Selecting cloud solutions

Selecting cloud solutions to support teaching, learning & research

When looking for opportunities to introduce a cloud solution to support teaching, learning and/or research, many things need to be considered before using a cloud solution – privacy, information management and protection, and legislative compliance to name a few. When considering teaching and learning technologies, the Centre for Innovation in Teaching and Learning (CITL) should be consulted first to assist with finding the right tool(s).  

When considering research technologies, submit a Research IT Request first to see if there’s a solution already available to you that meets your needs. Information from researchers will be reviewed by a research IT advisory group to connect researchers with research IT services as well as to identify gaps in services.  

 If a suitable technology is not available, the Office of the Chief Information Officer (OCIO) has established an IT Governance and Collaboration Framework to support the university community in selecting the right tools for its specific needs. An IT Investment Proposal is the first step to initiate that process. The primary benefits for availing of this process are: 

  • Each proposal is reviewed to determine if the same or similar IT solution is already licensed at the university before new solutions are acquired or created. There is the potential to save time and money.
  • Solutions receive a thorough review by the Office of the CIO and Office of General Counsel. Technologies identified in an IT Investment Proposal receive priority over requests to review technologies that do not go through the IT Investment process.
  • Solutions are reviewed to determine the complexity and potential challenges of implementing – determining compatibility with the University’s network, systems, etc.
  • As proposals are reviewed by the appropriate committee(s), it is common for other areas of the University to have a similar need. There are opportunities to cost share.

Should an employee choose to use/procure a cloud solution outside of the IT Governance and Collaboration Framework, the following advice/considerations are offered: 

Prior to Purchasing 

1.      Visit the company website to identify where it is headquartered, where it will store your data, and its business affiliations. Try to find out the locations of the company’s production servers, data backups, and disaster recovery. Avoid a company that refuses to tell you where its servers are located. 

2.      Look for articles about the company and reviews of its product from reputable sources and, in particular, articles and reviews about its privacy and security practices. Avoid vendors that have been found by regulatory authorities to be guilty of privacy or security breaches. 

3.      Look for the company’s compliance with security and regulatory standards depending on the nature of the cloud service and the type of information being collected/processed: 

General/baseline security best practices – ISO/IEC 27001 (focused on information security), ISO/IEC 27017:2015 (information security in the cloud), ISO/IEC 27018:2019 (protection of personally identifiable information in the cloud), System and Organization Controls (SOC 2) Reporting. 
Personal information - General Data Protection Regulation (GDPR). While specific to the collection/processing of personal data of European Union citizens and residents, it identifies a vendor that is compliant with a regulation focused on the handling/use of personal information. 
Personal health information - Health Insurance Portability and Accountability Act (HIPAA) – while this is a US based Act, many vendors aim for compliance as it sets standards for those handling electronic personal health information. 
Credit card information - Payment Card Industry Data Security Standard (PCI DSS) is MANDATORY if the vendor will be collecting/processing credit card information. 

4.      Review the Privacy section to learn what information about your users and you that the company will collect, how it will use and disclose the data you and your users provide and generate, how data will be protected, use of your data for company purposes, and who you can contact if you have questions. If the Privacy policy only addresses information collected through website use, e.g., use of cookies and/or beacons, and does not address collection, use, disclosure, protection, etc. of the data generated through use of the product, avoid using the vendor. Some additional items to consider regarding a vendor’s service model: 

  • FREE - The company likely uses and retains your data and your users’ data to generate revenue through advertising, data mining activities, analytics, and/or its sale. 
  • NOMINAL FEE OR LOW INTRODUCTORY FEE - The company generates some revenue through fees charged but most likely also uses and retains your data and your users’ data to generate revenue through advertising, data mining activities, analytics, and rent or sale. 
  • COSTLY - The company more likely relies on user fees as its revenue engine but still review how your data and your users’ data will be used. 

5.      The Terms of Use section contains the nitty gritty legal information. This represents your/Memorial University’s contract with the vendor. Be wary of terms of use that contradict promises in the Privacy policy. Does the vendor share data with third parties? Use data for purposes other than providing the service to you? What are your ownership rights to your data? Your responsibilities as a client? Your users’ responsibilities? 

A vendor’s use of your/your users’ data for its own purposes does not have to be a game changer if 

  • the company fully anonymizes your data before using it for its own purposes – this will be in its Terms of Use
  • you minimize the data shared by you and your users, and
  • you/your users maximize the privacy settings that you can control

6.      Ensure your acquisition of services complies with the university’s Contract Administration policy and consider consultation with the university’s Office of General Counsel

7.      Ensure that the vendor guarantees that your data can be permanently purged from its server(s), including backups, at the end of the contract and if required, a copy provided to you in a usable format. 

Upon Implementation 

8.      Look at the privacy/security settings. Set the default settings to the highest level of security. In the event privacy settings are left to the user, they should be clearly instructed to do the same. You and your users should turn off tracking features. Turn off audio and video recording features, unless you have an operational need to do so. 

9.      Provide as little personal information as possible. Avoid the use of unique identifiers like student numbers, dates of birth, home addresses, telephone numbers, or anything else that can be matched with other information that identifies who an individual is.

10.     Enable multifactor authentication, if it is an option in the application. 

11.      Regularly delete records (including recordings) that are not required to be retained, if possible. 

Upon Termination of Service 

12.     Once you no longer require the service, export a copy of your data (if required) and request your data be purged from the vendor’s servers, including backups, and request written confirmation from the vendor that the purge has been completed.