Choosing a Cloud-Based Application
Per WAC 434-615-020, offices and departments at the UW can use cloud applications to store university records provided that the records are managed properly. Managing records properly includes the ability to respond to audits, public records requests, and litigation, retain records for their full retention period, and delete records at the end of their retention period. Storing records with an outside vendor does not absolve the University from responsibility for proper retention and treatment of its records.
UW Records Management Services created this resource to help offices and departments who are implementing cloud-based applications to establish best practices around the following matters.
For help answering these questions, please contact us at 543-0573 or firstname.lastname@example.org. One of our staff can meet with you to go over these issues.
Cloud-based applications provide several unique and efficient solutions for modern offices. These include:
File storage and sharing applications which store files that you have created outside of the cloud so that the documents can be accessed by you and/or others via the internet. Examples (of varying suitability) include OneDrive, Google Shared Drive, Box, Dropbox, etc.
Productivity tools that allow you to create unique types of records and store them within the application itself. Examples of these include Trello, Slack, Jira, SurveyMonkey, Eventbrite, Facebook, Twitter, as well as a whole host of others.
Software as a Service (SAAS) databases and other structured content systems which store their information in the cloud. Examples include Salesforce, Airtable, Freshdesk, Workday, etc.
Depending on the type of cloud application you're looking at and the kinds of data you intent to place in it, below are some of the issues you'll need to address before committing yourself to a particular offering.
- What kind of information is the application going to contain?
- Business actions/decisions?
- Delegations or approvals?
- Communication with or information gathered from students or people outside the UW?
- Files documenting official University business?
- How long does the retention schedule specify such information needs to be kept?
Are you planning to scan and upload paper records? If so, your office must have an approved scanning policy before you can destroy the original paper documents.
Does deleting actually purge information from their servers or does it simply hide or “archive” the information? (Hiding data does not make the University any less responsible for it.)
Does the service provider have backups for their own use in case of lost data? Does the UW have access to those backups in case of lost or mistakenly deleted data or are they only for the provider’s disaster recovery purposes?
- Who will be responsible for:
- Updating and maintaining accounts/permissions?
- Implementing an annual cleanup and deleting records at the end of their retention period?
- Facilitating the preservation of records of departing employees?
- How are records organized? Will you be able to search to locate records? Will you be able to identify records that are past retention and eligible for deletion?
- Does the system let you retrieve information? How quickly could you produce records stored in the application in the event of an audit, public records request, or litigation?
Privacy & Security
- What are the privacy and security requirements for the information? Does the service provider meet those requirements? For example, Google Drive has some restrictions on use for classified research and student records and is not acceptable for records containing healthcare and/or credit card information. For more information, please contact the UW Privacy Office.
- Does it allow you to delete information? How will you delete information? Manually? Using a query/search criteria? By configuring automated retention? Can you suspend automated retention for records subject to an audit, public records request, or legal hold?
- How are user accounts created? Can they be managed centrally within the UW department or does each user manage their own account?
- Is staff turnover likely to cause problems accessing/managing the application? Is it tied to an individual’s email address or UW NetID credentials? Can a departmental or shared UW NetID be used to prevent control from being lost when an individual leaves the department?
- How are you planning to inform your users of their responsibilities? Are there other office policies or procedures that will be impacted by implementing this new cloud application?
Has all of the above information been reviewed by your department head? Have you received their approval to use this cloud application?
For cloud applications where a contract between the University and the cloud service provider needs to be negotiated, in addition to the above questions, the following requirements must also be addressed
- You must go through UW Procurement Services when seeking out and negotiating the contract.
- The University must retain ownership of data and the service provider will only use the stored information for purposes necessary to and consistent with providing the contracted services.
- All information must be returned to the University’s custody in the event of contract dispute or termination, as well as the deletion of any back-ups and other copies retained by the service provider.
- If you have records covered by regulations such as HIPAA or FERPA, you will be required to have privacy agreements (e.g.., BAA, PDPA, DSPA, etc.) in place with the service provider. For more information on these types of agreements, please contact the UW Privacy Office.
- For all UW Medicine records, you must have a BAA and DSA in place with the service provider. For more information, refer to the UW Medicine IT Services page on Cloud Computing.
- The service provider must notify the UW in the event of an information security breach or other release of University information or any other incident which potentially threatens the security, integrity or availability of the stored records.
- The terms of the agreement should not require the University to indemnify the service provider against legal responsibility for their actions.
Please note, cloud services are covered by the same rules regarding appropriate use that govern all other computing resources. For more information, refer to the UW’s Appropriate Use Guidelines.