A Cloud Service is a free or paid service or software solution delivered over the internet by an external vendor. This service provides access to applications and resources, using infrastructure or hardware external to McGill. Personal and institutional (enterprise and research) data is stored, processed and transmitted outside of McGill infrastructure, “in the cloud”.
See Cloud 101 for an overview of Cloud Services.
What is the Cloud Directive and related Cloud Service Acquisition Process?
The Cloud Directive outlines McGill's obligations in securely acquiring and using Cloud Services. It describes the necessary protections (controls) to use cloud services, depending on the type of data involved and its required security and privacy needs.
The Cloud Service Acquisition Process describes in detail the steps that must be followed to acquire a Cloud Service. The process requires that privacy, contractual and IT risk assessments be performed to evaluate whether the vendor can deliver on their commitments to safeguard our data against theft, loss and corruption.
Why do we need the Cloud Directive and Cloud Service Acquisition process?
The main objectives of the Cloud Directive and the Cloud Service Acquisition process are to:
protect personal information (PI) as well as personal health information (PHI). Examples include: SIN number, date of birth, address, gender, medical records or bank account information (to name just a few)
safeguard our institutional (enterprise) data, research data, proprietary information and intellectual property (IP)
comply with applicable laws, regulations and standards
Students who leverage solutions that have been assessed and approved by McGill can do so knowing that their personal information is managed securely.
What happens if we don’t follow the Cloud Directive and Cloud Service Acquisition process?
If we don’t follow this directive and process, then we don’t have any assurance that our data is properly safeguarded, and as a result, our data privacy and Intellectual Property rights are not guaranteed. Our data could be prone to unauthorized use or loss.
In addition, we have a legal responsibility to safeguard our data. For example, personal information must be protected. In other words, if we are not safeguarding our data appropriately, we are in violation of the law.
What data needs to be protected in the cloud?
Any data that is confidential needs to be protected. This includes data whose protection is required by law or regulation, or governed by contract or McGill policies.
Here are a few examples of data to protect:
Faculty members need to protect student personal information, and hence ensure that educational software for teaching and learning has been evaluated and approved.
Researchers (including students working on research projects) need to protect their research data and the intellectual property associated with their research.
Staff members need to protect other people’s personal information, such as employee files, medical information and student records.
Who needs to comply?
All members of the McGill University community must comply with the Cloud Directive and the Cloud Service Acquisition Process when acquiring and/or using paid or free Cloud Services. Research data and educational software used for teaching and learning are subject to the Cloud Directive as well.
How to get support?
We realize that it may be difficult to understand the details of McGill policies and directives. We, therefore, encourage you to contact itgovernance.its [at] mcgill.ca if you have questions or concerns. It will be our pleasure to assist and guide you through the process.