Cloud Computing Guidelines for Teaching, Administrative Support, and Research

Defines leading practices for secure use of cloud computing applications

Download PDF version

February 2010

This document provides guidance to members of the Ohio State University community who wish to use applications and services available on the Web, including social networking applications, file storage, and content hosting. These tools, which often reside on complex, dynamic networks, are collectively referred to as "cloud computing."

I. Internet Applications at Ohio State

Internet application and service providers may require users to consent to their Terms of Service, frequently via a "click-through" agreement, which is a legal contract. Faculty, staff, and students are not authorized to enter into legal contracts on behalf of OSU and may not consent to click-through agreements for the purposes of university business. If individuals approve these agreements, they would be personally responsible in any legal actions related to the services.

Ohio State provides a variety of applications and services that support instructional, administrative and research activities by faculty, staff and students while meeting Ohio State's guidelines. Ohio State may have agreements with specific vendors or offer university-hosted solutions that meet your needs. Check OSU Site License Software for a list of existing campus agreements and services.

II. Challenges with Cloud Computing

Applications and services that are not purchased or licensed by Ohio State "” including those freely available on the Internet, such as popular social media sites "” may not meet university standards for user privacy, security, intellectual property protection, and records retention.

Potential problems with non-university approved applications include:

Intellectual Property and Copyright

Terms of Service from many providers include provisions about who owns intellectual property rights when content is created or uploaded to the application or service that may confuse intellectual property ownership claims.

Note, also, that cloud computing providers may reserve the right to change their Terms of Service at will.

Privacy and Data Security

Security of data uploaded to Internet services is rarely guaranteed. "Free" services frequently depend on data aggregation and data mining about users to attract advertising revenue. The privacy and/or security of that data is then potentially at risk.

State and federal law mandate protection of sensitive information such as student data, social security numbers and credit card information.

See OSU Policy on Institutional Data and OSU Policy Concerning Privacy and Release of Student Records.

Data Availability, Accessibility and Records Retention

All Ohio State business and educational records are subject to public records law, regardless of where they are stored.

However,many providers assume no responsibility for archiving content or ensuring availability, which places the burden on the user to ensure availability.

Additionally, OSU is committed to ensuring that information,including any materials provided through Internet applications and services, meet reasonable standards of accessibility for all.

Ohio State also requires that instructional, administrative, and research records be retained according to the university's record retention schedule. See OSU Records Retention Policies.

III. Best Practices for Using Cloud Computing

Sensible practices apply when using any Internet application.

Intellectual Property and Copyright

  • Remember that many OSU images and symbols are owned by the university and not freely available for reproduction. Review and understand OSU Policy on Patents and Copyright.
  • Remember that students, except in a limited number of circumstances, own their work.
  • Ensure that students understand appropriate use of copyrighted materials, particularly when content is publicly available.

Privacy and Data Security

  • Never divulge information that the university has classified as "restricted" on the Internet. Examples include social security numbers, credit card information, and driver's license numbers. See OSU Policy on Institutional Data.
  • Comply with FERPA requirements to protect student privacy. Do not place grades or evaluative comments on Internet sites. Contact the Office of the Registrar at 292-9330 for assistance interpreting FERPA. See OSU Policy Concerning Privacy and Release of Student Records.
  • Never use personally identifying information without explicit permission, unless the university has classified the information to be "public," for example, in the University Directory ("Find People").

Data Availability and Records Retention

  • Ensure that all records "” whether instructional, administrative, or research "” are retained according to the records retention schedule. See OSU Records Retention Policies.
  • Ensure that applications or services are accessible to all. See OSU Minimum Web Accessibility Standards. Contact the Web Accessibility Center at 292-1760 for assistance evaluating a tool or service.
  • Back up materials regularly to ensure that records are available when needed, as many providers assume no responsibility for data-recovery of content.

IV. Relevant Campus Documents and Policies

Additional Tips

Tips for Instructors

  • Communicate the issues, conditions, and risks associated with any tool you choose at the beginning of the academic term, preferably in the syllabus. This allows students who object to withdraw from the course or to request alternate assignments or other solutions. However, be sensitive to the fact that withdrawal may not be possible if the course is required, the course is offered in a sequence, the course is not offered regularly, or the course is only offered by one instructor.
  • Restrict online access to student content as much as possible within the context of your instructional goals. In general, coursework conducted online should always be restricted to members of the course.
  • Always require students to use aliases when creating accounts, particularly if access to student work is public. Also, prohibit use of the OSU Internet name and password as an alias.
  • Never include personally identifying information about yourself or your students in content or in profile information online.

Tips for Researchers

  • Communicate the issues, conditions, and risks associated with any tool you choose to use in the research process. This allows a potential participant who objects to withdraw from the study or to request alternate solutions.
  • Always require participants to use aliases when creating accounts, particularly if access to research is public.
  • Never include personally identifying information about yourself or your participants in online content or in profile information.
  • Delete participant data when no longer required.

Tips for Administrators

  • Clearly define organizational roles and responsibilities in creating a public presence for your unit.
  • Remember that faculty, students and staff may not speak for the university.
  • Set expectations with staff for online conduct.
  • Manage your social media presence strategically and review it regularly.