This proposal is for a: / ✓ Policy / Procedure / Guidelines
Cloud Computing [Working Title]

Category or Type / Information Technology
Originally approved by, and date
Last approved revision
Sponsor / Registrar or Director of ITS
Responsible Officer / Manager Strategy and Planning
Date Policy will take effect / [Date from which the Policy, Procedure or Guidelines come into effect]
Review date / [Two calendar years from date of implementation and every five years after that]
Purpose

The purpose of this policy is to guide University staff in the appropriate manner of storing data or information in non-University storage facilities, often referred to as ‘the cloud’, ‘cloud computing’ or outsourcing.

This policy also provides a checklist of recommendations for staff considering the use of such services; however, it is strongly recommended that staff seek expert advice when using these services.

Organisational Scope

This policy applies to all University of Otago data or information resources which are stored with or hosted by any party other than The University of Otago within one of its Data Centres.

Definitions

[Supply definitions of jargon or key words used.]

Content

The University provides facilities for secure storage of data and information; however, it is recognised that there may be instances where staff need to use applications which store data in non-University-owned facilities. These services include, but are not limited to:

(a)  Consumer services such as: Google Docs, Dropbox, Gmail, Hotmail, iCloud, MobileMe, etc.

(b)  The New Zealand Government Cloud Programme which offers storage or services on a pay-per-use or subscription basis.

(c)  Software as a Service (SaaS) applications which store data in non-University-owned facilities, such as Project Management software, Customer Management software, Patient Management software, Task software or Reader software, etc.

Use of outsourced data storage or cloud computing resources must be in compliance with all other University policies and procedures and relevant legislation. It is the responsibility of University staff using such services to ensure that they are aware of, and are fully compliant with, all relevant policies, procedures and legislation.

Staff who use cloud computing or outsourcing facilities are also responsible for ensuring compliance with the following:

1.  Evaluation Process:

(a)  When deciding to use a cloud-based service or to store information or data in a facility which is not owned by the University, it is the responsibility of the staff member using the service or storing the information or data to consult with appropriate data stewards, process owners, stakeholders, and subject matter experts during the evaluation process.

(b)  The Registrar or the Director of Information Technology Services should also be consulted for guidance.

(c)  The consultation and decision to store data in a non-University facility must be documented.

2.  Intellectual Property and Copyright:

(a)  Information or data must not be stored in any facility where the University’s intellectual property, copyright, trademarks or patents may be compromised.

(b)  Information or data may not be stored in such a way that allows unauthorised parties to claim ownership of the information or data.

(c)  When information or data is stored in a facility which is not owned by the University, it is the responsibility of the staff member storing the information or data to ensure that no contract or legal agreement is entered into which may compromise the University’s intellectual property, copyright, trademarks or patents.

3.  Privacy and Data Security:

(a)  Information or data that has been marked as confidential, sensitive or secret may not be stored in such a way that the information or data could be accessed by any unauthorised parties.

(b)  Student information, staff information, or any other personally identifying information must be stored in a manner which fully protects the privacy of the individual and is fully compliant with all relevant privacy legislation.

(c)  It is the responsibility of the staff member storing the data to ensure that physical and logical security measures adequately protect the information being stored. Staff should consult with Information Technology Services where any security issues are unclear.

(d)  Staff should consult with the Registrar for assistance where privacy issues are unclear.

4.  Records Retention and Availability:

(a)  All Public Records, whether instructional, administrative, or research, must be stored and retained according to the University Records Management Policy and the General Disposal Authority.

5.  Requirements of Cloud Services:

The following guidelines are intended to assist units in their approach to evaluating the prudence and feasibility of using cloud computing services. This is not an exhaustive list and it is recommended that staff consult with the Director of Information Technology or the Registrar when considering the use of cloud-based services.

(a)  Cloud-based services may have ‘click-to-accept’ agreements that incur legal obligation or risk. By accepting such terms, staff could be held personally liable.

(b)  Ensure a Service Level Agreement (SLA) with the vendor exists that requires:

(i)  clear definition of services

(ii)  agreed-upon service levels

(iii)  clearly defined physical and logical security conditions

(iv)  performance measurement

(v)  problem management

(vi)  customer duties

(vii)  disaster recovery

(viii)  termination of agreement

(ix)  protection of sensitive information and intellectual property

(x)  agreement on the disposal of information when required

(xi)  definition of vendor versus customer responsibilities, especially pertaining to backups, incident response, and data recovery.

(c)  An exit strategy for disengaging from the vendor and/or service should be planned before committing information or data to a cloud computing or outsourced service. The exit strategy should outline how the relevant records will be preserved and maintained, and how the service can be discontinued or transitioned to another provider.

Related Policies, Procedures and Forms

Records Management Policy

Computer Regulations

Acts:

-  Public Records Act 2005

-  Electronic Transactions Act 2002

-  Official Information Act 1982

-  Privacy Act 1993

-  Protected Disclosures Act 2000

-  Evidence Act 2006

-  Public Finance Act 1989

-  Taxation Administration Act 1994

-  Education Act 1989

-  Crown Entities Act 2004

-  Employment Relations Act 2000

Standards:

-  The Creation and Maintenance of Full and Accurate Records Standard

-  The Storage Standard

-  The Electronic Recordkeeping Metadata Standard

-  The Digitisation Standard

Contact for further information about this Policy

If you have any queries regarding the content of this policy or need further clarification, contact Tracy Huntleigh-Smith: Telephone 03 479 8155.

Implementation Process

All Policies, Procedures and Guidelines must include an implementation plan, which should respond to each of the following headings:

Person responsible / Tracy Huntleigh-Smith
Communication strategy / Publication on the University Policy Database and ITS Web Pages. A series of workshops will be planned in conjunction with the Electronic Records and Document Management Project, which will seek to advise University staff on how to safely use Cloud resources.
Other Actions/tasks / [What action or tasks will need to be undertaken to implement the Policy, Procedure or Guidelines?]
Resources / [Will the implementation cost money? Printing costs? Staff time? What is the estimated cost of implementation?]
Completion Date / [When will the implementation be completed? If the action or tasks are to be completed in phases what are the completion dates for each phase?]
