We’ve looked at clouds from both sides now

No one can deny that cloud services offer the most affordable solution for file storage. But what about when it comes to Institutional data? The security of data in the cloud depends on the terms of service offered by the provider, and not all cloud services are equal. Because McGill has a responsibility to protect institutional data, the Cloud Data Storage Directive was born.

Not all file storage services are created equal

By Gabrielle Krim

No one can deny that cloud services offer the most affordable solution for file storage. Never before has our consumption of video and audio been higher and we seem to have an insatiable need for more storage space. The packrats among us are no doubt thrilled about the virtually limitless and often free space provided by the cloud – it’s like having a spare room in a magic dimension that lets you keep as much as you like without seeing the mess.

And let’s not forget the convenience of being able to access our data from anywhere, on virtually any device that’s Internet-enabled. Yes, these benefits are all well and good for personal files, such as family vacation photos, music and cooking recipes, but what about when it comes to Institutional data? The security of data in the cloud depends on the terms of service offered by the provider, and not all cloud services are equal.

McGill has a responsibility to protect institutional data. Ghilaine Roquet, McGill’s Chief Information Officer, is very much aware of this duty. When negotiating McGill’s contract with Microsoft for Office 365, including OneDrive for Business cloud storage, she made sure it would guarantee the protection of Intellectual Property and would comply with data privacy laws of Quebec and Canada.

McGill has known for some time that faculty and staff were using self-acquired cloud services both for personal use and to collaborate with colleagues across the globe. While we were preparing to provide faculty and staff with OneDrive for Business cloud storage – available since April 2015 – “we knew we needed to give the community some guidance on what institutional data should be hosted where. The Cloud Data Storage Directive was born out of this need,” Roquet said.

The Cloud Directive identifies different types of institutional data – Regulated, Protected, and Public – and dictates which types can be stored in self-provisioned cloud services, such as Google Drive and Dropbox, versus McGill-provisioned cloud services, such as OneDrive for Business.

The main points of the Directive can be summarized as follows:

  • Regulated Institutional Data is data regulated by laws or governing bodies, for example personal information, student records, medical records, bank/credit card data, and the like. These cannot be stored in self-acquired/consumer-level cloud services, nor in the current OneDrive for Business offering.
  • Protected Institutional Data includes data that should remain internal to McGill, but is not regulated by laws. This category includes material such as operation procedures, project documents, etc. This type of data may be stored in a McGill-approved cloud service, e.g., OneDrive, as long as the master copy of the data resides on McGill premises, in a system that is backed up regularly. It may not be stored on self-acquired cloud services (see exception below for Research).
  • Research Protected Institutional Data may also be stored in a self-acquired cloud service, as long as the user has performed due diligence to ensure the security of the data.
  • Public Institutional Data is data that is already in the public domain, for example available on public Internet sites, journals, television, etc. This type of data can be stored in self-acquired or McGill-provisioned cloud services.
  • If you are currently storing any institutional data in a self-acquired cloud service, it must be removed or migrated to a McGill-approved cloud service.
  • McGill’s Content Management System, Documentum, is an appropriate on-premises file storage solution for master copies of all institutional data.

While it’s important to keep McGill Institutional Data out of cloud services that are not secure, the Directive also aims to ensure this data does not end up on local computers and other devices that could potentially be compromised. To avoid this situation, the Directive states that if Regulated or Protected Institutional Data is stored in the cloud, it may only be synced to McGill-owned, password-protected devices. This restriction does not apply to apps that allow access to cloud data while connected, without storing a copy on the device, as long as the communication channel is encrypted.

The best way to make use of cloud storage services while keeping institutional data safe is to understand and follow the Directive. The official version of the Directive can be found on the Secretariat’s website.

Additional Resources:

Cloud data storage companion document – includes the text of the directive, with examples and comments

Videos on the Cloud Data Storage Directive and cloud computing security awareness

OneDrive cloud storage service