External Hosting of TU Dublin Data
TU Dublin is obligated under Article 28 of the GDPR (General Data Protection Regulation) to review and approve all cloud services that process personal data on its behalf within the university.
“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
All information held in the cloud is considered to be a record held by the university and therefore may be the subject of a Data Subject Access Request or a Freedom of Information request.
Cloud Service Provider Approval Group
To ensure this policy is adhered to, a Cloud Service Provider Approval Group (CSPAG) has been established within the University. The group consists of members of the Information Governance team and the Cyber Security, IT Compliance and Risk Team.
The purpose of CSPAG is to assess new and existing systems or services that will store or access personal data. Requests to host personal data externally are evaluated by CSPAG so that the associated data risks are identified and managed appropriately.
Systems covered by this approval group are listed below:
- Cloud service provider (CSP) - A cloud service provider is a third-party company offering a cloud-based platform, infrastructure, application, or storage services.
- Software as a Service (SaaS) - Applications delivered over the Internet as a service. Instead of installing and maintaining software locally, users access it via the Internet.
- Third-party application or service that integrates with information systems located on-premises within TU Dublin.
- Third-party application that integrates with data hosted in a cloud environment managed or owned by TU Dublin (including but not limited to Azure, Office 365, Amazon Web Services and Google).
- Third-party application that requires users to provide personal data directly.
Examples of a CSP include, but are not limited to the following:
- VLEs (Brightspace, Moodle)
- Adobe
- Polling apps (Vevox, Padlet)
- Storage services
- Social media platforms
A list of currently approved cloud services can be found below:
The intention of Article 28(1) is to flow the security principles and security requirements down into the processor’s organisation and its sub-processors.
- Compliance is a shared responsibility.
- Controllers need to assess processors to ensure they have sufficient guarantees around appropriate organisational and technical measures.
- A controller that cannot demonstrate that it assessed the processor’s competence is itself in breach of its obligations under the GDPR.
This process is designed to align with legal and regulatory standards, including but not limited to the General Data Protection Regulation (GDPR) and the NCSC (National Cyber Security Centre) Cyber Security Baseline Standards.
FAQs
How do I engage in this process?
If you wish for a third-party app or external data hosting service to be purchased and/or configured for use within TU Dublin that will be processing personal data, a request should be made using the following Microsoft form:
Please note: Heads of Discipline, Heads of School or Heads of Functional Area will need to approve any request before it is submitted for review by CSPAG. CSPAG will then log and process the request.
Once the request has been logged by CSPAG, the requester will receive an email with links to the External Data Hosting Questionnaire and the Data Protection Impact Assessment form. The completed documents should be returned to CSPAG@tudublin.ie.
External Data Hosting Questionnaire
The third-party service provider must complete the External Data Hosting Questionnaire. This allows the IT Security Officer and IT Compliance Officer to assess the security of the cloud service provider.
Data Protection Impact Assessment (DPIA)
The requester, not the third party, must complete the DPIA. A DPIA aims to identify risks arising out of the processing of personal data and to minimise those risks where possible.
https://www.tudublin.ie/explore/gdpr/data-protection-impact-assessment/
How long will the process take?
The review process may take 6-8 weeks to complete, commencing once all documentation has been received by CSPAG.
Once all documentation has been received by the CSPAG, the following will happen:
- The External Data Hosting Questionnaire, along with any additional documentation, will be reviewed to ensure that the cloud service provider has acceptable IT security and data privacy policies and procedures in place to minimise the risk of loss or exposure of TU Dublin personal data.
- The DPIA will be reviewed to ensure that TU Dublin is compliant with data protection law.
- Members of IT Support and IT Infrastructure will be consulted to ensure there are no additional concerns with the requested cloud service provider.
Please note: Members of CSPAG may need to contact the requester during this process to seek additional information, either from the requester directly or from the cloud service provider. It is the responsibility of the requester to obtain this information from the cloud service provider when requested.
Once the review has been completed, the requester will receive an email from CSPAG stating whether the application has been approved or rejected.
Once the requester receives this email, it is their responsibility to contact IT Support and/or IT Infrastructure to ensure resources can be assigned to set up the cloud service.
If the third-party service incurs a cost, the requester should not raise a purchase order (PO) until the service has been approved as Safe and Compliant by CSPAG and the IT Services officer and/or IT Infrastructure have confirmed that the service can be implemented.
How do I know if I need to make a submission under the CSP request process?
If a third-party organisation or external data hosting service will process personal data, then you must engage with the CSP request process.
Data Processing “means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
If you are unsure whether a third-party service will be processing personal data, you should engage with the CSP request process.