Defines standard practices for secure use of cloud computing applications at St. Charles Community College

July 2012

This document provides guidance to members of the SCC community who wish to use applications and services available on the Web, including social networking applications, file storage, and content hosting. These services, which often reside on complex, dynamic networks, are collectively referred to as "cloud computing."

Internet Applications at SCC

Internet application and service providers may require users to consent to their Terms of Service, frequently via a "click-through" agreement, which is a legal contract. Faculty, staff and students are not authorized to enter into legal contracts on behalf of SCC without prior approval, and may not consent to click-through agreements for the purposes of college business. If individuals approve these agreements, they would be personally responsible in any legal actions related to the services.

SCC provides a variety of applications and services that support instructional, administrative and research activities by faculty, staff and students while meeting the college’s guidelines. SCC may have agreements with specific vendors or offer college-hosted solutions that meet your needs.

One of the approved services is the SkyDrive associated with your @my.stchas.edu account. SCC has entered into a contract with Microsoft to provide a limited amount of FERPA compliant storage for each faculty, staff and student account.

Challenges with Cloud Computing

Applications and services that are not purchased or licensed by SCC— including those freely available on the Internet, such as popular social media sites and cloud based storage sites — may not meet college standards for user privacy, security, intellectual property protection, and records retention.

Potential problems with non-college approved applications include:

Intellectual Property and Copyright

Terms of Service from many providers include provisions about who owns intellectual property rights when content is created or uploaded to the application or service that may confuse intellectual property ownership claims.

Note, also, that cloud computing providers may reserve the right to change their Terms of Service at will.

Privacy and Data Security

Security of data uploaded to Internet services is rarely guaranteed. "Free" services frequently depend on data aggregation and data mining about users to attract advertising revenue. The privacy and/or security of that data is then potentially put at risk.

State and federal law mandate protection of sensitive information. Some examples of sensitive data are:

• Student information that is not considered directory information
• All student information for students who have asserted FERPA
• Personally identifiable information that could lead to identity theft or have a negative impact on an individual’s finances (e.g., name, date of birth, social security numbers, credit card numbers, bank account numbers)
• HR/personnel records
• Certain types of intellectual property
• Certain types of research data or information governed by requirements of a specific grant (e.g., unpublished research or data collected as part of a research project)
• Account names (i.e., login credentials) and passwords
• Academic information

Data Availability, Accessibility and Records Retention

All SCC business and educational records are subject to public records law, regardless of where they are stored.

Many providers assume no responsibility for archiving content or ensuring availability, which places the burden on the user to ensure availability.

SCC is committed to ensuring that information, including any materials provided through Internet applications and services, meet reasonable standards of accessibility for all.

SCC requires that instructional, administrative, and research records be retained according to the college’s record retention schedule.

Best Practices for Using Cloud Computing

Sensible practices apply when using any Internet application.

Intellectual Property and Copyright

• Many SCC images and symbols are owned by the college and not freely available for reproduction.
• Remember that students, except in a limited number of circumstances, own their work.
• Ensure that students understand appropriate use of copyrighted materials, particularly when content is publicly available.

Privacy and Data Security

• Never divulge sensitive information regarding the college or its faculty, staff and students on the Internet. Examples include social security numbers, personal financial information, driver's license numbers and school work.
• Comply with FERPA requirements to protect student privacy. Do not place grades or evaluative comments on Internet sites. Never use personally identifying information without explicit permission, unless the college has classified the information to be "public."

Data Availability and Records Retention

• Ensure that all records — whether instructional, administrative, or research — are retained according to the records retention schedule.
• Ensure that applications or services are accessible to all.
• Back up materials regularly to ensure that records are available when needed, as many providers assume no responsibility for data-recovery of content.