Interim Guidelines for the Use of Cloud Services on UAB campus
UAB IT is offering interim guidance to members of the UAB campus community who wish to use “cloud” applications and services available on the Web, including file storage, web conferencing and content hosting. These tools, which we collectively refer to as “cloud computing”, should be fully understood before they are used.
Additional policies, recommendations and guidance for the use of specific products will be coming in early 2015.
Interim Guidelines for the use of Cloud Services at UAB
Cloud computing is the array of Internet-based services, often available to the public, for gathering, storing, processing and sharing information. Some cloud services, such as those offered by Apple, Microsoft or Google, may be free to end users. For the general user who wants a convenient, Internet-based solution for storing or sharing personal information, cloud computing may provide a reasonable option. University departments seeking such services need to be aware that all services must adhere to UAB policy and standards as well as confidentiality laws. Cloud providers typically require users to consent to their Terms of Service, frequently via a “click-through” agreement, which is a legal contract between you and the provider. Faculty, staff and students are not authorized to enter into legal contracts on behalf of UAB and may not consent to click-through agreements for the purposes of university business, even if the agreement is a no-cost subscription.
Individuals should not approve/click through on these agreements as they may be personally responsible in any legal actions related to the services. To better ensure compliance with all University policies and guidelines, you should submit all agreements through the proper approval process. It is also best not to subscribe to any cloud service using personal information or payments and then request reimbursement as the agreement would then not be between the vendor and UAB. More information about cases in which personal subscriptions are absolutely required is on the last page.
Storage and transmission of sensitive information should be limited to cloud computing resources protected by the University’s physical, technical and/or administrative processes for safeguarding data. When considering cloud computing services that may be entrusted with University data, work with UAB IT security staff to help understand and navigate issues of security and confidentiality. In the event the service is being purchased, legal, purchasing, risk management and other offices (per UAB policy)* will also need to be engaged to review and negotiate contracts and/or determine liability. Some data comes with licensing or other usage agreements that need to be known and followed. These can include software, commercial data products or information received by virtue of partnerships. Potential problems with non-University-approved applications/services include:
• Terms of Service from many providers include provisions about who owns intellectual property rights when content is created or uploaded to the application or service that may confuse intellectual property ownership claims. Note, also, that cloud computing providers may reserve the right to change their Terms of Service at will.
• Security of data uploaded to Internet services is rarely guaranteed. “Free” services frequently depend on data aggregation and data mining about users to attract advertising revenue. The privacy and/or security of that data is then potentially at risk. State and federal law mandate protection of sensitive information such as health information, student data, Social Security numbers and credit card information.
• All UAB business and educational records are subject to public records law, regardless of where they are stored. However, many providers assume no responsibility for archiving content or ensuring availability, which places the burden on the user to ensure availability and may inadvertently lead to violations of public records law. All records should be retained according to the University’s record retention schedule. See UAB’s Records Retention Policy link on the last page.
Best Practices for Using Cloud Computing
Sensible practices apply when using any Web application. Some that should be considered are:
- Remember that many UAB images and symbols are owned by the University and not freely available for reproduction. Review and understand UAB’s policy on branding.*
Security and Privacy
The integrity, availability and maintenance of appropriate confidentiality of institutional data is critical to UAB’s reputation and to minimizing exposure to legal and compliance risks. Much of the challenge in deciding whether cloud computing is desirable and appropriate for an institution is determining whether a prospective cloud provider has adequate physical, technical and administrative controls and safeguards in place that are as good as or better than the local on-campus systems. UAB’s current Data Protection and Security Policy requires that all sensitive data must have a “data custodian” and that the “data custodian” is responsible for protecting such data. For UAB, sensitive data includes (but is not limited to) individually identifiable information, Social Security numbers, credit card numbers, driver license numbers, protected health information, proprietary research data, privileged legal information, and data protected by law, such as student and patient records.
- Ensure data is removed/deleted from the cloud service when no longer required.
- Never divulge information that the University has classified as “restricted” on the Web, including storing it in the cloud, without University-approved agreements in place. Examples include protected health information, Social Security numbers, credit card information and driver license numbers.
- Comply with FERPA requirements to protect student privacy. Do not place grades or evaluative comments on Web sites. Contact the Office of the Registrar at 934-8222 for assistance interpreting FERPA.
- Never use personally identifying information without explicit permission, unless the University has classified the information to be public, for example, in the University Directory.
- Ensure that all records — whether instructional, administrative or research — are retained according to the records retention schedule. See UAB’s Records Retention Policy.*
- Ensure that applications or services are accessible to all. See UAB’s Web Accessibility information.*
- Back up materials regularly to ensure that records are available when needed, as many providers assume no responsibility for data recovery of content.
- Communicate the business need and risk to management before using any cloud service or tool.
- Don’t use personal cloud subscriptions to store/host UAB data.
So, how does this impact me?
Failure to properly understand and manage cloud computing relationships can result in significant institutional and individual liability, including criminal charges. It is essential that you seek review of any contract or agreement for services according to UAB Policy.* As a member of the University community, be aware of the sensitivity or conditional uses of the data you generate, have access to, or receive. Should you ever need to store or share University information in a manner not currently provided within the University’s computing environment, always consider its sensitivity before doing so. It is everyone’s responsibility to take privacy and security into consideration when making decisions about the use of any service (free or paid).
Guidance for use of a free or paid personal cloud subscription for which UAB has not executed an agreement with the provider:
As a general statement, and without an appropriate agreement directly with UAB, cloud services cannot be subscribed to or used, nor reimbursement made, if the service is used to host, store, transmit or otherwise process any information or data that is classified (or should be classified due to the nature of the information/data) as HIPAA (patient), PHI (protected health information), PII (personally identifiable information), FERPA (student) or other such protected or sensitive data such as Social Security numbers, credit card numbers, proprietary research data, privileged legal information, data protected by law, etc. Individuals requesting reimbursement for any personal subscriptions must sign an affirming statement satisfying the above restrictions.
Guidance on when you could subscribe or utilize cloud services:
Until more formal policies are in place, UAB IT recommends that, unless absolutely necessary from a business perspective and appropriate approvals are obtained, all data remain on UAB-owned systems on campus. UAB IT offers researchers 1TB of free storage space that allows sharing of files between individuals with the appropriate access; contact AskIT for more information. If the only way to conduct your business/research requires the use of cloud (non-UAB) services such as Dropbox, Sugarsync, Rackspace, Amazon, etc., you should first attempt to route a contract through the normal UAB process* for approvals to ensure adequate risk mitigation, data ownership certification, and billing (if any) directly to UAB. If the vendor allows only individual subscriptions via a credit card or provides a free service where they will not allow changes to any agreements and/or only accept click agreements, you can utilize such services, but only to the extent no sensitive data is involved. You will be required to sign an affirming statement as part of any request for reimbursement.
What if I have questions or need extra help?
If you have questions or need additional guidance, please contact UAB IT (firstname.lastname@example.org), UAB Contracts
* Relevant Campus Documents and Policies
Contract Policy: http://financialaffairs.uab.edu/content.asp?id=196557
Confidentiality Policy: http://www.uab.edu/policies/content/Pages/UAB-AD-POL-0000090.aspx
Records Retention Policies: http://www.uab.edu/policies/content/Pages/UAB-AD-POL-0000708.aspx
Minimum Web Accessibility Standards: http://www.uab.edu/accessibility/
Policy on Patents and Copyright: http://www.uab.edu/policies/content/Pages/UAB-RA-POL-0000035.aspx
Human Research Protection Program: http://www.uab.edu/policies/content/Pages/UAB-RA-POL-0000273.aspx
Data Protection and Security Policy: http://www.uab.edu/policies/content/Pages/UAB-IT-POL-0000038.aspx
Brand/Web Standards: http://www.uab.edu/brand/home/
HIPAA Policies: http://www.uab.edu/policies/Pages/UAB-HIPAA-Core-Policies.aspx