Use of Free and Low-Cost Services
"Free and low cost technology services" are computer-related services that you can sign up for online for free or nearly-free. Many of us have non-work Google accounts; store our data in Apple or Microsoft's cloud or with an online backup service; share photos with Flickr and Picassa; use Dropbox and MobileMe to store, move, and share documents; stay in touch with others via Skype and instant messaging (IM); share our lives and thoughts on Facebook and Twitter; and the list goes on.
Free/low-cost services often seem like good options to meet our business (and personal) needs, and under certain circumstances they are appropriate to use. It is important to remember, though, that when you use these services, your data is in someone else's hands.
The “click-to-accept” agreements that these services use have not been reviewed or approved by UC and may introduce security risks for your information. UC and UCSC privacy and security policies apply to all University data, whether it is on UC or non-UC systems.
It is therefore your individual responsibility to take privacy and security into consideration when making decisions about when it is and is not appropriate to use free/low cost services.
A UC-approved service agreement is required for non-UC systems that store, receive, process or publish restricted information. Work with Procurement & Business Contracts to establish a service agreement employing UC-approved terms and conditions addressing information security and privacy requirements, including encryption.
- Since many UC-approved agreements do not protect unencrypted restricted data, always delete restricted data whenever possible. If you must store it, encrypt it (see the encryption link below).
A UC-approved service agreement is recommended for non-UC systems that store Confidential information or are used for essential University business processes.
Do not use a non-UC service without a UC-approved agreement if any of the following apply:
- Restricted information will be involved;
- You will be conducting University business that should not be disclosed to the general public;
- You need a high level of security;
- Privacy is a concern;
- There are things that wouldn’t be OK for the company to do with your information;
- Your information is subject to export control laws that may be affected by international storage;
- You have specific requirements for availability of data and electronic communications that the service can't guarantee;
- It would be a problem if the service suddenly changes or is no longer available, either temporarily or permanently.
If any of the above apply, consider whether the University offers a solution you could use instead, or work with Procurement & Business Contracts to consider the range of vendor options and establish a UC-approved agreement before using a vendor's service or system solution.
Keep in mind that your privacy and the privacy of everyone using the free/low cost application or service is dependent on the non-UC company. Don’t assume that privacy, security, or business continuity protections will meet UC's standards.
Some ground rules and important pointers:
- Don’t use external information systems or services for anything that you’re not prepared to disclose or lose. It is best to assume that whatever information goes to or through the service may become public. This includes records of activities of those using the service, such as who used the service, what they used it for and when, etc.
- Don’t use non-UC information systems or services to collect personal information. If you want to do so, you must ensure that California Information Practices agency requirements are met: CA Civil Code 1798.14-1798.23. See the contact information below for more details.
- Don’t expect to be informed if a subpoena, search warrant or other legal instrument is presented to the company to obtain information about you or others using the service. This is true even if a UC-approved agreement is in place. While some organizations will try to direct the requester to you/the University first, there is no guarantee that this will happen, and the vendor may even be forbidden from disclosing the request.
If any of these raise concerns, using a non-UC service without a UC-approved agreement in place might not be appropriate.
Also consider the following when evaluating whether a specific free/low cost service is the appropriate solution for your needs:
- Contracts: When you sign up to use free/low cost services, you may be agreeing to terms and conditions, terms of service, and acceptable use policies that are different from UCSC’s or UC's. The company can hold you to what you agree to, even if it is just a “click-to-accept”-type agreement. Also, if the service is free or "click wrap", you will probably have little or no recourse against the vendor if something goes wrong or they do something you don't agree with.
- Ownership: It is essential to ensure that University data remains the property of the University. Whenever you put data on a commercial service, ensure that the terms do not conflict with University policy in terms of data ownership. UCSC’s Business Contracts Office can help with this.
- Availability of Data: Don’t expect to get your information back if the company has a disruption in service, is acquired, changes business models or goes out of business. Keep local copies/backups of any critical data or records just to be safe.
- Even if you keep local copies of critical data, what happens to your data if, say, the company that was hosting your data shuts down?
- Record Requests: Keep in mind that you may be required to produce records relating to University business, including email, instant messages, files, etc., regardless of whether those records are stored on University or non-University systems or services. Using a non-UC service may make it more difficult for you to comply.
- Deleting data and accounts: There is no guarantee that deleted content or accounts will really be deleted. It may take a while before the content or the account is completely flushed from all of the company’s archives. Practices will also vary as to how long accounts may remain idle before the account and associated data are destroyed.
- Accessibility: If use of an application or service will be required, e.g., the only way people can access your online content, complete an assignment, or respond to a request for information, you must make sure that it is accessible to users with disabilities. Ask the vendor whether their product is Section 508 compliant, and test it to make sure that it is. More information about web accessibility and testing web sites for accessibility can be found at UC's Electronic Accessibility website.
- Google Analytics (GA) account administrators must configure GA not to share GA data, so that the usage statistics will only be available for UCSC's local use. (Account admins: for each GA account, check “Do not share my Google Analytics data” on the “Edit Account and Data Sharing Settings” screen.)
- See the supplemental page at http://its.ucsc.edu/policies/free2.html
For More Information and Guidance...
- ...about privacy considerations, contact UCSC’s Privacy Officer: firstname.lastname@example.org, 9-2666
- ...about security considerations, contact UCSC’s IT policy office: email@example.com, 9-2779
- ...about encryption, see http://its.ucsc.edu/security/encryption.html
- ...about whether the terms and conditions of an agreement are acceptable from a University perspective, contact UCSC Procurement & Business Contracts