Guidance for University staff on data protection and information compliance issues for using a specific piece of cloud software or services Before you start using any new third party based software or services for University business, you must carry out due diligence to ensure that University information will be secure and appropriately managed. This guidance is relevant to software or services where the University intends to transfer data to the relevant service provider so it is hosted in the cloud, as well as the use of cloud based or other software where the University asks users to provide data directly to a software or service provider. This checklist covers some of the main points you need to consider from a data protection and records management perspective. Before you start Check with Information Services if any existing centrally supported University software meets your requirements. This will usually be the simplest option. Contact Information Services Our wiki also has a list with some of examples of software that have come up in previous enquiries. Wiki list of supported cloud software: University login required Checklist 1. Personal data must be stored inside the UK or in a country approved by the European Commission as offering adequate protection for personal data. (This includes personal data held on back ups and anyone accessing personal data remotely). If the company is not able to guarantee this, you should not use the cloud service. European Commission list of approved countries If the company is based anywhere else, you will have to complete an International Data Transfer Assessment. Contact the DPO for this at dpo@ed.ac.uk 2. Does the company offer an appropriate level of security for the sort of data that will be processed by the cloud service? Consider the level of security needed for personal data and any other sensitive University information, as well as the risks to the University or data subjects if the data was lost or damaged. Contact the Information Security Division for advice. Contact the Information Security Division 3. Will you be able to manage information retention? Is it possible to delete or take down information once your need for it has ended? Will the service provider remove information once their need for it has ended? If you need to keep the information for many years (e.g. because of research funding council policies on data retention), does the external service provider have arrangements in place to ensure the long-term survival and security of the data despite risks such as technological obsolescence and software and data standard changes, or is it possible for you to make arrangements to preserve the data yourself locally? 4. Are the terms and conditions and privacy policy of the company acceptable? You should always read the terms and conditons and privacy policy in full before signing up to any cloud service. Be aware that many cloud service provider supplier will be reluctant to negociate terms. 5. The company must agree to sign an appropriate data processing or data sharing agreement. The standard terms and conditions and privacy policy of most cloud service providers are not normally sufficient, although some companies may not be willing to negociate. The University’s Legal Services team can provide advice and template agreements. Legal Services 6. Carry out a data protection impact assessment (DPIA) for your project. Data protection impact assessment guidance Approvals Ensure you obtain the appropriate approvals. This must include agreement from the data steward or owner of data, for example if your project involves sharing personal data about students from EUCLID it should be approved by the Director of Student Systems. List of Data Stewards: University log in required Refer to the University's Delegated Authority Schedule for information about who is required to sign any contract. Powers of delegation Legal Services have useful guidance on who you should contact for different kinds of contracts. Legal Services contracts guidance You also need to make sure you comply with any relevant University procurement regulations. Procurement department website This article was published on 2023-11-09