External Hosting of Personal Data

About the External Hosting of Personal Data Service

From time to time, you may wish to avail of the services of an external hosting solution. If this involves personal data (e.g. staff and student data), UCC remains legally responsible for that data when it is hosted externally. As such, the External Hosting Policy applies (see Externally Hosted Personal Data Policy). The policy is designed to provide a process whereby requests to host personal data externally are evaluated and the associated data risks are managed appropriately. The process is described below.

Please make sure you read the Externally Hosted Personal Data Policy. Following that, you should familiarize yourself with the External Hosting Service Questionnaire.

Approval Process

This is a two-stage process:

  1. The process will begin with a request to IT Services (contact Barry Foley at b.foley@ucc.ie), who will carry out a brief exploration with OCLA (and, if required, the data owner) to get an overview of:
    1. the data to be hosted externally,
    2. the proposed service provider, and
    3. standard contracts.

The purpose of this is to anticipate any barriers to approval by the Third Party Hosting Group and either mitigate these, or, as is more likely, look to contractual arrangements to remove or limit UCC’s liability under Data protection.

  2. The second stage will be either:
    1. A submission to the Third Party Hosting Group, or
    2. Liaison with OCLA re contractual arrangements.

Approval Process - Stage 1

External Hosting Approval Process Stage 1

Approval Process - Stage 2

External Hosting Approval Process Stage 2

Notes:

1) The request will consist of the request form, technical questionnaire, and information about the service provider, all consolidated into a single document.

2) A copy of any contracts, order forms, etc. that require UCC signatures must accompany the request.

3) Decision boxes with Y/N represent outcomes that can be pre-determined by the requestor. It is expected that the pre-screening will ensure positive outcomes.

4) Decision boxes with OK? represent outcomes based on technical, business and legal review and will be decided by the Third Party Hosting Group. Sufficient information must be provided to enable the Third Party Hosting Group to carry out a reasonable assessment.

5) The technical prerequisites are:

  1. Service Provider must have an IT Security Policy (URL to be provided)
  2. Service Provider must have a Data Privacy Policy (URL to be provided)
  3. Service Provider must be amenable to a Third Party Technical Audit if requested

6) Data Owners are defined as:

  1. The Registrar – for student data
  2. The Director of HR – for staff data
  3. Heads of Department/Office – where the system is solely used by that department or office and no data is extracted or gleaned from central systems

7) The final decision rests with the Corporate Secretary.

Relevant Documentation

These forms apply at Stage 2 of the process. Please contact IT Services (Mr Barry Foley, IT Security Officer, at b.foley@ucc.ie or phone x 3968) for advice before completing any forms.

Summary: A service to ensure the safekeeping of UCC personal data when it is hosted externally.

Primary users of this service: Staff, Researchers

Who to contact to use this service: Barry Foley | E: b.foley@ucc.ie | IT Services

Contact to discuss this service: IT Services

Strategic Focus: Business Systems

Service Webpage

IT Services Department

Seirbhísí TF

Room 3.34, 3rd floor, T12 YN60
