Cloud Computing Services Guidelines

for Grand Valley State University March 2010

INTRODUCTION The term ‘cloud computing’ refers to services that are hosted on non-GVSU servers or on the internet and include long term storage services or software applications. These services are simple to use, free and bypass the involvement of GVSU’s Information Technology services.. They typically involve the user committing to some type of service agreement or Terms of Use by clicking an ‘I Accept’ button in order to access the service. Examples of Cloud Computing services include Google Apps, Google Sites, Microsoft Live, and many storage services.

CAUTIONS These services are not always secure in terms of protecting the data for which the university and its employees are liable for protecting. Posting information on one of these sites could violate FERPA, HIPAA, or other privacy protection laws for students and faculty. Other risks of storing data in cloud computing resources include but not limited to:

  • disruptions of service
  • loss of sensitive or confidential data
  • unauthorized access or use of this data by the host service provider or unknown third parties


RULES The university expressly prohibits the use of Cloud Computing services in storing the following types of data unless specific contractual agreements are signed and approved by university legal counsel and information technology:

  • Institutional confidential data (e.g., protected health information, academic records, etc.)
  • Institutional business records
  • Student, faculty and staff intellectual property

Please refer to the GVSU Secure Office Procedures posted on the website under Policies for an explanation of protected data and guidelines that must be followed at GVSU.

GUIDELINES These guidelines are intended to assist individuals in making decisions on appropriate use of cloud computing resources.

GOOGLE APPS In February of 2009, GVSU signed an agreement with Google to use Google Apps Education Edition which includes contractual terms that ensure appropriate use and ownership of GVSU content. However, it is advised that content containing confidential data, intellectual data or university protected records should not be stored within Google applications.

OTHER CLOUD COMPUTING SERVICES The following guidelines should be used to determine whether cloud computing services are appropriate for specific purposes.

Terms of Use Review carefully the stated terms of use for the service provided.. Can the provider change the terms and if so, will the user be notified? Can the provider change the use of the service or stop service at any time? Can the provider change the use of its service and begin charging the user for space? Document and date the answers to these questions before agreeing to the terms..

Rights of Use Do the terms of use state that the content is solely owned by the original user or does the service provider have rights to access and use of the content? Make sure you understand and document and date in your records how your data can be used by others prior to storing sensitive data on any non-GVSU site.

Security Do the terms of use provide an explicit statement that the data is secure, i.e., will not be shared by any other users of the service or the service provider? That the user’s identity cannot be sold? Document in your records the description and date of the security assurance provided by the service provider.

Backups Do the terms of use state that the data is routinely backed up and will be recovered if a hardware failure occurs on the service provider’s end? Consider whether you should have your own backup of the data or rely solely on the copy stored with the service provider.

Indemnity How important is this service to the operation of the University? What if the data was lost, destroyed or stolen? What sort of harm might occur and who potentially would be harmed? Typical terms of use hold the service provider harmless of any damages to the user’s data or access to the data. Is this a risk worth taking to gain access to the desired services?

If you are uncertain if the data you are considering posting is protected data or are unsure about using cloud computing resources, please contact the Director of Information Technology for assistance, 616-331-2035 or and/or the University Legal Counsel Office at 616-331-2067.

Page last modified March 10, 2011