Cloud Computing' Service Choices in your University-Role and your Personal Life
Cloud computing is often defined as a way of broadly sharing and consuming computer resources via the internet rather than through your individual computer. More specifically, cloud computing can be considered as an internet- or web-based alternative to using your computer's specific applications. Web-based e-mail from Yahoo!, Google and many others are examples of these alternatives to your personal computer's Outlook or Apple mail application programs. Google Docs provides a 'lite' alternative to your personal computer's word-processing, spreadsheet, and presentation application programs. The variety of 'cloud' services available to the general consumer today is unprecedented. The use of 'Cloud' applications has become as 'personal' as the use of applications that reside on a 'personal computer'. Many of these services offer features and functionality at little or no cost to the end-user. That said, free service offerings may actually involve hidden, non-monetary costs to those who are unaware of the 'cloud' service model or the terms and conditions that are implicitly or explicitly agreed to as a result of using these services. As a user, it is important to be aware of certain key concepts and their applicability to your use of 'cloud' service technologies so that you can protect yourself and the data that is important to you and the institution.
The University of Minnesota has an obligation to protect its legally protected private data (i.e.: student information covered by FERPA, health information covered by HIPAA, ...etc) and other sensitive intellectual property and research data. Legally protected private data is information that requires regulatory compliance as a result of legislation. Therefore, this type of information is of ‘high consequence’ in that it could result in financial penalty and reputation risk to the institution. This risk requires that faculty and staff know and understand the institution’s policies, strategies and practices for protecting private data as defined by the law. These strategies and practices are outlined in the University’s Securing Private Data Standard
This document is intended to help students, faculty, and staff make well-informed, thoroughly considered choices about the appropriate uses of technology services in the context of protecting sensitive or private data. Technology services, for the purpose of this document, are defined as those technologies that are managed by the University and those that are not. The following is an overview of the considerations that students, faculty and staff members ought to keep in mind as they use technology services that are provided by – and are not provided by – the University of Minnesota.
The following two concepts serve as a foundation for understanding and applying strategies to safeguard your personal data and the institution's high-consequence data:
Systems of Record. Private and sensitive data should remain in the systems that have been architected and designed to store such data. These systems are often referred to as ‘systems of record’ where the role of these systems have been carefully considered and the associated management control processes are carefully articulated, monitored, and tested. Information such as student grades and patient data should remain in the systems that have been created to meet the security requirements and standards that meet the tests for legal compliance.
Examples of these systems include:
· Health Care systems (i.e.: Electronic Medical Record, patient appointment, etc…)
· Student systems (i.e.: PeopleSoft)
· Human Resource systems (i.e.: PeopleSoft)
· Financial systems (i.e.: PeopleSoft, Banking systems)
· Course Management systems (i.e.: WebCT Vista, Moodle)
· Donor Management systems (i.e.: DMS)
Data De-Identification as a General Practice. In general, ‘data’ is de-identified when it is not possible to reasonably ascertain the identity of a person from that data. This is often predicated on circumstance and context. Data de-identification is recommended when sharing sensitive or private information with technology tools that are not part of the ‘system of record’. This practice is always recommended – regardless of the technology service, how the technology service is managed, or who manages the technology service.
Applying these Key Concepts
E-Mail is not an appropriate tool for sharing sensitive or private data. E-mail is an inappropriate mechanism for sharing sensitive data because of the technology’s failure to guarantee delivery, inability to protect data in transit, and loss of message control once sent.
Do not use e-mail to send sensitive or private data. When this is not practical, de-identification is essential to assuring the sensitivity and privacy of the data.
Cloud Services and your University Role: Do not use e-mail to communicate sensitive or legally protected private data.
Cloud Services and your Personal Life: Do not use e-mail to communicate sensitive or legally protected private data.
Collaboration systems have been designed for sharing information among a group of individuals who choose to share digital documents or files. These systems include control and file-sharing mechanisms that provide access to data without the need to create copies for re-distribution. Conversely, access can be revoked when it is no longer necessary to share the information.
Cloud Services and your University Role: Tools are available to University faculty and staff for sharing sensitive or private data provided that they are practicing the key concepts described above. Where it is impractical to apply these concepts, then data de-identification is essential to assuring the sensitivity and privacy of the data.
University of Minnesota-Managed Systems designed for collaboration when working with legally protected private data:
o Active Directory
Cloud Services and your Personal Life: Your health-care provider and financial institution, for example, likely provide on-line systems for managing your health and financial resources. These systems serve as the systems of record described above. It is never a good practice to place sensitive or legally protected private and personal data like your social security number, bank accounts, passwords, ...etc. in collaborative tools outside systems of record.
Examples of Personal / Private Systems designed for Collaboration when working with legally protected private data:
o Your On-Line Banking System
o Your On-Line Health-Care System
User Acceptance / Click-Through Agreements
The choice to use a 'cloud' service is generally made by individual users. These users individually indicate their acceptance of the service provider’s terms of service/use (which often define content ownership and licensing rights) through a “click-through” agreement process. A "click-through" agreement is considered to be a binding contract.
Terms of service/use vary widely between providers, and agreeing to them can grant a broad range of rights to the provider for content that is placed in the service. As content often includes sensitive data, valuable intellectual property or institutional business records, it is important that all individuals take responsibility for their own individual choices to protect against the loss or unauthorized access and use of the content.
Cloud Services and your University Role: In your role at the University, content that you manage may often include sensitive data, valuable intellectual property, or institutional business records. These data are of 'high-consequence' for the institution.
University policy states that the University of Minnesota's Office of the General Counsel (OGC) has the responsibility to negotiate the institution's terms of agreements to whom it is contracting. Individual University faculty and staff members who enter into a contractual agreement with a vendor on behalf of the University need to be aware of this University policy. Because a "click-through" agreement is considered to be a binding contract, a faculty or staff member should not automatically agree to on-line managed/cloud service "click-through" terms on behalf of the University without carefully understanding the types of data that will be used in the service and how the service provider will manage the data.
Contact the Office of Information Technology's Software Licensing group (firstname.lastname@example.org) if you have questions or are unsure of a 'click-through' agreement. This OIT group will involve the General Counsel should they be needed to provide guidance.
Cloud Services and your Personal Life: When considering whether a 'cloud' technology service is appropriate for use, it is important to consider the following factors:
· Terms of service/use: The terms of service/use of many managed technology services are non-negotiable. The only choice available to the user is to accept or decline the terms, therefore it is important to understand what one is agreeing to before accepting the terms.
o Ownership of content: Terms often state that ownership of content is retained by the individual and that the service provider claims no ownership. Who owns what is an important issue that should always be stated in clear language.
o License to use content: It is important to look carefully at what licensing rights to the content will be granted. It is common for terms to include language stating that by using the service, the individual grants the service provider (and others) a broad range of rights to use, reproduce, distribute and publicly display the content. Caution is required to assure that only content the individual intends to share is made available to others and that all other content is not accessible to others.
o Modifications of the service, terms and/or policies: Terms often state that the service provider can modify the service, its components, the terms of service/use, policies and the overall business model from time to time. It is desirable if terms include information about how the service provider notifies customers of such changes, the amount of advance notice customers will receive, and what are conditions for opting out of the service if the terms are not agreeable.
o Privacy and security policies: All service providers should identify what information the provider collects and when and to whom such information can be disclosed. Also desirable are descriptions of information security measures to insure protection against unauthorized access, alteration and destruction of data.
o Indemnity: Terms often state that the service provider is held harmless if customer data is damaged/unavailable or if the service is not accessible. Caution is advised here, as the terms of some service providers are very one-sided (in the service provider’s favor) and may include language about customer liabilities and commitments to pay legal expenses for the service provider.
· Data formats supported: It is a good practice to understand what data formats are supported by service providers. If a service provider uses proprietary formats, it may be more difficult to use the data in other applications. Standard, non-proprietary data formats simplify data sharing, prevent becoming locked in to a specific service, and can be a key factor in planning an exit strategy for migration out of the service.
· Data backup and restoration are often not included as responsibilities of the service provider. To protect against loss of data, individual users should have robust, tested processes for backing up and restoring data – or an acceptable data management strategy that ensures the integrity of the data.
· Data purging: It is a good practice to understand how long copies of data stored in a service are kept. It is common for service providers to keep residual copies of data (due to replication on many servers and copies saved for disaster recovery purposes) for some time. Service providers should explicitly state how long it will take for these copies to be deleted from their systems.
· Effects of termination: It is important to know what happens when an agreement with a service provider is terminated. Service providers should indicate any provisions, time lines and fees related to exporting customer data from their systems. Caution is needed here to insure data are not lost, as it is common for service provider to delete all data immediately when an agreement is terminated.
Treatment of Specific Categorical Types of Data
The following information is designed to help you know what to do with certain categorical types of data that you may encounter in the use of digital tools and services. This guidance applies primarily to your University role – but also to your personal life as well.
These are general approaches. See individual Service Statements (http:XXX) for specific information about these data types and their appropriate use in University managed / arranged technology services.
Technology Use and FERPA Protected Information
Keep Data in Systems of Record. As a general principle, legally protected private data (in this case student data protected by FERPA) should remain in the ‘Systems of Record’ that have been architected and designed to store such data. FERPA data should remain in the course management, PeopleSoft, …etc. systems that have been designed for these types of data. You should not remove these data from these systems. If this is simply not practical, then you need to de-identify the data to assure its privacy.
Email is Insecure. E-mail, by it’s nature and in general, is an insecure medium for sharing sensitive information. Just as you wouldn’t include your social security number or credit card number in an email message, nor should you include FERPA in e-mail. If this is simply not practical, then you need to de-identify the data to assure its privacy or be certain that your message remains private to those who are permitted to see the protected data.
Collaboration Tools. Collaboration tools are used for individual or group interactions and are an effective instructional technology. In instances where collaborative tools are used for group projects and data covered by FERPA exists, only those who are permitted (i.e.: the students in the group and the instructor) to see the FERPA data should have access to it. In instances where the group needs to be expanded or a collaborator is added and student information covered by FERPA exists, student permission is required prior to making the protected data available to the new collaborator.
Technology Use and HIPAA Protected Information
Keep Data in Systems of Record. As a general principle, legally protected private data (in this case Protected Health Information/PHI) should remain in the ‘Systems of Record’ that have been architected and designed to store such data. HIPAA data should remain in the electronic medical records, patient health, patient scheduling, …etc. systems that have been designed for these types of data. You should not remove these data from these systems. If this is simply not practical, then you need to de-identify the data to assure its privacy.
Email is Insecure. E-mail, by it’s nature and in general, is an insecure medium for sharing sensitive information. Just as you wouldn’t include your social security number or credit card number in an email message, nor should you include HIPAA in e-mail. If this is simply not practical, then you need to de-identify the data to assure its privacy.
HIPAA / PHI data are legally protected and of high-consequence.
Export Controlled Data
Export controlled information is generally not permitted at the University of Minnesota. It can be a federal crime to share export-controlled information with collaborators who are not United States citizens or permanent United States residents. Because the requirements for Export Controlled data are contrary to the University’s Openness in Research Policy, found at www.umn.edu/regents/policies/academic/Openness_in_Research.html, the University of Minnesota takes every reasonable step to avoid receiving or maintaining Export Controlled information.
If you think that you have export-controlled restrictions placed on your data, see www.research.umn.edu/regulations/export_controls.html.
Please note that email, by its nature, is an unsecure medium for sharing sensitive information. Just as you wouldn’t include your Social Security number or credit card number in an email message, you should not include export-controlled data in email. If this is simply not practical, then you need to de-identify the data to assure its privacy.
Export controlled data are legally protected and of high consequence.
(Individual Service Statements will be updated to include to appropriate use of protected and sensitive data.)