Legal, regulatory, contractual, or funding agency requirements
Consider whether legal, regulatory, contractual or funding agency requirements apply. Is the data subject to legal, regulatory, contractual, funding agency or other privacy and security requirements, including:
- FERPA (Family Educational Rights and Privacy Act) – privacy of education records
- HIPAA (Health Insurance Portability and Accountability Act) – medical insurance information privacy and security
- PCI DSS (Payment Card Industry Data Security Standard) – credit card security
- GLBA (Gramm-Leach-Bliley Act) – privacy of financial account information
- Other laws and regulations?
- Does the contract or funding agency require contractual protections with any outsourced cloud provider? Is sending data to third parties permissible?
- Is the data subject to export restrictions that require the information to remain in the US – e.g., ITAR (International Traffic in Arms Regulations)?
- Are there jurisdictional issues with where the data must reside? For example, if the data are physically stored in another country, there may be legal implications: whose laws would apply, and is there a risk of the government’s access to the data?
If the information to be processed or stored in a cloud-based solution is subject to legal, regulatory, contractual or funding agency requirements, a cloud-based service may be appropriate, but it must be governed by a contract that is negotiated between the University and the provider. For example, it is not appropriate to store data regulated by the Health Insurance Portability and Accountability Act (HIPAA) or the Family Educational Rights and Privacy Act (FERPA) on Dropbox.com or other cloud services without a contract negotiated by the University.
It may not be appropriate to use commercial cloud providers for certain research applications.
- Human subject research may involve the collection of private information or a promise of privacy or confidentiality to research participants. Do not assume that Dropbox.com—or any cloud provider—is a secure environment for such data.
- For financial reasons, many cloud providers locate some of their servers outside the United States. Because you do not know the physical location of the servers on which a provider stores your information, you should exercise caution if any of the information you store in the cloud is subject to any international or export restrictions.
- Research data with restrictions on export or the participation of foreign nationals (e.g., ITAR), restrictions on publication (prior approval or prior review), or restrictions imposed by non-disclosure agreements should not be stored on a commercial cloud service, including GoogleApps @UDel.edu.
The contract must include terms and conditions to address all legal, regulatory, contractual and/or funding agency privacy and security requirements. Review the terms and conditions that are typically used in cloud/hosted provider contracts. In addition, the cloud service provider’s privacy and security safeguards required to comply with applicable laws, regulations and contracts must be reviewed.
Also, depending on the information, e-discovery may need to be considered. Can the information be retrieved for legal discovery, investigative or compliance reasons, should they arise? What is the cloud vendor’s policy for responding to e-discovery requests? What will/won’t the cloud vendor do in the event of e-discovery?
Next step: Cloud service provider due diligence

