Third party software application and services
Guidance for University staff on data protection and information compliance issues for using a specific piece of cloud software or services
Before you start using any new third-party software or services for University business, you must carry out due diligence to ensure that University information will be secure and appropriately managed.
This guidance is relevant to software or services where the University intends to transfer data to the relevant service provider so that it is hosted in the cloud, as well as the use of cloud-based or other software where the University asks users to provide data directly to a software or service provider.
This checklist covers some of the main points you need to consider from a data protection and records management perspective.
Before you start
Check with Information Services if any existing centrally supported University software meets your requirements. This will usually be the simplest option.
Our wiki also has a list of some examples of software that have come up in previous enquiries.
1. Personal data must be stored inside the UK or in a country approved by the European Commission as offering adequate protection for personal data. (This includes personal data held in backups and any personal data accessed remotely.) If the company is not able to guarantee this, you should not use the cloud service.
If the company is based anywhere else, you will have to complete an International Data Transfer Assessment. Contact the DPO for this at firstname.lastname@example.org
2. Does the company offer an appropriate level of security for the sort of data that will be processed by the cloud service? Consider the level of security needed for personal data and any other sensitive University information, as well as the risks to the University or data subjects if the data was lost or damaged. Contact the Information Security Division for advice.
3. Will you be able to manage information retention?
- Is it possible to delete or take down information once your need for it has ended?
- Will the service provider remove information once their need for it has ended?
- If you need to keep the information for many years (e.g. because of research funding council policies on data retention), does the external service provider have arrangements in place to ensure the long-term survival and security of the data despite risks such as technological obsolescence and software and data standard changes, or is it possible for you to make arrangements to preserve the data yourself locally?
6. Carry out a data protection impact assessment (DPIA) for your project.
Ensure you obtain the appropriate approvals. This must include agreement from the data steward or owner of the data; for example, if your project involves sharing personal data about students from EUCLID, it should be approved by the Director of Student Systems.
Refer to the University's Delegated Authority Schedule for information about who is required to sign any contract.
Powers of delegation
Legal Services have useful guidance on who you should contact for different kinds of contracts.
Legal Services contracts guidance
You also need to make sure you comply with any relevant University procurement regulations.