1. Home
  2. Connect
  3. Technology Services
  4. IT Governance
  5. External Data Hosting

Technology Services

External Hosting Request Form
Data Protection Impact Assessment Form
External Hosting Questionnaire

External Hosting of TU Dublin Data

The University is obligated under article 28 of the GDPR when personal data is hosted externally. To avail of the services of an external hosting solution, if this involves the processing of personal data (e.g. staff and student data), the Cloud Service Provider (CSP) process applies and is designed whereby requests to host personal data externally are evaluated and that associated data risks are managed appropriately.

Cloud Service Provider Approval Group (CSPAG)

To adhere to this policy, we have established the Cloud Service Provider Approval Group (CSPAG). This group, comprising members from Information Governance, Cyber Security and IT Compliance, and Risk teams, assesses new and existing systems or services that store or access personal data.

To proceed each request must be assessed by CSPAG and are subject to the necessary internal approvals and compliance with the Universities Data Protection Policy and IT policies/procedures.

Engaging in the Process

To request permission for a third-party app or external data hosting service that processes personal data, submit a request using our Microsoft form. Approval from Heads of Discipline, School, or Functional Area is required.

Review Process:

  1. Submission: Completion of the External Data Hosting Questionnaire and Data Protection Impact Assessment (DPIA).
  2. Evaluation: CSPAG reviews the documentation to ensure compliance with IT security and data privacy policies.
  3. Approval: The requester will be notified of the approval or rejection. If approved, you will coordinate with the relevant department for implementation.

FAQ

 

If a third-party organisation or external data hosting service will host or process senstive or personal data, then you must engage with the Cloud Service Provider request process.

Data Processing is defined as “any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

If you are unsure if a third-party service will be processing personal data, please contact the Cloud Service Provider Approval Group at cspag@tudublin.ie 

A request should be made using the following Microsoft form:

https://forms.office.com/pages/responsepage.aspx?id=yxdjdkjpX06M7Nq8ji_V2jQbTFC3jM1Bs6ZN8L7QZUxURVhTQkdFSjNXUElIMlUyMlkyUkNONFBZRy4u

Please note: Heads of Discipline, Heads of School or Heads of Functional Area will need to approve any requests being submitted for review by CSPAG.  The Cloud Service Provider Assessment Group will then log and process the request.

Once it has been logged by CSPAG, the requester will receive an email with links to the External Data Hosting Questionnaire and the Data Protection Impact Assessment form. The completed documents should be returned to CSPAG@tudublin.ie

External Data Hosting Questionnaire

The third-party service provider must complete the External Data Hosting Questionnaire. This will allow Technology Services assess the security of the Cloud Service provider.

www.tudublin.ie/media/website/connect/technology-services/documents/External-Data-Hosting-Questionnaire-v1.3.docx

Data Protection Impact Assessment (DPIA)

The requester and not the third party must complete the DPIA.  A DPIA aims to identify risks arising out of the processing of personal data and to minimise those risks where possible.

https://www.tudublin.ie/explore/gdpr/data-protection-impact-assessment/

The review process may take 6-8 weeks to complete, commencing once all requested documentation has been received by CSPAG.  

Once all documentation has been received by the CSPAG, the following will happen:

  • The External Hosting Questionnaire, along with any additional documentation will be reviewed to ensure that the Cloud Service Provider have acceptable IT security and data privacy policies and procedures in place to minimise the risk of loss or exposure of TU Dublin data.
  • The DPIA will be reviewed to ensure that TU Dublin are compliant with data protection law.
  • Members of IT Support and IT infrastructure will be consulted to ensure there are not additional concerns with the requested Cloud Service Provider.

Please note: Members of the CSPAG may need to contact the requester throughout this process to seek additional information from them directly or the Cloud Service Provider.  It will be the responsibility of the requester to obtain this information from the Cloud Service Provider when requested.

Engage with the CSPAG request process if there’s any uncertainty.

Information that will allow CSPAG to assess the security of the Cloud Service provider.

The third-party service provider must complete the External Data Hosting Questionnaire. This will allow the CSPAG to assess the security of the Cloud Service provider.

You should email cspag@tudublin.ie

DPIA is an assessment of the data contained within the requested service to identify any risks in processing personal data. 

It is assessed by the CSPAG group who will provide feedback on any risks identified and recommendations on the actions or controls needed to address those risks.

The requester and not the third party must complete the DPIA.  A DPIA aims to identify risks arising out of the processing of personal data and to minimise those risks where possible.

You can find more information on the DPIA process here.

You should email cspag@tudublin.ie

Suggested IT Governance 

All IT Governance
Terms of use Microsoft Teams
IT Exceptions