Cloud Storage Guidelines to Educational and Sensitive Data

Owned by Sean Stockburger (Unlicensed)
Dec 04, 2018
2 min read

WWU-provided cloud services are appropriate for most communication and collaboration; however, the sensitivity and nature of the information must be carefully considered before you choose to store information on a cloud service.

Types of data to avoid storing on a cloud service:

  • Personal information (e.g., social security numbers, dates of birth, student records, and financial aid data).
  • Proprietary information (e.g., College financial data and donor information).
  • Regulated information, the disclosure of which is subject to regulatory compliance (including FERPA, GLBA, HIPAA, etc).

Sharing of documents with internal and external collaborators is possible, but caution should be exercised when doing so.  Make sure you understand the sharing mechanisms available before sharing files or folders with anyone – and setup reminders to periodically review any sharing permissions you have setup.

Whenever technically feasible sensitive information should be stored on network file space in restricted directories - not on an office computer or a removable storage device. If a computer must be used to store sensitive information, it must be in a secure location, and each individual authorized to use the computer should have a unique username with a strong password. Sensitive information should not be stored on a laptop or mobile device unless absolutely necessary (and that device is both password-protected and encrypted). Avoid storing any sensitive information in the cloud unless specifically directed to do so (e.g., G Suite, DropBox, Box, and personal cloud storage providers).

WWU OneDrive for Business

WWU provides online storage and collaboration options to all WWU students, faculty, and staff. OneDrive for Business provides a cloud storage resource for University data. While WWU-local computing resources are preferred mechanisms for storing sensitive data – WWU has specific agreements with Microsoft that allow FERPA- and HIPAA-protected data to be managed within OneDrive for Business when internal business process warrant. Other services such as Office 365 Exchange and SharePoint Online are also covered by the WWU agreement and may also be acceptable for sensitive information. Sharing of documents with internal and external collaborators is possible, but caution should be exercised when doing so. Please note: One Drive for Business is different from the individual consumer version of OneDrive, which does not meet the security requirements for WWU data storage.

WWU Google Drive

WWU offers authentication to the Google Drive environment with your WWU credentials (userID@wwu.edu). This is an additional option for those that choose to use this alternative. WWU does not have a specific agreement in place for this storage option to meet HIPAA-protection requirements. While Google is contractually and legally responsible to protect FERPA data, WWU advises the use of WWU-local storage (or OneDrive for Business) for any sensitive data storage.

WWU’s ability to support the Google for Education space is not backed by a support contract and will amount to “best effort” in many cases.

Again, the sharing of documents with both internal and external collaborators is possible, but caution should be exercised when doing so.

Other Applications

WWU offers many other applications and services that are cloud-based: Canvas, eProcurment, PageUp, etc. These examples are specific tools that enable certain activities within their academic or business processes. These services differ considerably from general file storage solutions like OneDrive for Business and Google Drive – in that the ability to extend sharing permissions are quite different. These services present much lower risk to institutional data.