External Hosting of Personal Data
From time to time, you may wish to avail of the services of an external hosting solution. If this involves personal data (e.g. staff and student data), UCC is still responsible, from a legal perspective, when it is hosted externally. As such, the External Hosting Policy applies (see Externally Hosted Personal Data Policy (91kB) ) and is designed to provide a process whereby requests to host personal data externally are evaluated and that associate data risks are managed appropriately. The process is described below.
This is a two stage process:
- The process will begin with a request to IT Services (contact Mr. Jerry Buckley, Head of Enterprise Applications at firstname.lastname@example.org) who will carry out a brief exploration with OCLA (and, if required, the data owner) to get an overview of:
- the data to be hosted externally,
- the proposed service provider, and
- standard contracts.
The purpose of this is to anticipate any barriers to approval by the Third Party Hosting Group and either mitigate these, or, as is more likely, look to contractual arrangements to remove or limit UCC’s liability under Data protection.
- The second stage will either be:
- A submission to the Third Party Hosting Group, or
- Liaison with OCLA re contractual arrangements.
1) The request will consist of the request form, technical questionnaire, and information about the service provider all consolidated into a single document
2) A copy of any contracts, order forms, etc. that require UCC signatures must accompany the request
3) Decision boxes with Y/N represent outcomes that can be pre-determined by the requestor. It is expected that the pre-screening will ensure positive outcomes.
4) Decision boxes with OK? represent outcomes based on technical, business and legal review and will be decided by the Third Party Hosting Group. Sufficient Information must be provided to enable the Third Party Hosting Group to carry out a reasonable assessment.
5) The technical prerequisites are:
- Service Provider must have an IT Security Policy (url to be provided)
- Service Provider must be amenable to a Third Party Technical Audit if requested
6) Data Owners are defined as:
- The Registrar – for data student data
- The Director of HR for staff data
- Heads of Department/Office where the system is solely used by that department or office and no data is extracted or gleaned from central systems
7) The final decision rests with the Corporate Secretary.
Summary: A service to ensure the safekeeping of UCC personal data when it is hosted externally.
Primary users of this service: Staff, Researchers
Who to contact to use this service: Mr Jerry Buckley | E: email@example.com | T: +353 (0)21 490 2489 | IT Services |
Contact to discuss this service: IT Services |
Strategic Focus: Business Systems