A guide to using Dropbox and other cloud-based storage services
What is cloud-based storage?
Personal cloud-based storage solutions (such as iCloud, Dropbox, SkyDrive, Google and Ubuntu1) have become very popular for storing your own files, like photos and family documents, as they provide an easy way to store and share your information.
However, at the moment personal cloud-based storage services are of limited use when it comes to sharing any data you create or receive in relation to University business, because:
- They do not guarantee that our obligations under the Data Protection Act (DPA) are met
- They do not offer sufficient protection for intellectual property (our ideas) or information that we would class as commercially confidential
- They do not keep records as to who accesses the data
Why are you thinking of using cloud-based storage?
There are a number of University systems which may be appropriate depending on why you are considering cloud-based storage as an option.
- If you need to access files or applications from home, are the University’s remote access systems suitable?
- Is it because you need more space? If so, you should check that you are managing your files according to the University’s records management policy and archiving files that are no longer required (see https://www.dur.ac.uk/records.management/local/guidance/). If you are required to create and store particularly large files, you can request an increase in your file-store allocation, subject to your departmental budget holder’s approval.
- If you need to move data for a short period, you can encrypt or password protect your file before sending it. However, for more peace of mind, we recommend the more secure option of using password encrypted data sticks, which you can obtain from the IT Service Desk.
- You need to consider the available University systems first and confirm that they do not meet your needs before contemplating cloud storage.
If you are considering using a personal cloud based storage solution for any University information that you hold or are working on, there are a number of questions you need to ask before using it (N.B. the examples are not exhaustive and are for guidance only):
- Is there any personal or sensitive data in there? (E.g. names, addresses or financial records, etc.)
- Is the information important to the business of the University? (E.g. research data.)
- Does the information require a level of security and/or an audit trail or level of assurance? If you’re not sure, check!
- Could it be commercially confidential to the University or a third party?
- Could it be classed as intellectual property?
In order to use personal cloud-based storage for University data, you need to be certain that the answer to each of these questions is a definite no: if you are in any doubt, err on the side of caution and use an alternative method.
As a University employee you have a duty of care in relation to confidential information, such as personal or commercially sensitive data which you come into contact with as part of your duties. Part of that duty is to exercise all reasonable endeavours to prevent the disclosure of such information, so should you use cloud based storage for University data and it is compromised (amended/lost/published/subject to unauthorised access) you may be subject to University disciplinary procedures.
If you are confident that your use of a personal cloud based storage solution fits within these security requirements for your University data, contact the IT Service Desk and they will be able to assist you with installing it.
General advice for storing information in personal cloud storage
The risks you have to consider when putting your data into personal cloud storage are:
- The data may be stored outside the European Economic Area, so may not be covered by EU data protection laws. In other jurisdictions it may be accessed or removed without your knowledge or consent.
- There are no safeguards about the continuing existence of the data and no guarantee that your right to access it will be maintained.
- The data may be altered or corrupted without your knowledge, and you won’t have any way of getting uncorrupted copies back.
- If the files are accidentally deleted, there’s no backup, nor is there any guarantee of the service continuing to exist.
- There is no guarantee of data confidentiality.
- Most cloud storage providers do not keep records of who has accessed or downloaded your data.
- Dropbox administrators can access ANY content on the Dropbox site, and if their access is compromised, it means all Dropbox data is automatically at risk of compromise.
Always read the Terms and Conditions of the particular service provider you choose carefully so you are sure who has access to your data and what level of protection and confidentiality it has.
We understand that there is a demand for a cloud-based storage service within the University and are currently keeping an eye on this emerging product in order to identify a solution which would have the additional controls we need, such as an audit trail of access, expiry of files and compliance with DPA hosting requirements (e.g. Safe Harbor).