External Hosting of TU Dublin data
When TU Dublin uses a third-party organisation or external data hosting service to process personal data, we remain legally responsible for the security of that data. To assess new or existing systems or services that will store or access personal data, a process has been designed whereby requests to host personal data externally are evaluated by the Cloud Service Provider Assessment Group (CSPAG), so that data risks are identified and managed appropriately. This ensures compliance with Chapter 4.4 of the TU Dublin Data Protection Policy.
What type of services does this process cover?
In relation to this process, third-party or external hosting covers data being stored or processed by any of the following:
- Cloud service provider (CSP) - A cloud service provider is a third-party company offering a cloud-based platform, infrastructure, application, or storage services.
- Software as a Service (SaaS) - Software as a service is a way of delivering applications over the Internet, as a service. Instead of installing and maintaining software, you simply access it via the Internet.
- Third-party application or service that integrates with information systems located on premises within TU Dublin.
- Third-party application that integrates with data hosted in a cloud environment managed or owned by TU Dublin (including but not limited to Azure, Office 365, Amazon Web Services and Google).
- Third-party application that requires users to provide personal data directly.
For the purposes of this request process, all of the above will be referred to as a Cloud Service Provider (CSP).
Examples of a CSP include, but are not limited to the following:
- VLEs (Brightspace, Moodle)
- Adobe
- Polling apps (Vevox, Padlet)
- Storage services
- Social media platforms
Why should I engage in this process?
We need to consider the type of personal data being processed, the harm that might result from its misuse, the technology available to protect the data, and the cost of ensuring appropriate security for the data.
Chapter 3.9 of the University Data Protection Policy states that "Each School and Function shall ensure Personal Data security through appropriate physical, technical and organisational measures. These security measures should be in keeping with standards appropriate to the University sector and prevent: Alteration, Loss, Damage, Unauthorised processing, Unauthorised access".
TU Dublin endeavours to use third-party organisations or external data hosting services that offer appropriate technical and organisational measures to ensure the security of personal data.
Completing this process ensures the following:
- A Data Protection Impact Assessment (DPIA) has been reviewed and approved by the compliance working group. This identifies the risks arising from the processing of personal data and minimises those risks where possible.
- The External Data Hosting Questionnaire is reviewed by the IT Security Officer and IT Compliance Officer to assess the security of the Cloud Service Provider.
- Any support and/or infrastructure requirements are outlined and agreed prior to the purchase and/or deployment of the service.
- Where applicable, it provides assurance to the budget holder that all of the above have been considered prior to raising a purchase order.
How do I know if I need to make a submission under the CSP request process?
If a third-party organisation or external data hosting service will process personal data, then you must engage with the CSP request process.
Data processing "means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction."
If you are unsure whether a third-party service will be processing personal data, you should engage with the CSP request process.
How do I request that a third-party app or external data hosting service be assessed?
If you wish a third-party app or external data hosting service that will process personal data to be purchased and/or configured for use within TU Dublin, a request should be made using the following Microsoft form:
Your line manager/budget holder should formally approve all requests. The Cloud Service Provider Assessment Group will then log the approved request.
The requester will then receive an email with links to the External Data Hosting Questionnaire and the Data Protection Impact Assessment form. The completed documents should be returned to CSPAG@tudublin.ie.
External Data Hosting Questionnaire
The third-party service provider must complete the External Data Hosting Questionnaire. This allows the IT Security Officer and IT Compliance Officer to assess the security of the Cloud Service Provider.
https://www.tudublin.ie/media/intranet/ict-/External-Data-Hosting-Questionnaire-v1.3.docx
Data Protection Impact Assessment (DPIA)
The requester, not the third party, must complete the DPIA. A DPIA aims to identify the risks arising from the processing of personal data and to minimise those risks where possible.
https://www.tudublin.ie/explore/gdpr/data-protection-impact-assessment/
How long will the assessment take?
The review process may take 6-8 weeks to complete, commencing once all documentation has been received by the CSPAG.
Next Steps
Once all documentation has been received by the CSPAG, the following will happen:
- The External Data Hosting Questionnaire, along with any additional documentation, will be reviewed to ensure that the cloud service provider has acceptable IT security and data privacy policies and procedures in place to minimise the risk of loss or exposure of TU Dublin personal data.
- The DPIA will be reviewed to ensure that TU Dublin is compliant with data protection law.
- Members of IT Support and IT Infrastructure will be consulted to ensure there are no additional concerns with the requested cloud service provider.
Please note: members of the CSPAG may need to contact the requester during this process to seek additional information, either from the requester directly or from the cloud service provider. It is the responsibility of the requester to obtain this information from the cloud service provider when requested.
Once the review has been completed, the requester will receive an email from the CSPAG stating whether the application has been approved or rejected.
Once the requester receives this email, it is their responsibility to contact IT Support and/or IT Infrastructure to ensure resources can be assigned to set up the cloud service provider.
If the third-party service incurs a cost, the requester should not raise a PO until the service has been approved as Safe and Compliant by the CSPAG and the IT Services Officer and/or IT Infrastructure have confirmed that the service can be implemented.