Defines leading practices for secure use of cloud computing applications
This document provides guidance to members of the Ohio State University community who wish to use applications and services available on the Web, including social networking applications, file storage, and content hosting. These tools, which often reside on complex, dynamic networks, are collectively referred to as "cloud computing."
I. Internet Applications at Ohio State
Internet application and service providers may require users to consent to their Terms of Service, frequently via a "click-through" agreement, which is a legal contract. Faculty, staff, and students are not authorized to enter into legal contracts on behalf of OSU and may not consent to click-through agreements for the purposes of university business. If individuals approve these agreements, they would be personally responsible in any legal actions related to the services.
Ohio State provides a variety of applications and services that support instructional, administrative and research activities by faculty, staff and students while meeting Ohio State's guidelines. Ohio State may have agreements with specific vendors or offer university-hosted solutions that meet your needs. Check OSU Site License Software for a list of existing campus agreements and services.
II. Challenges with Cloud Computing
Applications and services that are not purchased or licensed by Ohio State "” including those freely available on the Internet, such as popular social media sites "” may not meet university standards for user privacy, security, intellectual property protection, and records retention.
Potential problems with non-university approved applications include:
Intellectual Property and Copyright
Terms of Service from many providers include provisions about who owns intellectual property rights when content is created or uploaded to the application or service that may confuse intellectual property ownership claims.
Note, also, that cloud computing providers may reserve the right to change their Terms of Service at will.
Privacy and Data Security
Security of data uploaded to Internet services is rarely guaranteed. "Free" services frequently depend on data aggregation and data mining about users to attract advertising revenue. The privacy and/or security of that data is then potentially at risk.
State and federal law mandate protection of sensitive information such as student data, social security numbers and credit card information.
See OSU Policy on Institutional Data and OSU Policy Concerning Privacy and Release of Student Records.
Data Availability, Accessibility and Records Retention
All Ohio State business and educational records are subject to public records law, regardless of where they are stored.
However,many providers assume no responsibility for archiving content or ensuring availability, which places the burden on the user to ensure availability.
Additionally, OSU is committed to ensuring that information,including any materials provided through Internet applications and services, meet reasonable standards of accessibility for all.
Ohio State also requires that instructional, administrative, and research records be retained according to the university's record retention schedule. See OSU Records Retention Policies.
III. Best Practices for Using Cloud Computing
Sensible practices apply when using any Internet application.
Intellectual Property and Copyright
- Remember that many OSU images and symbols are owned by the university and not freely available for reproduction. Review and understand OSU Policy on Patents and Copyright.
- Remember that students, except in a limited number of circumstances, own their work.
- Ensure that students understand appropriate use of copyrighted materials, particularly when content is publicly available.
Privacy and Data Security
- Never divulge information that the university has classified as "restricted" on the Internet. Examples include social security numbers, credit card information, and driver's license numbers. See OSU Policy on Institutional Data.
- Comply with FERPA requirements to protect student privacy. Do not place grades or evaluative comments on Internet sites. Contact the Office of the Registrar at 292-9330 for assistance interpreting FERPA. See OSU Policy Concerning Privacy and Release of Student Records.
- Never use personally identifying information without explicit permission, unless the university has classified the information to be "public," for example, in the University Directory ("Find People").
Data Availability and Records Retention
- Ensure that all records "” whether instructional, administrative, or research "” are retained according to the records retention schedule. See OSU Records Retention Policies.
- Ensure that applications or services are accessible to all. See OSU Minimum Web Accessibility Standards. Contact the Web Accessibility Center at 292-1760 for assistance evaluating a tool or service.
- Back up materials regularly to ensure that records are available when needed, as many providers assume no responsibility for data-recovery of content.
IV. Relevant Campus Documents and Policies
- OSU Policy Concerning Privacy and Release of Student Records - http://registrar.osu.edu/policies/privacy_release_student_records.pdf
- State and Federal Laws and Contracts - /itsecurity/buckeyesecure
- OSU Copyright Help Center - http://library.osu.edu/sites/copyright
- OSU Records Retention Policies - http://library.osu.edu/sites/archives/retention/records.php
- OSU Responsible Use Policy - /policy/policies/responsible-use
- OSU Policy on Institutional Data - /policy/policies/policy-on-institutional-data
- OSU Minimum Web Accessibility Standards - http://wac.osu.edu/standards
- OSU Site License Software - /software
- OSU Policy on Patents and Copyright - http://fisher.osu.edu/centers/tlc/resources
- OSU Trademarks - http://www.osu.edu/identity
- Human Research Protection Program - http://orrp.osu.edu/irb/osupolicies/documents/HumanResearchProtectionProgram.pdf