Digital Systems and Cloud Services Policy

This document sets out the Dublin City University (DCU) Policy for evaluating Digital Systems and Cloud Services (also known as “Cloud Computing” or “Cloud”). 

The policy is a statement of DCU’s commitment to ensuring that all its legal, ethical and policy compliance requirements, including cybersecurity needs are met in the procurement, evaluation and use of all digital systems and cloud services. 

Who does this policy apply to?

This Policy applies to all staff of the University, both academic and support, including campus companies and research centres.

What data and information does this policy apply to?

This policy applies to all University data and information including, but not limited to, personal data, sensitive personal data (or special categories of personal data) and confidential business data and information.

Ownership & Implementation

Whereas this Digital Systems and Cloud Services Policy document is owned by the University, it will be maintained by the Director of Information Systems Services on behalf of the University. Compliance with this Policy will be monitored by the IS Governance Committee supported by ISS. A completed checklist, as outlined in Appendix A, must be submitted to ISS for review and/or consultation. ISS will keep a record of all checklists submitted and report to IS Governance Committee as required.

Policy

The steps involved in procuring and evaluating digital systems and cloud services can be complex and subject to legal, ethical and policy compliance requirements. These requirements, outlined below, must be evaluated and met prior to using such services.  This is essential to ensure that personal, sensitive and confidential business data and information owned, controlled, or processed by the University, its staff, students and its agents is adequately protected at all times. 

1. Procurement

The purchasing of all digital systems and cloud services, including cloud services must comply with relevant university procurement policies and procedures. Those involved in the purchase of digital systems and/or services should be cognizant of the risk that purchases by different University units of the same digital system and/or service may inadvertently result in procurement thresholds being breached.

2. Data Protection

The General Data Protection Regulation (GDPR), and related legislation, requires that Data Controllers such as DCU meet significant obligations with regard to how personal data is collected, used and protected. All digital systems and cloud services used to process personal data or information must allow the University to meets those obligations. The University Data Protection Unit should be consulted prior to any new system and/or service implementation. In particular, regard should be given to the possible requirement for a Data Protection Impact Assessment (DPIA) in addition to a comprehensive Data Processing Agreement duly reviewed by the University Data Protection Officer (contact: data.protection@dcu.ie) prior to signing.

3. Approval to use University data

Where a digital service is proposed to host University data or information, appropriate written sign-off must be received from the data or information owner.

4. System / Service Security

Notwithstanding any assurances given by a system vendor as part of any data sharing agreements or vendor literature, all digital systems and cloud services must be thoroughly reviewed to ensure that best industry practice is employed to ensure system or service security.

5. Interoperability

The University places great emphasis on the need for integration and interoperability of systems.  These requirements must be considered and documented as part of any service evaluation.  ISS must be contacted at evaluation stage for advice where data from a proposed cloud service is required to integrate with a University system.  Where integration is required, all University Policies, Guidelines and Procedures must be adhered to.  The prioritisation of projects must be considered as part of service planning.

6. Disaster Recovery / Business Continuity

The service must be selected to ensure that the data and information is secure at all times and that an adequate backup and recovery plan is in place to ensure that data and information can be retrieve in a timely manner to meet business needs.  For more critical systems, the service must be built with high availability, with a business continuity and disaster recovery plan that fits business needs.  ISS must be contacted for advice and sign-off in advance where a cloud services/hosting is being considered to provide a business critical IT system.

7. Vendor Management and Governance

Effective vendor management and governance is key to ensuring that the University derives the best value and service from its investment in digital systems and cloud services. All new and existing vendors of digital systems and cloud services should be subject to ongoing assessments in the areas of contract, financial, performance, relationship and risk management.

The appendices (Apx. A & Apx. B) to this document are intended to assist staff in ensuring that the legal, ethical and policy compliance requirements are met. Where doubt exists in answering the questions outlined in the appendices, staff should seek advice from the appropriate area of the University e.g. ISS, Procurement Unit, Data Protection Unit etc.

This Policy applies to all staff and students and to all agents or organisations acting for, or on behalf of, the University in the evaluation, procurement or use of digital systems and cloud services. In order to comply with this Policy, the individual or agent must ensure that all criteria outlined in this Policy have been met and submit their checklist (Appendix A – Digital Systems and Cloud Services Checklist) to ISS for review/record and DCU Procurement Unit as required, so the service can be evaluated.  In certain instances, the submitted checklist may be submitted to the IS Governance Committee for review.

Legal and policy basis

The procurement, evaluation and use of Digital systems and cloud services must;

• Comply with all existing University Policies;
• Adhere to data protection legislation and the General Data Protection Regulation (GDPR);
• Respect the intellectual property rights of others and not breach copyright when using cloud services;
• Meet University Accessibility Requirements; &
• Comply with the relevant professional ethics and the University code of ethics. Where ethical issues arise in the use of digital systems or cloud services, the guidance of the University’s Ethics Committee must be sought in advance.

Further clarification on this policy can be sought from the Director of ISS.

The Director of Information Systems Services (ISS) will draft necessary changes and have them reviewed and approved by the IS Governance Committee as appropriate. Anyone in the University can determine the need for a modification to the existing policy. Recommendations for changes to this Policy should be communicated to the Director of ISS. This policy should be reviewed annually.