Cloud file storage services such as DropBox and GoogleDrive provide a convenient means of accessing files from anywhere, on any device. Did you know that storage of University information containing personal information on personal cloud-hosted storage can contravene the Commonwealth Privacy Act?
Personal accounts with cloud-hosted storage providers put University information outside of the scope and control of our information security protection measures. This exposes us to an increased risk of:
- Intellectual property theft
- Breaches of the Privacy Act
- Data loss (as not all providers allow deleted file recovery)
US based cloud services are also subject to the US Patriot Act and as such, providers are required to grant access to your stored data if requested by the US Government. This is also true of other jurisdictions that have differing legislation to Australia that could have security and copyright implications for overseas cloud storage. There are also other implications if copies of files that infringe copyright are uploaded, therefore content should be checked especially when sharing with others.
Information Technology Services recognise the importance of information sharing and collaboration throughout the University, and are actively working on evaluating a supported University cloud file storage platform to further improve the accessibility and security of University files. This platform is also being evaluated with the full support of University Records and Archives. More information will be provided in late 2015.
Until then, documents and files containing personal information including names, addresses and/or medical information should be stored either in the University’s Records Management System or on the central file server, as both are protected and backups are taken that allow recovery of files.
Cloud-based storage of working documents such as PowerPoint slides, word documents and other curriculum information is permitted as long as such documents do not include personal information. Exceptions to this practice require approval, as defined by the University’s Information Classification Framework located on the ITS Security website.
If further information is required, staff are asked to review the advice on the ITS Security website or contact the Information Technology Services Service Desk via firstname.lastname@example.org or (08) 8201 2345.