Data Protection Considerations for Cloud Services Guide
Before using any new software application or service hosted by a third party to process Institutional Information or conduct university business, several due diligence tasks must be carried out to ensure that the information will be secure and properly managed.
This guidance is relevant to any software or services where The New School intends to transfer Institutional Information to a service provider so that it will be hosted in the cloud, as well as the use of cloud-based or other software where the university asks individuals to provide data directly to a software or service provider. Terms that may be used to describe these types of arrangements include:
- web services
- cloud services
- hosted or cloud-hosted
- application service provider
- Software-as-a-Service (SaaS)
- Platform-as-a-Service (PaaS)
- Infrastructure-as-a-Service (IaaS)
Before looking for a new service
Check with the Office of Information Technology to find out if suitable software or services are already available.
- The IT website offers information about available software and services to support teaching and learning, business operations, and collaboration.
- Contact IT Central to ask about a specific capability.
The following should be confirmed about any new software or service prior to moving ahead to the contracting and purchasing stages:
- If the software or service will be used to Process Personal Data, that data must be stored within the United States or in a country approved by the European Commission as offering adequate protection for Personal Data. This requirement also covers Personal Data held on backups and anyone accessing Personal Data remotely. If the vendor is not able to guarantee this, the software or service should not be used.
- Does the vendor offer an appropriate set of administrative, technical, and physical safeguards to protect the types of information that will be Processed by the software or service? Consider the Protection Level and Availability Level classifications of the information, as well as the risks to the university or Data Subjects if the data were lost, damaged, or disclosed to unauthorized persons.
Once a product has been tentatively selected for purchase, an Information Security Risk Assessment must be performed to confirm the details of the vendor's security posture. Contact the Information Security and Privacy Office to arrange for an assessment to be performed.
If the software or service will be used to Process Personal Data, a Data Protection Impact Assessment (DPIA) may need to be performed.
Contact the Information Security and Privacy Office for assistance in determining whether a DPIA is needed and, if so, to arrange for one to be performed.
If the software or service will be used to Process Personal Data, the vendor must agree to sign an appropriate data protection agreement or data processing agreement (usually an addendum to the main contract). The standard contract terms and conditions and privacy policies of most cloud service providers are not normally sufficient by themselves to protect New School Personal Data. The New School prefers to use its own Data Processing Addendum for this purpose but will, in some circumstances, be willing to accept the vendor's DPA in its place.
Before sending any Institutional Information to the vendor, the appropriate approvals must be obtained.
- All relevant Data Owners must approve any transfer of datasets containing Institutional Information they are responsible for to the vendor.
- The Office of the General Counsel must approve the contract for the software or service, and the contract must be signed by an authorized person.
  Only senior managers of the university (president, provost, executive vice president, deans, and officers) have the authority to sign contracts and related documents, and then only after they have been reviewed and approved by the Office of the General Counsel.
- The Procurement Department must approve the vendor as a university supplier.
- Standard for Information and System Classification
- Standard for Security and Privacy Risk Management
| Jul 2020 | D. Curry |
Parts of this guideline are adapted from the University of Edinburgh’s guidance on third party software applications and services, the contents of which are used with permission.