External Hosting of TU Dublin data
External Hosting of TU Dublin data
When TU Dublin decides to use a third-party organisation or service to process personal data, TU Dublin will remain legally responsible for the security of this data.
When a request is made by staff members to ICT services for the purchase or enabling of a third-party app or service, we need to take into account the sort of personal data we are dealing with, the harm that might result from its misuse, the technology that is available to protect the data and the cost of ensuring appropriate security for the data.
TU Dublin should endeavour to use reputable organisations who offer suitable guarantees as to their ability to ensure the security of personal data.
To assess new systems or services that will store or access personal data, a process has been designed whereby requests to host personal data externally are evaluated and that associate data risks are managed appropriately. These risks will be assessed by the Cloud Service Provider Assessment Group (CSPAG)
What is the Cloud Service Provider Assessment Group?
The Cloud Service Provider Assessment Group (CSPAG) consists of members of ICT services, The Information & Compliance working group, the IT Security Officer, and IT Compliance Officer.
This group is governed by the following policy <link to policy document>
What type of services does this process cover?
The following third-party apps or services should be requested using this process:
- Cloud service provider (CSP) - A cloud service provider is a third-party company offering a cloud-based platform, infrastructure, application, or storage services.
- Software as a Service (SaaS) - Software as a service (or SaaS) is a way of delivering applications over the Internet—as a service. Instead of installing and maintaining software, you simply access it via the Internet
- Third party application or service that integrates with information systems located on premise within TU Dublin.
- Third party application that integrates with data hosted in a private cloud environment managed/owned by TU Dublin (including but not limited to Azure, Office 365, Amazon web services & Google)
- Third party application that requires users to provide personal information directly
How do I request that a third-party app or service is assessed?
If you wish for a third-party app or service to be purchased and/or configured for use within TU Dublin that will be storing or accessing personal data, a request will need to be made on the following Microsoft form:
If applicable, the request will need to be formally approved by your line manager. Once approved, the request will be logged to the Cloud Service Provider Assessment group. At this stage, the requester will receive an email with links to the following documents:
Data Protection Impact Assessment
External Data Hosting Questionnaire
The Data Protection Impact Assessment (DPIA) form will need to be completed by the requester and not the third party. A DPIA aims to identify risks arising out of the processing of personal data and to minimise those risks where possible.
The External Data Hosting Questionnaire will need to be completed by the third-party service provider. This will allow the IT Security Officer and IT Compliance Officer to assess the security posture of the third-party vendor.
Both forms, once completed, should be sent to CSPAG@tudublin.ie
How long will the assessment take?
It is expected that the review process can take from 6-8 weeks to complete. This time frame will begin as soon as all documentation has been received by the CSPAG.
If the third-party service incurs a cost, the requester should wait for the service to be reviewed and officially approved by the CSPAG before raising a PO for the service.
How do I know if I need to use this process?
If there is any possibility that a third-party service will store personal data, whether it be an app that integrates with Office 365, a piece of software that is installed on a device, or a standalone service that requires users to submit personal information), then this process should be followed so that the associated data risks can be managed appropriately.
If you are unsure if a third-party service will be storing such information, the advice would be to complete this process anyway.