University guidelines on use of external web (cloud) services

A) Executive Summary

These guidelines cover the use of external web services such as Google, Facebook and YouTube. These are occasionally called cloud services as there may not be a clearly identified location where information is being stored. There are seven key recommendations:

1. UON does not sanction the use of external (cloud) services where there is no corporate contract in place. If cloud services are used the agreement is between the individual and the provider (Google, for example).
2. Staff and students cannot be forced to sign up to external services in order to access course materials. For example, a tutor should not force students to signup to Facebook to obtain course notes.
3. Where cloud services are recommended, students and staff should be clearly informed then that these services are not run or controlled by UON.
4. There should be options for individuals to opt out of using external services. A UON sanctioned alternative should be provided for those who do not wish to share personal information with an external provider.
5. If staff or students use external services they should be made aware of the risks of using that provision. They are responsible for any consequences that arise from using UON data on such a service.
6. There are certain types of data that should never be stored in non-UON sanctioned external (cloud) services. This includes any personal or confidential information, any completed master copies of University information (final versions), and anything related to summative assessment.
7. Staff and students should be aware that any UON information held on external services may still be sought in response to requests under Freedom of Information and Data Protection legislation.

B) Background

The University of Northampton (UON) recognises that staff and students are increasingly using services beyond those which have been provided corporately. There is a dimension of provision which ranges from:

1. Managed Onsite (e.g., Exchange and QL Systems)
2. Managed Hosting – UON contracted services offsite (e.g., NILE and Turnitin)
3. Free hosting under a UON contract (e.g., Microsoft Apps)
4. Uncontrolled Hosting – free web services (e.g., Google Docs, Facebook, Twitter, and YouTube)

Cloud services are often used to describe those which are provided outside of the institutional provision (1) but many include those paid by the institution (2) and those provided at no perceived cost (3 and 4).

The types of information being generated by staff and students may be categorised into:

1. General
2. Confidential
3. Personal and Confidential

C) Benefits

Some of the services used in (3) and (4) provide additional functionality not provided institutionally (e.g., ability to collaborate with those outside of UON) and may be in regular use outside of the institutional setting.

D) Risks

Systems provided in (3) and (4) may be integrated with the UON identity management system (IDM) or more likely will mean that users will have to provision their own account and are likely to have access to this regardless of any UON action (e.g., at the end of an employee’s contract or when a student completes). Where there is lack of integration it means that there is no control over authentication / passwords from UON and that no assistance may be possible in the event of an issue in this area.

The use of multiple systems without clear navigation may provide confusion for end users who may have data located in many locations.

The nature of services provided in (3) and (4) further mean that there may be no control over the location of data storage which may mean external to areas with adequate data protection provisions (GDPR issues); the use to which that data is used for (e.g., data mining by the host); service support (data may be lost and not recovered); and continuity of service (e.g., the service may change to subscription model or be withdrawn at any point without notice).

E) Recommendations

1. UON should not prescribe services to use under (4) since this also implies duty of care (e.g., Microsoft email for life should be provided to students under the knowledge that they are using an external service).
2. Staff and students should not be forced to sign up to services under (4). For example a tutor should not force students to signup to Facebook to obtain course notes.
3. Where services (3) (4) are provided then clear navigation should be provided to them to indicate they are external to UON.
4. There should be options for staff and students to opt out of using services under (4).
5. If staff or students use systems under (4) then they should be made aware of the risks of using that provision and the fact that they may be responsible for actions taken on the data which has been put by them onto that service. This may include fines under GDPR and Data Protection legislation relating to misuse of personal data.
6. Personal information should only be located on service provided under (4) with full permission of those involved. Completed master copies of University information (final records) should not be held on these types of areas as they may at some point be requested in response to a Freedom of Information request
7. Staff should always consider the use of the University corporate SharePoint as the first choice for data storage and sharing where at all possible. Data stored on this system have a retention period set against them which ensures that information is not kept longer than is lawfully allowed. The University IT Department recommend the use of OneDrive as your personal drive.

F) Further Information

If there are any questions in relation to any of the guidance above then please contact the University's Data Protection Office at dpo@northampton.ac.uk

This guidance was created by the University of Northampton's Records Management Office on 26th March, 2012.
It was reviewed and minor revisions were made by the Records Manager on 15th March, 2021