Click-Through Services and Allowable Data Use

"Click-through services" are computer-related services that you can sign up for online for free or nearly free. Examples include non-UCSC Google accounts, Dropbox, MobileMe, Apple's or Microsoft's cloud, Flickr, Picasa, Skype, Facebook, Twitter, Instagram, instant messaging (IM), and the list goes on.

These free/low-cost services often seem like good options to meet our business (and personal) needs, and under certain circumstances they are appropriate to use. It is important to remember, though, that when you use these services, your data is in someone else's hands without the assurances of UC-negotiated contracts. Instead, you are subject to the vendor's terms and conditions, often accepted with a "click" on "I agree".

UC and UCSC privacy and security policies apply to all University data, whether it is on UC or non-UC systems. The click-through agreements that these services use have not been reviewed or approved by UC and may introduce security risks for your information.

It is your individual responsibility to take privacy and security into consideration when making decisions about when it is and is not appropriate to use non-UC services.


Considerations when using "click-through" services:

When using click-through services, it is important to first determine if you are entering into a contract for services with the supplier on behalf of yourself personally or on behalf of the University.

When a procurement of services is being made on behalf of the University that involves terms and conditions, Business Contracts needs to be engaged for review to confirm the terms are policy compliant. If there is a cost associated with the services, submit a requisition via CruzBuy, attaching a copy of the terms and conditions to the requisition for Business Contracts review. The requisition will automatically reach Business Contracts via the CruzBuy workflow process. If there is no cost associated with the services, e-mail the terms to buy4me@ucsc.edu for Business Contracts review.

If you are entering into a contract on behalf of yourself personally, you do not need to go through Business Contracts for review. The table below is a tool to help you safeguard information for which you and the campus are stewards, in connection with personal contracts only. Always employ due care when handling sensitive information.


Know your Information

  • What type of information is collected by the cloud service provider and for what use?

Know the impact if it is compromised

  • How would UC or others be harmed if the information the cloud service provider was storing or had access to was compromised?

Know the impact if the service is unavailable

  • How would UC or others be affected if the cloud service provider was unavailable?

Privacy Criteria

You probably know best the type of information that the cloud service provider will have. The cloud service provider may post other privacy information on their site as “Privacy Policy” or in “Terms of Service” or in Support/FAQs. Review of news items may indicate past privacy issues. For more information, contact privacy@ucsc.edu.

  • Does the provider have a privacy policy?
  • What type of information is collected by the cloud service provider? Is it clear how the information will be used? Is the use consistent with the intended purpose for which it was provided?
  • Will the cloud service create, store, manage, use, or transmit UC institutional information?
  • Is this institutional information about you, the primary user, or provided by you about others, e.g. are you a faculty member providing info about students in your class to enable the use of a service or tool for that class?
  • How might UC or individuals be harmed if the information the cloud provider was storing or had access to was compromised?
  • Can you as the user remove or delete your information or account with the cloud service provider?  Is there a tool to export your information?
  • If you remove or delete your information, does the cloud service provider retain any rights to continue storing or using your information?
  • How long does the information remain with the cloud service provider (in online and offline storage), including after you delete it or your account?
  • Under what circumstances will the cloud service provider access content or restrict service without your consent as the user?
  • Will your information be used by, shared with or sold to a third-party?  Is that inconsistent with why you gave the information to the cloud service provider?
  • Will the cloud service provider respond to requests for your information from government officials or law enforcement?
  • Does the cloud service provider have a history of regulatory or legal findings related to privacy?

Answering Yes to any of these questions indicates some risk in the use of the cloud service and that a contract or another service should be considered. For more information on contracts, contact buy4me@ucsc.edu.


Security Criteria

You probably know best the type of information that the cloud service provider will have. The cloud service provider may post other security information on their site as “Security” or in “Terms of Service” or in Support/FAQs. Review of news items may indicate past security issues. For more information, contact itpolicy@ucsc.edu.

  • Will the cloud service provider have restricted or confidential information (see here for more information)?
  • Will the cloud service provider have social security number, driver’s license, health, insurance or financial information?
  • Are there any compliance requirements for the information, e.g. credit cards (PCI) or health information (HIPAA)?
  • Are there export-control restrictions on the information that preclude storing it internationally?
  • Will student information be stored or accessed by the cloud service provider?
  • Does the cloud service provider have a security plan or provide information about their security controls?
  • Has their security plan been mapped or certified to any security frameworks?
  • Has the cloud service provider been audited by a trustworthy and certified third-party?  Is there an available SOC report?
  • Will the cloud service provider contact you, the user, if there is a breach of information or passwords?
  • How will they contact you if there is a breach of information or passwords and in what timeframe?  
  • Does the cloud provider have a history of security breaches or other regulatory or legal findings related to security?

Answering Yes to any of these questions indicates some risk in the use of the cloud service and that a contract or another service should be considered. For more information on contracts, contact buy4me@ucsc.edu.


Data Ownership, Service Levels, Legal/Contract Criteria

You probably know best how you intend to use the cloud service. The cloud service provider may post other information on their site in “Terms of Service” or in Support/FAQs. For more information, contact buy4me@ucsc.edu.

  • Does the cloud service provider claim any rights of ownership to your information?
  • Does the user or the University retain rights, e.g. to intellectual property or copyright?
  • Does the cloud service provider restrict your rights for research publication, e.g. how their service is presented?
  • Might your use of the service create liability for the University?
  • How might UC or individuals be liable if the information the cloud service provider was storing or had access to was compromised? Who is liable for the impact if information is compromised or breached?
  • Will you use the cloud service for a business critical function?
  • Does the cloud service provider have service levels that promise availability?  
  • Do you have an exit strategy in case the relationship with the cloud service provider needs to be terminated?  Is there a tool to export your information?
  • Is there an acceptable use policy and are there any restrictions of use that may conflict with your anticipated use?
  • Might the cloud service provider censor your activity based on the acceptable use policy?
  • Is there a charge for the cloud service?  What is the history of price increases? How are you notified?
  • Will you be affected by changes to the service?  How does the cloud service provider notify you of changes?

Answering Yes to any of these questions indicates some risk in the use of the cloud service and that a contract or another service should be considered. For more information on contracts, contact buy4me@ucsc.edu.


Student Information Criteria

For more information on the privacy of student records, including FERPA training, please see: http://registrar.ucsc.edu/records/privacy/index.html

  • Do you require students to use the cloud service provider to participate in a University function, e.g. submit homework in a class?
  • If use of a cloud service is required to participate in the class, is student directory information (e.g. CruzID, campus email, name) necessary for enrolling in the cloud service?
  • If use of a cloud service is optional to participate, is other student record information used in the service, e.g. course name or title or quarter?

Answering Yes to any of these questions indicates the cloud service may not comply with FERPA. Use of the cloud service may require additional FERPA language in the contract recognizing the cloud service provider as a contractor/campus official performing an institutional service or function otherwise performed by faculty or staff, and that the cloud service provider is compliant with FERPA. For more information on contracts, contact buy4me@ucsc.edu.