16 March 2022
Did you know you may need to fill in a Cloud Assurance Questionnaire (CAQ) and submit it to email@example.com BEFORE commissioning an external (non-LSE) cloud provider to handle personal data?
A CAQ is not just for cloud storage systems. You should also consider completing one if you and your project team want to use a cloud application that would store and process your data. There are many types of cloud computing, but the three most common covered by a a CAQ are SaaS, IaaS, and PaaS.
A CAQ asks questions about the provider's cyber security posture for the Project Team to consider before commissioning. Part A is completed by the Project Team, and Part B by the cloud provider.
- Learn what data they handle, where the data is physically stored, how long the data is kept for, and what the data is used for.
If you are carrying out a research project, please plan ahead. You may need to write a data management plan (DMP), and a CAQ will help you and your project team decide if a non-LSE cloud provider is an appropriate solution for your DMP.
- Remember, you need to inform your research participants how their personal data may be used (for example, transcription apps may use your audio files to improve their voice recognition).
To summarise, always use LSE-provided storage and sharing facilities before considering an external cloud provider. DTS provides full support for OneDrive/SharePoint/Teams and filedrop. But if you think a external (non-LSE) cloud provider is necessary:
- For academic research projects only: Write your DMP and share it with the Data Library, either directly within DMPOnline or by email at firstname.lastname@example.org;
- For research projects & PSS commissioned projects: Complete a CAQ! The project team and the cloud provider need to answer the questions. Please email the completed CAQ to email@example.com who will share feedback about the cloud provider's cyber security posture. You and your team can then decide whether it's appropriate to commission this cloud provider.