Using external Cloud Services

Unless confirmed otherwise, any data uploaded to an external cloud provider is stored in a data center that may be located anywhere in the world. This conflicts with the ETH compliance regulations, which set out stipulations for different classes of data. A further aspect of using external cloud providers is that it creates a direct dependency on the provider, which may lead to a loss of control over the data on your side (the data owner's side).

When using Cloud Services, note the following:

  1. Be aware that you are working in a Cloud environment.
  2. This implies an increased risk for the information you handle through the Cloud system (writing or annotating, sharing, sending or receiving documents).

To safeguard ETH Zurich’s pool of information against the loss of confidentiality, integrity and availability, the following rules apply:

  • Information classified or declared “confidential” is not allowed in Cloud Services.
  • If you violate this rule, you and/or the information owner are held responsible (depending on the individual facts of the violation).
  • If you are not sure about classification and confidentiality, ask the information owner.
  • The information owner is responsible for classifying information properly (Art. 21 of the Directive on “Information Security at ETH Zurich” dated 9 April 2018). Special attention shall be paid to maintaining privacy and intellectual property rights. That means:
      • If you use (upload, annotate, or share in a Cloud Service) information that someone else has created, follow their instructions. If unclear, ask them for the classification status.
      • If you create new information yourself (e.g. you write a document), you decide on its sensitivity.
      • If you classify it as “confidential”, keep it out of the Cloud.

As a guideline, information usually classified “confidential” includes:

  • research data subject to contractual confidentiality with third parties
  • research findings before publication
  • important ETH Zurich business data (e.g. financial data, lawsuits, expert opinions) 
  • sensitive personal data (health data, qualification reports, HR files) 
  • evaluation reports in the recruitment/appointment process (for employments or professorships)

ETH Zurich must retain access to and control over confidential data at all times. If you are the information owner, we suggest you carry out a risk assessment. Answer the question “How would data loss affect me, my research group and ETH Zurich?”

The use of cloud and social media services in research, for exchange with researchers at other universities, or in teaching for exchange with students (lecture folders, etc.) is permitted as long as no confidential ETH Zurich data are affected and no third-party rights, in particular privacy or intellectual property rights, are infringed.

The reasons for the rules set out above are, in general:

  • The tight dependence on the Cloud provider and its service.
  • Availability, safety, security and quality of service depend on the Cloud provider.
  • The risk of data loss, or of loss of control over the data, lies with the Cloud provider.
  • Terms and conditions and data protection regulations are often inconsistent or do not comply with ETH Zurich (Swiss) standards. Cloud providers often use subcontracted cloud providers to perform their service, which leads to contradictory terms and open questions.
  • In their terms, Cloud providers often disclaim liability for data damage or loss.
  • Even data encryption offers only limited protection: it does not protect availability, and if the provider holds the keys it does not protect confidentiality against the provider either.
  • If the Cloud provider is acquired by another company or ends its service, getting your data back is an issue.
  • Cloud providers can be obliged to disclose information stored on their servers to authorities (especially in the United States).
  • Industrial espionage is a reality, and cloud services are a target for such activities.


Further information

Compliance Guide 

Leaflet on Cloud Computing

Guidelines for Research Integrity and Good Scientific Practice at the ETH Zurich 

Consulting

If you are unsure about your use case and whether your data can be stored and processed with external cloud services, please do not hesitate to contact us. We can help you clarify your individual use case and, if needed, involve our legal department.