nottingham Trent University documents.

Intended Audience

This policy document applies to:

All NTU Users accessing Personal Cloud Based Storage Services
Any auditor, internal or external, appointed to review the process

Assumptions and Constraints

Nottingham Trent University (“the University”) is a data controller, for the purposes of the Data Protection Act (1998). It is assumed that all staff have an awareness of the Data Protection Act (1998) and that they understand the consequences of the loss of University owned personal data.

Definitions

Cloud storage is a cloud-computing model in which data is stored on remote servers accessed from the Internet or "cloud". Cloud storage services are maintained, operated and managed by a cloud storage service provider on storage servers generally in a data centre.

Cloud storage is also a service model in which data is maintained, managed and backed up remotely and made available to users over a network (typically the Internet).

Some examples of Cloud storage are: Office365 OneDrive, Dropbox, Google Drive, iCloud, Box, CrashPlan etc.

Data Controller - The Data Controller is a person, group or organisation (in this case the University) who determines the purposes for which and the manner in which any personal data are, or are to be, processed.

User – A member of staff, enrolled student, contractor, visitor, or another person authorised to access and use the University’s systems.

Introduction

Personal Cloud Based Storage solutions (such as Office365 OneDrive, iCloud, Dropbox, Google Drive, Box and Ubuntu One) have become very popular for storing, sharing and collaborating on various types of files, for example photos, documents, sound clips etc, as they provide an easy way to store various data online and access it from a variety of devices.

Their ease of use make them ideal for use in an academic context and they are often as convenient and accessible as our corporate systems. Their utility and synchronisation across a range of devices means that they are particularly useful for collaboration and in supporting smarter ways of working. As such, their use is encouraged for non sensitive corporate data, and Information Systems (IS) will provide specific advice on the more popular cloud based storage systems.

For solutions not covered by current advice or where terms and conditions change, IS will provide ad hoc advice on a reasonable endeavours basis, but users also should ensure their use of cloud based storage meets their needs within a range of important considerations.

Advice and Guidance

Advice and guidance on all aspects of this Policy are available via the Information Systems Service Desk:

Web: https://support.ntu.ac.uk

Email: support@ntu.ac.uk

Phone: 0115 848 8500

Advice and guidance on Data Protection legislation are available from the University’s Legal Services Department.

The risks to consider when using Personal Cloud Based Storage solutions are:

There is no guarantee of data confidentiality.
The data may be stored outside the European Economic Area, so will not be covered by EU data protection laws. In other jurisdictions it may be accessed or removed without your knowledge or consent.
There are no safeguards about the continuing existence of the data and no guarantee that your right to access it will be maintained.
The data may be altered or corrupted without your knowledge, and you won’t have any way of getting uncorrupted data back
If the files are accidentally deleted there is no backup nor are their any guarantees that the data is recoverable.
Most cloud storage providers do not keep records of who has accessed or downloaded your data
Most cloud service administrators can access ANY content on the site, and if access is compromised, all cloud service data is automatically at risk of compromise.

Considerations

When using cloud based storage systems, you should consider and ensure that the following requirements are met:

Obligations under the Data Protection Act, including safe harbour requirements, are met. Most do, but worth checking.
The cloud based storage terms and conditions with regard to intellectual property right meet your requirements. Note that in the past some cloud based storage operators claimed rights to all material stored and still might not offer sufficient protection for intellectual property or commercially sensitive information, so this aspect is worth checking.
Cloud based storage solution do not generally provide a specific reliability service level. While cloud based storage solutions are generally very reliable they mostly do not provide a defined service availability level or any form of indemnity against information loss.
The true copy of any information defined within the University’s Document Retention Schedule must be held within University systems.

Cloud Storage and Information Security

The University will not monitor the content of your personal Cloud services, however the University reserves the right to monitor and log data traffic transferred between your cloud service and University systems, both over internal networks and entering the University via the Internet.

In exceptional circumstances, for instance where the only copy of a University document resides on a Personal Cloud Service, or where the University requires access in order to comply with its legal obligations (e.g. under the Data Protection Act 1998, the Freedom of Information Act 2000, or where obliged to do so by a Court of law or other law enforcement authority) the University will require access to University data and information stored on your personal cloud service. Under these circumstances all reasonable efforts will be made to ensure that the University does not access your private information.

You are required to conduct work-related, online activities in line with the University’s Computer Use Regulations. This requirement applies equally to Personal Cloud Storage used for to store University data and files.

Support

Help and advice is available on a reasonable endeavours basis, via the Information Systems Service Desk, including help installing and configuring cloud applications.

Support forums are maintained at https://support.ntu.ac.uk/

The University takes no responsibility for supporting, maintaining, repairing, insuring or otherwise funding employee-owned cloud storage, or for any loss or damage resulting from support and advice provided.

Other Supporting Documents

NTU Computer Use Regulations – Regulations accepted by Users when granted access to the University Computer Network. 

Information Systems Security Manual – Regulates the manner in which Information Systems are managed to ensure the security of information assets.

Have more questions? Submit a request

Comments