

This online version is for convenience; the official version of this policy is housed in the University Secretariat. In case of discrepancy between the online version and the official version held by the Secretariat, the official version shall prevail.

Approving Authority: Board of Governors

Original Approval Date: February 8, 2017

Date of Most Recent Review/Revision: N/A

Office of Accountability: Office of the Chief Information Officer

Administrative Responsibility: Information and Communication Technologies

Purpose

1.01 This policy is presented to provide guidance and assistance to all members of the Wilfrid Laurier University (“Laurier”) community who use or wish to use externally hosted information technology products in the conduct of study, research, teaching and administration. The following guidelines are intended to establish a process whereby members of the Laurier community can use Cloud Computing Services and other External Information Technology without jeopardizing Laurier information and computing resources.

Definitions

2.01 Laurier Information Technology (as defined in Policy 9.1) includes, but is not limited to, any:

a) computing or communication devices and associated peripherals, including desktop computers, laptop computers, mobile, handheld or wearable devices, video and other multimedia devices, classroom technology, fax machines, scanners, copiers, printers, and telephones;

b) computing or communications infrastructure and related equipment, including servers, switches, wired and wireless networks;

c) programs or software, including desktop applications, mobile apps, websites, and online or cloud-computing services;

d) services and accounts including internet and intranet access, email, network storage, and voicemail that is owned, managed, hosted, or provided by Wilfrid Laurier University or a third-party provider on Laurier’s behalf.

2.02 External Information Technology (“External IT”) is technology, and the information it processes, whose physical location is not on Laurier’s premises. Other commonly used terms to describe external technology are “outside”, “outsourced”, “off-premises” (or “off-prem”), or “vendor hosted”.

2.03 Cloud Computing Services is a general term for the delivery of External IT services over the Internet. Many commercially and publicly available cloud services leverage economies of scale to spread out pooled resources in many different locations, often across multiple jurisdictional boundaries.

2.04 Classes of Data (as defined in Policy 3.4)

Open Data: Information that is readily available to any member of the University community or to the general public, either by request or by virtue of its being posted or published by the university through proper administrative procedures. This type of information has no legal restriction on access or usage. It may include personal information collected for the express purpose of public release with the knowledge and consent of the individuals the information is about.
 
Internal Data: Information whose unauthorized release could reasonably be expected to cause minor, short-term harm to individuals or to the University and is intended for only limited dissemination. Internal Data is information that must be guarded due to proprietary, ethical, or privacy considerations, and must be protected from unauthorized access, modification, distribution, storage or other use.
 
Restricted Data: Confidential and controlled information that may only be accessed by limited internal and Authorized Users for University purposes. This type of information is strictly protected by provincial or federal statutes or regulations, University policy, or contractual agreement(s), and must be protected from unauthorized access, modification, distribution, storage, destruction, or use.
 
2.05 A Privacy and Security Impact Assessment (PSIA) is a tool used to identify and mitigate privacy and security risks. 

Jurisdiction/Scope

3.01 This policy applies when external information technology is procured or used at Laurier by employees of the University, or persons or companies contracted by the University.

Policy

4.01 Procurement

Whenever External IT is being considered for institutional procurement and/or use at Laurier, the following provisions shall apply.

a) All reasonable efforts shall be made to secure hosting, where possible, in Canada.

b) Any contract or agreement entered into with a third party to provide External IT to Laurier must conform with applicable provincial and federal laws, including requirements under the Accessibility for Ontarians with Disabilities Act (AODA), this policy, and other Laurier policies, including procurement and tendering guidelines.

c) For all External IT hosting of Internal and Restricted Data, a PSIA must be completed to consider privacy and security risks and to ensure compliance with Policy 9.4 Information Security Policy. In the event that the PSIA identifies risks, ICT, with the assistance of the General Counsel and Privacy Office, will determine if this solution meets the risk threshold of the University and may be used.

4.02 ICT provisioned External IT

Any External IT provisioned by ICT to a member of the Laurier community for the purpose of carrying out university business can be assumed to have met all the provisions outlined in section 4.01 above. Such technology will have been vetted by ICT and Laurier legal counsel for technological and legal appropriateness.

4.03 Use of External IT

Members of the Laurier community may use External IT not provisioned by ICT for Open Data only. Such use comes without any expectation of assistance or technical support from ICT or any designate, unless explicitly agreed to by both parties via a Service Level Agreement (“SLA”) or similar contract. All Internal and Restricted Data must be stored, processed, and shared with an ICT-approved product for this type of data that meets the procurement requirements in section 4.01 and has acceptable terms of use.

Members of the Laurier community should be aware of the following important factors when using External IT that has not been provisioned by ICT:

a) Terms of Service agreements for companies providing such technology can change frequently without notification.

b) Cloud computing services often provide little to no guarantee about residency of a user’s data and as such may be subject to laws of multiple jurisdictions.

c) Little or no notice may be provided about interruptions or disruptions in service.

d) Providers of External IT may not have proper controls in order to provide privacy, security, or preservation of data in the event of a disaster or malicious act.

e) Publishing materials to such sites may constitute a violation of copyright, trademark or other intellectual property laws.

f) Users are responsible to ensure that only Open Data is used. Changes to use that include Internal or Restricted Data will require PSIA review.

FAQs for using External IT are available from ICT.

Related Policies, Procedures and Documents

5.01 Related Policies:

5.02 Related Documents:

  • PSIA Template  
  • FAQs