A Cloud Service is a free or paid service or software solution delivered over the internet by an external vendor. This service provides access to applications and resources, using infrastructure or hardware external to McGill. Personal and institutional (enterprise and research) data is stored, processed and transmitted outside of McGill infrastructure, “in the cloud”.
See Cloud 101 for an overview of Cloud Services.
What is the Cloud Directive and related Cloud Service Acquisition Process?
The Cloud Directive outlines McGill's obligations in securely acquiring and using Cloud Services. It describes the necessary protections (controls) to use cloud services, depending on the type of data involved and its required security and privacy needs.
The Cloud Service Acquisition Process describes in detail what steps need to be followed to acquire a Cloud Service. The process requires that a privacy, a contractual and an IT risk assessment be performed to evaluate if the vendor can deliver on their commitments to safeguard our data against theft, loss and corruption.
Why do we need the Cloud Directive and Cloud Service Acquisition process?
The main objective of the Cloud Directive and the Cloud Service Acquisition process is to:
- protect personal information (PI) as well as personal health information (PHI). Examples include: SIN number, date of birth, address, gender, medical records or bank account information (to name just a few)
- safeguard our institutional (enterprise) data, research data, proprietary information and intellectual property (IP)
- comply with applicable laws, regulations and standards
Students who leverage solutions that have been assessed and approved by McGill can do so knowing that their personal information is managed securely.
What happens if we don’t follow the Cloud Directive and Cloud Service Acquisition process?
If we don’t follow this directive and process, then we don’t have any assurance that our data is properly safeguarded, and as a result, our data privacy and Intellectual Property rights are not guaranteed. Our data could be prone to unauthorized use or loss.
In addition, we have a legal responsibility to safeguard our data. For example, personal information must be protected. In other words, if we are not safeguarding our data appropriately, we are in violation of the law.
What data needs to be protected in the cloud?
Any data that is confidential needs to be protected. This includes data whose protection is required by law or regulation, or governed by contract or McGill policies.
Here are a few examples of data to protect:
- Faculty members need to protect student personal information, and hence ensure that educational software for teaching and learning has been evaluated and approved.
- Researchers (including students working on research projects) need to protect their research data and the intellectual property associated with their research.
- Staff members need to protect other people’s personal information, such as employee files, medical information, student records.
Who needs to comply?
All members of the McGill University community must comply with the Cloud Directive and the Cloud Service Acquisition Process when acquiring and/or using paid or free Cloud Services. Research data and educational software used for teaching and learning are subject to the Cloud Directive as well.
How to get support?
We realize that it may be difficult to understand the details of McGill policies and directives. We, therefore, encourage you to contact itgovernance.its [at] mcgill.ca if you have questions or concerns. It will be our pleasure to assist and guide you through the process.