Cloud Computing and ECU Data
ECU data cannot be stored external to the university network (in the “cloud”) without the proper authorization and approval of the department head, data owner, and CIO (Chief Information Officer).
What is Cloud Computing?
Cloud computing is the delivery of hosted services over the Internet. One example is data storage using an outside company’s servers and hardware. Software hosting is another use. A cloud service can be public (see the examples below) or privately-hosted on a company’s internal network.
Examples of some popular public cloud services include:
- Amazon Cloud Drive
- Google Mail cloud services
- IBM Big Blue cloud platform
- Dropbox file storage/sharing
- Microsoft Live
- sponsored research programs
Why Do I Need Authorization?
Examples of Educational Cloud Tools and Services
- Educational assessment tools
- Clicker-type response apps
- Screen capture recording software or app
- Educational games
- File storage
- Drop Box
- Student presentation tools
- Student portfolios
- Collaboration tools including blogs, wikis and journals
- Note taking apps
- Personal email accounts (Gmail, Hotmail, Yahoo, etc.)
- Any other tool that stores student data external to ECU
How Does This Affect Me?
If you store ECU data externally with a service provider who utilizes a non-ECU IT infrastructure with resources that are not maintained, owned or managed by ECU-like the example services above- you must remove that data from this service and store it in ECU-maintained network storage or ECU Exchange.
What ECU Storage is Available?
ECU provides an Office 365 subscription for full-time staff and enrolled students. This subscription includes OneDrive for Business cloud storage approved for storage and sharing of general research and academic information (e.g., FERPA but NOT SSN). OneDrive is not approved for storage of sensitive data, including but not limited to protected credit information, social security numbers, protected health information, identifiable human subjects data, and data covered by nondisclosure agreement or otherwise restricted from dissemination by extramural sponsors and partners. When approved by the Institutional Review Board, de-identified human data may be stored on OneDrive.
ECU provides Piratedrive , a 40GB storage solution on ECU’s network to all students, faculty and staff; departments can also request a 50GB piratedrive folder for sharing group projects.
Contact the IT Help Desk at 252-328-9866 or 1-800-340-7081 to request storage or a consult to find the most efficient storage method for your data.
Are There Guidelines?
- All cloud computing services shall be approved by the Chief Information Officer (CIO) or designee prior to purchase
- All cloud computing service contracts must be reviewed by ECU Materials Management
- No confidential data shall be placed in the cloud without department head, data owner and CIO approval
- ECU ensures that individuals with disabilities have access to reasonable accommodation and services and adheres to the requirements and philosophy of the Americans with Disabilities Act (ADA) and Section 504 of the Rehabilitation Act of 1973. Technology must meet ADA requirements. To ensure the cloud technology you are considering meets ADA requirements, please consult with the Department for Disability Support Services prior to purchase or use. For consultation, call 252-737-1016 or email email@example.com.
If you have data stored externally, contact the IT Help Desk to request a consult in how best to move the data back onto ECU approved storage.
How About Privacy and Data Security Best Practices?
- Never divulge information on the Internet that the university has classified as confidential. Examples include social security numbers, credit card information, and driver’s license numbers
- Comply with FERPA requirements to protect student privacy. Do not place grades or evaluative comments on Internet sites. Contact the Office of the Registrar at 252-328-6747 for assistance interpreting FERPA
- Comply with HIPAA privacy and security rules to protect PHI. Never place HIPAA data on internet sites. Contact the HIPAA Office at 252-744-5200 for assistance interpreting HIPAA rules.
- Never use personally identifying information (PII) without explicit permission, unless the university has classified the information to be public. For example, in the university directory (“Search People”)
- Ensure that the cloud computing service provider can meet and will agree to the requirements in the ECU Data Compliance Document. Prior to selecting the provider, contact the ITCS Help Desk at 252-328-9866 for assistance.
- Never agree to terms and conditions for a cloud service to store, transmit, process or back up ECU information. Binding contracts can only be signed by authorized university officials
- Schedule an ITCS review at 252-328-9866 prior to making a decision to use a cloud computing service provider
Are There Data Availability and Records Retention Best Practices?
- Ensure that all records-whether instructional, administrative or research-can be retained in the cloud solution as specified by the records retention schedule. See ECU Data Retention Schedule
- Ensure that the cloud service provider meets the unfettered access requirement by consulting with Materials Management and request that the hosted services compliance memorandum of understanding be included in the contract prior to acceptance
- Ensure data backup requirements are documented into the contract and include a tested recovery plan to ensure records are available when needed, as many providers assume no responsibility for data-recovery of content
- If you perform your own data backup, ensure procedures are documented and tested, and the same security controls are included in the backup solution