Cloud Storage Guidelines to Educational and Sensitive Data
WWU-provided cloud services from Microsoft (e.g., SharePoint, Teams, OneDrive) are appropriate for most communication and collaboration; however, care must be taken in setting sharing permissions before you store information on a cloud service.
Types of data requiring special attention before sharing on a cloud service:
- Personal information (e.g., social security numbers, dates of birth, student records, and financial aid data).
- Proprietary information (e.g., College financial data and donor information).
- Regulated information, the disclosure of which is subject to regulatory compliance (including FERPA, GLBA, HIPAA, etc.).
Sharing of documents with internal and external collaborators is possible, but caution should be exercised when doing so. Make sure you understand the sharing mechanisms available before sharing files or folders with anyone – and set up reminders to periodically review any sharing permissions you have setup. You are encouraged to contact an IT specialist if you have any questions relating to setting permissions or would like any assistance
Sensitive information should not be stored on office computers, removable storage devices, or non-Microsoft cloud services like G Suite and DropBox. If a computer must be used to store sensitive information, it must be in a secure location, and each individual authorized to use the computer should have a unique username and adhere to ITS password requirements. Sensitive information should not be stored on a laptop or mobile device unless absolutely necessary (and that device is both password-protected and encrypted).
WWU OneDrive for Business
WWU provides online storage and collaboration options to all WWU students, faculty, and staff. OneDrive for Business provides a secure cloud storage resource for University data. While WWU-local computing resources are preferred mechanisms for storing sensitive data – WWU has specific agreements with Microsoft that allow FERPA- and HIPAA-protected data to be managed within OneDrive for Business when internal business process warrant. Other services such as Office 365 Exchange and SharePoint Online are also covered by the WWU agreement and may also be acceptable for sensitive information. Sharing of documents with internal and external collaborators is possible, but caution should be exercised when doing so. Please note: One Drive for Business is different from the individual consumer version of OneDrive, which does not meet the security requirements for WWU data storage.
WWU Google Workspace
WWU offers authentication to the Google Workspace (formerly GSuite) environment with your WWU credentials (firstname.lastname@example.org). This is an additional option for those that choose to use it, however WWU does not have a specific agreement in place for this storage option to meet HIPAA-protection requirements. While Google is contractually and legally responsible to protect FERPA data, WWU advises the use of Microsoft SharePoint, Teams, or OneDrive for any sensitive data storage or transfer.
WWU’s ability to support Google Workspace is not backed by a support contract with Google, and will amount to “best effort” in many cases. Data loss is a potential risk and WWU does not have a support contract guaranteeing the safety of data stored in Google Workspace's Google Drive for any time after deletion, unlike our ability to recover data from OneDrive deleted accidentally or erroneously.
Again, the sharing of documents with both internal and external collaborators is possible, but caution should be exercised when doing so.
WWU offers many other applications and services that are cloud-based: Canvas, eProcurement, PageUp, etc. These examples are specific tools that enable certain activities within their academic or business processes. These services differ considerably from general file storage solutions like OneDrive for Business and Google Drive – in that the ability to extend sharing permissions are quite different. These services present much lower risk to institutional data.