Note: Terms in italic are defined in the glossary.
Before using a Cloud solution at McGill (“using” includes storing, processing or transmitting data in the solution), we need to properly assess this solution to ensure it is adequately protecting our institutional (enterprise & research) and personal data. A privacy assessment, an IT risk assessment and a contract assessment must be done.
Topics covered:
- Define in what context you will use the Cloud solution. Will you use it in a “research” or an “enterprise” (i.e. non-research) context?
- Is the Cloud solution subject to the Cloud Directive?
- Has the solution already been assessed for use at McGill (i.e., approved or rejected) or has the assessment been deferred?
- Steps to follow to acquire a Cloud solution for your context
- Who is involved in the process and who can assist you?
- Special cases: approved classes, deferrals and derogations
When planning for the acquisition of a Cloud solution, you need to consider that the required assessments take time. They involve information exchanges between the supplier, the supplier’s own sub-suppliers, subcontractors and sometimes independent auditors, as well as the solution requestor and several departments within McGill, in order to assess the supplier’s ability to adequately safeguard the data within their cloud solution.
Critical questions to determine how to proceed
To acquire a Cloud solution, you need to first answer 3 critical questions to determine how to proceed:
In what context will you use this Cloud solution?
The Cloud Service Acquisition Process must be followed in all cases, however, depending on the context in which you will use the Cloud solution, and the level of sensitivity of the data that is processed within that solution, the assessments are done with a varying degree of diligence.
First, determine in which of the following contexts you plan to use the solution:
- Research context with only research data: this can for example refer to a situation where data is collected into a Cloud Solution for the purpose of research (including Personal Information such as name, birth date, medical information).
- Note: Software or cloud services that support the administration of research fall under the “enterprise context”. This can for example refer to solutions which manage research grant applications or solutions that are used to manage inventory of chemical reagents.
- Note: Some software or cloud services used for research data can be pro-actively assessed university-wide; they will fall under the “enterprise context” where a more rigorous review will be performed.
- Enterprise context: this typically refers to administrative or teaching data. It also relates to data for the administration of research. Ex. Personal Information of staff that is collected in a non-research context, employee evaluations, course descriptions, Grade Point Averages (GPA), etc.
Is this Cloud solution subject to the Cloud Directive?
In general, Cloud solutions (free or paid) are subject to the Cloud Directive, and as such, need to be assessed for use at McGill. Given that Cloud solutions and the data used in the solution evolve over time, the cloud solution not only needs to be assessed for the initial acquisition but also needs to be re-assessed each time the contract is renewed. A Cloud solution is out of scope of the Cloud Directive in the following cases:
| Cloud solutions are OUT OF SCOPE of the Cloud Directive when: |
|---|
|
|
|
All other Cloud solutions must be assessed for use at McGill.
Has the Cloud solution been approved or rejected in the past, or has a deferral been granted?
Some Cloud solutions may have already been assessed and approved for certain uses by McGill. Leveraging a solution that has already been assessed, and is in line with your current needs, is beneficial in terms of assurance of compliance, procurement timeline and total cost. If your usage differs, for example in regards to your data sensitivity and classification (regulated, protected, public), the solution may have to be re-assessed. In the Approved Cloud Services list, you will see if your Cloud solution has already been approved, and under what conditions (restrictions).
The following classes of Cloud solutions are automatically approved, in the context of the Cloud Directive only, for use under specific conditions. Please contact itgovernance.its [at] mcgill.ca for assistance on these classes of solutions.
| Approved classes of cloud solutions | Special conditions |
|---|---|
| Cloud solutions managed by Quebec public bodies (ex. BCI) | Low/medium/high sensitivity |
| Cloud solutions managed by Canadian/US/European public bodies (e.g., Compute Canada, Calcul Quebec) | Only if low/medium sensitivity |
| Cloud solutions processing Personal Information that is supplied voluntarily by the user and not by McGill (e.g., voluntary and fully optional virtual events) | Disclaimer text is required |
| Cloud solutions processing public information only | N/A |
| Cloud solutions solely providing content for consumption (ex. Gartner, LinkedIn Learning) provided that the solution was acquired through a Purchase Order and Simplified Privacy Addendum | Only if low/medium sensitivity and purchased via Purchase Order |
| Cloud solutions where the only Personal Information collected is name & email (of staff, faculty, students) | Only for solutions in use by research, faculty, staff & students |
- For some categories of Cloud solutions, a deferral may have been granted by Procurement Services to use the Cloud solution without carrying out the privacy assessment, the IT risk assessment, and the contract assessment. A deferral is only provided for a specific duration and under special conditions, therefore, the Cloud solution will need to be assessed at a later stage
- Note: If a solution has not been previously assessed under the Cloud Directive, and a renewal is imminent, Procurement Services will exceptionally defer the assessments. This will be allowed only once. At the next renewal, the Cloud Service Acquisition process must be respected and initiated well in advance of the next renewal date
- Some Cloud solutions may have been rejected for use at McGill for a specific data category, such as Personal Information. If a solution was rejected in this manner, it doesn’t automatically mean that it is also rejected for your needs. The Rejected Cloud Services list explains for which data categories the Cloud solution has been rejected. If your conditions are different from the rejection conditions (restrictions), a new assessment will be required for the solution to be used.
What's next...?
Once you have determined:
- In what context you will use the Cloud solution
- Whether the Cloud solution is subject to the Cloud Directive
- Whether there is an approval, rejection or assessment deferral in effect for the Cloud solution
Then you can proceed to perform the assessments if required.
Steps to follow to perform the assessment
Based on the context for which you wish to use the Cloud solution, follow the steps in the appropriate section below.
The extent of due diligence required is based on the risk level associated with the acquisition of the cloud service. The IT risk assessment necessary to ensure due diligence can range from a limited to a full assessment of the cloud service, and the contract assessment can range from a basic review (for Public data) to a basic review and IT Clauses assessment (for Protected and Regulated data). Some exceptions may apply. See the IT Risk assessment and Contract assessment glossary terms for a more detailed explanation of these terms.
If a solution is used in multiple contexts (research, teaching and/or other) or if independent requests for the same solution are made by multiple requestors, Procurement Services will determine whether the solution should be assessed for each context/requestor independently, or as a university-wide solution for all purposes.
To acquire/use a Cloud solution for Research data (not including Research management administration)
A Cloud solution for Research Data refers to the use of the Cloud solution in the context of conducting research.
As a researcher, you are responsible yourself to assess Cloud solutions from a compliance and risk perspective.
Given that evidence of due diligence must be kept for the duration of the contract and 3 years thereafter, researchers must document the results of the assessments. Additional tools and templates will be provided to support researchers in this task.
If you have any questions related to research data management, research software or advanced research computing, feel free to contact Digital Research Services.
If you would like to be supported in the assessments, please complete the Software or Cloud Service Acquisition request form.
View description of image for accessibility
| Researcher | Who to contact if you require assistance? | |
|---|---|---|
| Data assessment | 1. Evaluate data elements in scope to determine data sensitivity level |
|
| IT risk assessment | 2. Complete IT risk review, ranging from:
|
|
| Privacy and contract assessments | 3. Perform a contract assessment, ranging from:
|
|
| Decision | 4. Based on all assessment results, decide whether or not to proceed with the Cloud solution |
|
To acquire/use a Cloud solution for Enterprise data (including Administration, Teaching, Research management administration)
A Cloud solution used in an enterprise context refers to the use of the Cloud solution for administration, teaching or the administration of research.
Please complete the Software or Cloud Service Acquisition request form if you are planning to acquire a solution in this context.
The solution requestors must fill and submit the Data Assessment form.
Some solution requestors have a portfolio manager who can complete the data assessment form on your behalf or provide support in completing the form.
The image below provides an overall view of the steps that will be initiated once your request has been submitted.
For more information about how to fill the Data assessment form, see the How-to: Data Assessment form.
- All instructors should contact TLS: tls [at] mcgill.ca (for teachers)
- Administrative units can reach out to a Portfolio Manager for support
The image below provides an overall view of the steps that will be initiated once your request has been submitted.
View description of image for accessibility
| Requestor | Central services | |
|---|---|---|
| Data assessment |
1. Complete Software or Cloud Service Acquisition request form 2. Complete data assessment form 3. Submit data assessment form for approval |
IT Portfolio Manager:
Data trustee:
|
| IT risk assessment |
IT Services:
|
|
| Privacy and contract assessments |
Procurement:
|
|
| Decision |
Procurement:
|
Derogations
If a solution failed the privacy assessment, the IT risk assessment and/or the contract assessment, under exceptional circumstances, on a case by case basis, a derogation may be granted to use the Cloud solution under specific conditions and for a specific timeframe. This happens rarely, and it requires special written approval by the Contract Compliance Officer (CCO) and Chief Information Officer (CIO).
Examples:
- Specific Cloud solutions that provide an essential service where another acceptable alternative does not exist.
