Use of Third Party and Cloud Services

"Non-UC technology services" are computer-related services that you can sign up for online, often for free or nearly-free.  For example, click-through agreements or Google marketplace apps.

Non-UC technology services may not have the appropriate security protections in place that are required for university data.

It is therefore your individual responsibility to take privacy and security into consideration when making decisions about when it is and is not appropriate to use non-UC technology services.

When it comes to storing, sharing, and transmitting university data use approved UC technology, products, and services.

Some ground rules and important pointers:

  • Know the data, what is the data classification and data elements involved?
  • Know what the third-party app or service will have access to. 
  • Will the data be used by, shared with or sold to a third-party? 
  • Know the third-party app or service privacy policy.
  • Know the third party app security policies.

First, know the Data

What is the classification of the university data that the non-UC technology service will have access to?

View the UC Protection Levels to determine if the data is P1, P2, P3, or P4.

If the data is P3 or P4, STOP, you must use UC-approved technology, products, and services.

A UC-approved service agreement is required for non-UC systems that store, receive, process, or publish P3-P4 information or are used for essential university business processes. Work with Procurement & Business Contracts our Campus Counsel to establish a service agreement employing UC-approved terms and conditions addressing information security and privacy requirements, including encryption.

If the data is P1 or P2, continue reading to review the risks of using Non-UC technology services.

If any of the following criteria and guidelines raise concerns, using a non-UC service without a UC-approved agreement in place might not be appropriate.

You probably know best the type of information that the cloud service provider will have. The cloud service provider may post other privacy information on their site as “Privacy Policy” or in “Terms of Service” or in Support/FAQs. Review of news items may indicate past privacy issues. For more information, contact privacy@ucsc.edu.

  • Does the provider have a privacy policy?
  • How might UC or individuals be harmed if the information the cloud provider was storing or had access to was compromised?
  • Can you as the user remove or delete your information or account with the cloud service provider?  Is there a tool to export your information?
  • If you remove or delete your information, does the cloud service provider retain any rights to continue storing or using your information?
  • How long does the information remain with the cloud service provider (in online and offline storage), including after you delete it or your account?
  • Under what circumstances will the cloud service provider access content or restrict service without your consent as the user?
  • Will your information be used by, shared with or sold to a third-party?  Is that inconsistent with why you gave the information to the cloud service provider?
  • Will the cloud service provider respond to requests for your information from government officials or law enforcement?
  • Does the cloud service provider have a history of regulatory or legal findings related to privacy?

Answering Yes to any of these questions indicates some risk in the use of the cloud service and that a contract or another service should be considered. For more information on contracts, contact buy4me@ucsc.edu.

You probably know best the type of information that the cloud service provider will have. The cloud service provider may post other security information on their site as “Security” or in “Terms of Service” or in Support/FAQs. Review of news items may indicate past security issues. For more information, contact itpolicy@ucsc.edu.

  • Will the cloud service provider have non-public (P2-P4) information?
  • Will the cloud service provider have social security number, driver’s license, health, insurance or financial information?
  • Are there any compliance requirements for the information, e.g. credit cards (PCI) or health information (HIPAA)?
  • Are there export-control restrictions on the information that preclude storing it internationally?
  • Will student information be stored or accessed by the cloud service provider?
  • Does the cloud service provider have a security plan or provide information about their security controls?
  • Has their security plan been mapped or certified to any security frameworks?
  • Has the cloud service provider been audited by a trustworthy and certified third-party?  Is there an available SOC report?
  • Will the cloud service provider contact you, the user, if there is a breach of information or passwords?
  • How will they contact you if there is a breach of information or passwords and in what timeframe?  
  • Does the cloud provider have a history of security breaches or other regulatory or legal findings related to security?

Answering Yes to any of these questions indicates some risk in the use of the cloud service and that a contract or another service should be considered. For more information on contracts, contact buy4me@ucsc.edu.

You probably know best how you intend to use the cloud service. The cloud service provider may post other information on their site in “Terms of Service” or in Support/FAQs. For more information, contact buy4me@ucsc.edu.

  • Does the cloud service provider claim any rights of ownership to your information?
  • Does the user or the University retain rights, e.g. to intellectual property or copyright?
  • Does the cloud service provider restrict your rights for research publication, e.g. how their service is presented?
  • Might your use of the service create liability for the University?
  • How might UC or individuals be liable if the information the cloud service provider was storing or had access to was compromised? Who is liable for the impact if information is compromised or breached?
  • Will you use the cloud service for a business critical function?
  • Does the cloud service provider have service levels that promise availability?  
  • Do you have an exit strategy in case the relationship with the cloud service provider needs to be terminated?  Is there a tool to export your information?
  • Is there an acceptable use policy and are there any restrictions of use that may conflict with your anticipated use?
  • Might the cloud service provider censor your activity based on the acceptable use policy?
  • Is there a charge for the cloud service?  What is the history of price increases? How are you notified?
  • Will you be affected by changes to the service?  How does the cloud service provider notify you of changes?

Answering Yes to any of these questions indicates some risk in the use of the cloud service and that a contract or another service should be considered. For more information on contracts, contact buy4me@ucsc.edu.


Don’t use external information systems or services for anything that you’re not prepared to disclose or lose. It is best to assume that whatever information goes to or through the service may become public. This includes records of activities of those using the service, such as who used the service, what they used it for and when, etc.

Check out the company’s privacy policy – there should be a link to it somewhere on their website. Know what the vendor is going to do with the information you and others provide. This includes who they may provide information to and who they will allow to access it. What permissions have you granted by accepting their agreement/Terms of Use?

Operational, Legal, and Contractual Issues

Also, consider the following when evaluating whether a specific free/low-cost service is the appropriate solution for your needs:

Contracts: When you sign up to use free/low-cost services, you may be agreeing to terms and conditions, terms of service, and acceptable use policies that are different from UCSC’s or UC's. The company can hold you to what you agree to, even if it is just a “click-to-accept”-type agreement. Also, if the service is free or "click wrap" you will probably have little or no recourse against the vendor if something goes wrong or they do something you don't agree with.

Ownership: It is essential to ensure that University data remains the property of the University. Whenever you put data on a commercial service, ensure that the terms do not conflict with University policy in terms of data ownership. UCSC’s Business Contracts Office can help with this.

Accessibility: If use of an application or service will be required, e.g., the only way people can access your online content, complete an assignment, or respond to a request for information, you must make sure that it is accessible to users with disabilities. Ask the vendor whether their product is Section 508 compliant, and test it to make sure that it is. More information about web accessibility and testing web sites for accessibility can be found at UC's Electronic Accessibility website.

 

For More Information and Guidance…

...about privacy considerations, contact UCSC’s Privacy Official: ddolezal@ucsc.edu, 831-459-4003

...about security considerations, contact UCSC’s IT policy office: itpolicy@ucsc.edu, 831-459-2779

...about whether the terms and conditions of an agreement are acceptable from a University perspective, contact UCSC Procurement & Business Contracts