We use cookies on this site to enhance your experience.
By selecting “Accept” and continuing to use this website, you consent to the use of cookies.
9.5 External Information Technology and Cloud Services
This online version is for convenience; the official version of this policy is housed in the University Secretariat. In case of discrepancy between the online version and the official version held by the Secretariat, the official version shall prevail.
Approving Authority: Board of Governors
Original Approval Date: February 8, 2017
Date of Most Recent Review/Revision: February 10, 2022
Office of Accountability: Office of the Chief Information Officer
Administrative Responsibility: Information and Communication Technologies (ICT)
1.00 Purpose
1.01 This policy is presented to provide guidance and assistance to all Members of the Wilfrid Laurier University (“Laurier”) Community who use or wish to use externally hosted Information Technology products in the conduct of study, research, teaching and administration. The following guidelines are intended to establish a process whereby Members of the University Community can use Cloud Computing Services and other External Information Technology without jeopardizing Laurier information and computing resources.
2.00 Definitions
2.01 Information Technology: Information Technology (IT) refers to the totality of technologies that are acquired or developed for campus use in the creation, processing, accessing and distribution of information. It includes computers, computer software, audio-visual media, communications devices, scanners and printers, and web technologies.
2.02 Laurier Information Technology: includes, but is not limited to, any:
a) computing or communication devices and associated peripherals, including desktop computers, laptop computers, mobile, handheld or wearable devices, video and other multimedia devices, classroom technology, fax machines, scanners, copiers, printers, and telephones;
b) computing or communications infrastructure and related equipment, including servers, switches, wired and wireless networks;
c) programs or software, including desktop applications, mobile apps, websites, and online or cloud-computing services;
d) services and accounts including internet and intranet access, email, network storage, and voicemail that is owned, managed, hosted, or provided by Wilfrid Laurier University or a third-party provider on Laurier’s behalf.
2.03 External Information Technology (“External IT”): is technology, and the information it processes, whose physical location is not on Laurier’s premises. Other commonly used terms to describe external technology are “outside”, “outsourced”, “off-premises” (or “off-prem”), or “vendor hosted”.
2.03 Cloud Computing Services: is a general term for the delivery of External IT services over the Internet. Many commercially and publicly available cloud services leverage economies of scale to spread out pooled resources in many different locations, often across multiple jurisdictional boundaries.
2.05 Classes of Data
Open Data (Type 1): Information that is readily available to any member of the University community or to the general public, either by request or by virtue of its being posted or published by the university through proper administrative procedures. This type of information has no legal restriction on access or usage. It may include personal information collected for the express purpose of public release with the knowledge and consent of the individuals the information is about.
Internal Data (Type 2): Information whose unauthorized release could reasonably be expected to cause minor, short-term harm to individuals or to the University and is intended for only limited dissemination. Internal Data is information that must be guarded due to proprietary, ethical, or privacy considerations, and must be protected from unauthorized access, modification, distribution, storage or other use.
Restricted Data (Type 3): Confidential and controlled information that may only be accessed by limited internal and Authorized Users for University purposes. This type of information is strictly protected by provincial or federal statutes or regulations, University policy, or contractual agreement(s), and must be protected from unauthorized access, modification, distribution, storage, destruction, or use.
2.06 Privacy and Security Impact Assessment (PSIA): a process used to identify and mitigate privacy and security risks associated with storing and/or processing Laurier information in a cloud-based solution. A PSIA template is utilized to conduct a thorough assessment of the use of cloud services and to apply due diligence in protecting the University’s information.
2.07 Member(s) of the University Community: persons who currently work or study (in person or online) on any Laurier campus. Members include Students (including student groups), Employees, adjunct and visiting faculty, and volunteers at Laurier.
3.00 Jurisdiction/Scope
3.01 This policy applies when External Information Technology is procured or used at Laurier by Members of the University Community, or persons or companies contracted by the University.
4.00 Policy
4.01 Procurement
4.01.01 Whenever External Information Technology is being considered for institutional procurement and/or use at Laurier, the following provisions shall apply.
a. All reasonable efforts shall be made to secure hosting, where possible, in Canada.
b. Any contract or agreement entered into with a third party to provide External IT to Laurier must conform with applicable laws, including requirements under the Accessibility for Ontarians with Disabilities Act (AODA), all applicable Laurier policies, including this policy, policy 5.7 Signing Authority and procedures, and, procurement and tendering guidelines.
c. For all External IT hosting of Internal and Restricted Data, a PSIA must be completed as part of an assessment of privacy and security risks and to ensure compliance with Policy 9.4 Information Security Policy . In the event that the PSIA identifies significant risk, the ICT CIO and the General Counsel and Privacy Officer (or their designate) will review the identified risks with the solution and determine if mitigation strategies are available to allow the solution to be used in a way that meets the University’s risk threshold for use. Approval of the IT solution also includes implementation of all required risk mitigation strategies.
4.02 ICT provisioned External IT
4.02.01 Any External IT provisioned by ICT to a member of the Laurier community for the purpose of carrying out university business can be assumed to have met all the provisions outlined in section 4.01 above. Such technology will have been vetted by ICT and Laurier legal counsel for technological and legal appropriateness.
4.03 Use of External IT
4.03.01 Members of the University Community may use External IT not provisioned by ICT for Open Data only. Such use comes without any expectation of assistance or technical support from ICT or any designate, unless explicitly agreed to by both parties via a Service Level Agreement (“SLA”) or similar contract. All Internal and Restricted Data must be stored, processed, and shared with an ICT approved product for this type of data that meets the procurement requirements in section 4.01 and has acceptable terms of use.
4.03.02 Members of the University Community should be aware of the following important factors when using External IT that has not been provisioned by ICT:
a. Terms of Service agreements for companies providing such technology can change frequently without notification.
b. Cloud computing services often provide little to no guarantee about residency of a user’s data and as such may be subject to laws of multiple jurisdictions.
c. Little or no notice may be provided about interruptions or disruptions in service.
d. Providers of External IT may not have proper controls in order to provide privacy, security, or preservation of data in the event of a disaster or malicious act.
e. Publishing materials to such sites may constitute a violation of copyright, trademark or other intellectual property laws.
f. Users are responsible to ensure that only Open Data is used. Changes to use that include Internal or Restricted Data will require PSIA review.
Related Policies, Procedures and Documents
Related Policies:
- 9.1 Use of Information Technology
- 9.4 Information Security Policy Statement
- 10.1 Information Availability and Privacy Protection
- 10.4 Records Management
Related Documents: