Skip navigation to content

Storing University Information in the Cloud

Cloud computing can be defined as "Using a network of remote servers to store, manage and process online data". It is becoming an increasingly popular way to work with files – people do not need to carry the files that they need to use wherever they go, or email these to themselves; collaborative working is more convenient and easier to manage.

However, there are a few negative aspects with this type of working:

  • It is important to know where information is stored. Cloud computing providers can store information overseas. If the information is not stored within the European Economic Area (“EEA”) then is unlikely that files will be subject to the high level of privacy protection that EU law provides. Normally, personal information must, by law, be stored within the EEA. If this is not possible, then specific contractual arrangements must be put in place.  
  • Cloud computing allows files to follow a user across the range of devices that they use. There is a risk that information that should be kept confidential becomes available to others who have no right of access. This is a concern where information is available from a device that is not under the University’s ownership or control. 

The services offered by cloud providers and how they manage the data they process is, by their very nature, outside the control of the University. Unless the University has a contract with the service provider (as is the case with Microsoft Office 365), this presents a significant risk in terms of the University being able to protect privacy and remain complaint with Data Protection Act 1998. When planning to place information into the Cloud, particular care has to be taken:

  • Sensitive Personal data for which the University is responsible for i.e. details about a person’s health, sex life, religious beliefs, membership of a trade union, or ethnicity cannot under any circumstances be placed into the Cloud; and
  • Personal data must not be placed into the Cloud, where the Cloud service is synchronised and can place that information onto a device that is not under the ownership or control of the University.  It is your responsibility to ensure that where systems can synchronise data automatically with Cloud service storage that information is not placed onto a device out with the University’s control.

The document Use of cloud computing services with university information and data provides more details on what University information can and cannot be placed into the Cloud.

If your account for a cloud service becomes compromised and you have used that service to process any University data (personal or otherwise) you must immediately change your password that provides access to the Cloud service. You must also brief your line manager as to what information may have been compromised.

 

For more information please see the Cloud Computing Guidance (PDF, 369 KB)

Quick answers

See if your question is answered in our quick answers.

Contact the IT Service Desk

Log a call using IT Self-Service

itservicedesk@st-andrews.ac.uk
(01334 46) 3333
 Message us on Skype for Business
(Mon - Fri, 09:00 - 17:00)

Level 2
University Library
North Street
St Andrews
Fife KY16 9TR

Opening Hours
Mon - Fri
: 08:30-18:00
(front desk support
from 09:00)

Sat: 10:00-17:00
Sun: 11:00-18:00

The IT Service Desk is closed
for staff training on Fridays
between 09:30 and 10:30