This online version is for convenience; the official version of this policy is housed in the University Secretariat. In case of discrepancy between the online version and the official version held by the Secretariat, the official version shall prevail.
Approving Authority: Board of Governors
Original Approval Date: February 8, 2017
Date of Most Recent Review/Revision: N/A
Office of Accountability: Office of the Chief Information Officer
Administrative Responsibility: Information and Communication Technologies
1.01 This policy is presented to provide guidance and assistance to all members of the Wilfrid Laurier University (“Laurier”) community who use or wish to use externally hosted information technology products in the conduct of study, research, teaching and administration. The following guidelines are intended to establish a process whereby members of the Laurier community can use Cloud Computing Services and other External Information Technology without jeopardizing Laurier information and computing resources.
2.01 Laurier Information Technology (as defined in Policy 9.1) includes, but is not limited to, any:
a) computing or communication devices and associated peripherals, including desktop computers, laptop computers, mobile, handheld or wearable devices, video and other multimedia devices, classroom technology, fax machines, scanners, copiers, printers, and telephones;
b) computing or communications infrastructure and related equipment, including servers, switches, wired and wireless networks;
c) programs or software, including desktop applications, mobile apps, websites, and online or cloud-computing services;
d) services and accounts including internet and intranet access, email, network storage, and voicemail that is owned, managed, hosted, or provided by Wilfrid Laurier University or a third-party provider on Laurier’s behalf.
2.02 External Information Technology (“External IT”) is technology, and the information it processes, whose physical location is not on Laurier’s premises. Other commonly used terms to describe external technology are “outside”, “outsourced”, “off-premises” (or “off-prem”), or “vendor hosted”.
2.03 Cloud Computing Services is a general term for the delivery of External IT services over the Internet. Many commercially and publicly available cloud services leverage economies of scale to spread out pooled resources in many different locations, often across multiple jurisdictional boundaries.
Open Data: Information that is readily available to any member of the University community or to the general public, either by request or by virtue of its being posted or published by the university through proper administrative procedures. This type of information has no legal restriction on access or usage. It may include personal information collected for the express purpose of public release with the knowledge and consent of the individuals the information is about.
Internal Data: Information whose unauthorized release could reasonably be expected to cause minor, short-term harm to individuals or to the University and is intended for only limited dissemination. Internal Data is information that must be guarded due to proprietary, ethical, or privacy considerations, and must be protected from unauthorized access, modification, distribution, storage or other use.
Restricted Data: Confidential and controlled information that may only be accessed by limited internal and Authorized Users for University purposes. This type of information is strictly protected by provincial or federal statutes or regulations, University policy, or contractual agreement(s), and must be protected from unauthorized access, modification, distribution, storage, destruction, or use.
2.05 A Privacy and Security Impact Assessment (PSIA) is a tool used to identify and mitigate privacy and security risks.
3.01 This policy applies when external information technology is procured or used at Laurier by employees of the University, or persons or companies contracted by the University.
Whenever External IT is being considered for institutional procurement and/or use at Laurier, the following provisions shall apply.
a) All reasonable efforts shall be made to secure hosting, where possible, in Canada.
b) Any contract or agreement entered into with a third party to provide External IT to Laurier must conform with applicable provincial and federal laws, including requirements under the Accessibility for Ontarians with Disabilities Act (AODA), this policy, and other Laurier policies, including procurement and tendering guidelines.
c) For all External IT hosting of Internal and Restricted Data, a PSIA must be completed to consider privacy and security risks and to ensure compliance with Policy 9.4 Information Security Policy. In the event that the PSIA identifies risks, ICT, with the assistance of the General Counsel and Privacy Office, will determine if this solution meets the risk threshold of the University and may be used.
Any External IT provisioned by ICT to a member of the Laurier community for the purpose of carrying out university business can be assumed to have met all the provisions outlined in section 4.01 above. Such technology will have been vetted by ICT and Laurier legal counsel for technological and legal appropriateness.
Members of the Laurier community should be aware of the following important factors when using External IT that has not been provisioned by ICT:
a) Terms of Service agreements for companies providing such technology can change frequently without notification.
b) Cloud computing services often provide little to no guarantee about residency of a user’s data and as such may be subject to laws of multiple jurisdictions.
c) Little or no notice may be provided about interruptions or disruptions in service.
d) Providers of External IT may not have proper controls in order to provide privacy, security, or preservation of data in the event of a disaster or malicious act.
e) Publishing materials to such sites may constitute a violation of copyright, trademark or other intellectual property laws.
f) Users are responsible to ensure that only Open Data is used. Changes to use that include Internal or Restricted Data will require PSIA review.
FAQs for using External IT are available from ICT.
5.01 Related Policies:
5.02 Related Documents: