External Hosting of TU Dublin data

When TU Dublin uses a third-party organisation or external data hosting service to process personal data, we are legally responsible for the security of this data. To assess new or existing systems or services that will store or access personal data, a process has been designed whereby requests to host personal data externally are evaluated by the Cloud Service Provider Assessment Group (CSPAG), so that data risks are identified and managed appropriately. This ensures compliance with Chapter 4.4 of the TU Dublin Data Protection Policy.

What type of services does this process cover?

In relation to this process, third party or external hosting can relate to data being stored or processed by the following:

For the purposes of this request process, all of the above will be referred to as a Cloud Service Provider (CSP).

Examples of a CSP include, but are not limited to, the following:

Why should I engage in this process?

We need to consider the type of personal data that is being processed, the harm that might result from its misuse, the technology that is available to protect the data and the cost of ensuring appropriate security for the data.

Chapter 3.9 of the University Data Protection Policy states that, “Each School and Function shall ensure Personal Data security through appropriate physical, technical and organisational measures. These security measures should be in keeping with standards appropriate to the University sector and prevent: Alteration, Loss, Damage, Unauthorised processing, Unauthorised access”

TU Dublin endeavours to use third-party organisations or external data hosting services who offer appropriate technical and organisational measures to ensure the security of personal data.

Completing this process ensures the following:

How do I know if I need to make a submission under the CSP request process?

If a third-party organisation or external data hosting service will process personal data, then you must engage with the CSP request process.

Data Processing “means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

If you are unsure whether a third-party service will be processing personal data, you should engage with the CSP request process.

How do I request that a third-party app or external data hosting service be assessed?

If you wish a third-party app or external data hosting service that will process personal data to be purchased and/or configured for use within TU Dublin, a request should be made using the following Microsoft form:

https://forms.office.com/pages/responsepage.aspx?id=yxdjdkjpX06M7Nq8ji_V2jQbTFC3jM1Bs6ZN8L7QZUxURVhTQkdFSjNXUElIMlUyMlkyUkNONFBZRy4u

Your line manager/budget holder should formally approve all requests. The Cloud Service Provider Assessment Group will then log the approved request.

The requester will then receive an email with links to the External Data Hosting Questionnaire and the Data Protection Impact Assessment form. The completed documents should be returned to CSPAG@tudublin.ie.

External Data Hosting Questionnaire

The third-party service provider must complete the External Data Hosting Questionnaire. This allows the IT Security Officer and IT Compliance Officer to assess the security of the Cloud Service Provider.

https://www.tudublin.ie/media/intranet/ict-/External-Data-Hosting-Questionnaire-v1.3.docx

Data Protection Impact Assessment (DPIA)

The requester, and not the third party, must complete the DPIA. A DPIA aims to identify risks arising out of the processing of personal data and to minimise those risks where possible.

https://www.tudublin.ie/explore/gdpr/data-protection-impact-assessment/

How long will the assessment take?

The review process may take 6-8 weeks to complete, commencing once all documentation has been received by the CSPAG.

Next Steps

Once all documentation has been received by the CSPAG, the following will happen:

Please note: members of the CSPAG may need to contact the requester throughout this process to seek additional information from them directly or from the cloud service provider. It is the responsibility of the requester to obtain this information from the cloud service provider when requested.

Once the review has been completed, the requester will receive an email from the CSPAG stating whether the application has been approved or rejected.

Once the requester receives this email, it is their responsibility to contact IT Support and/or IT Infrastructure to ensure resources can be assigned to set up the cloud service provider.

If the third-party service incurs a cost, the requester should not raise a PO until the service has been approved as Safe and Compliant by the CSPAG and IT Services and/or IT Infrastructure have confirmed that the service can be implemented.

Suggested IT Governance