Legal, regulatory, contractual, or funding agency requirements

Consider whether legal, regulatory, contractual or funding agency requirements apply. Is the data subject to legal, regulatory, contractual, funding agency or other privacy and security requirements, including:

If the information to be processed or stored in a cloud-based solution is subject to legal, regulatory, contractual or funding agency requirements, a cloud-based service may be appropriate, but it must be governed by a contract that is negotiated between the University and the provider. For example, it is not appropriate to store data regulated by the Health Insurance Portability and Accountability Act (HIPAA) or the Family Educational Rights and Privacy Act (FERPA) on Dropbox.com or other cloud services without a contract negotiated by the University.

It may not be appropriate to use commercial cloud providers for certain research applications.

The contract must include terms and conditions to address all legal, regulatory, contractual and/or funding agency privacy and security requirements. Review the terms and conditions that are typically used in cloud/hosted provider contracts. In addition, the cloud service provider’s privacy and security safeguards required to comply with applicable laws, regulations and contracts must be reviewed.

Also, depending on the information, e-discovery may need to be considered. Can the information be retrieved for legal discovery, investigative or compliance reasons, should they arise? What is the cloud vendor’s policy for responding to e-discovery requests? What will, and will not, the cloud vendor do in the event of e-discovery?
