Lehigh University Cloud Computing Policy (ACIS Policy #11)
Revision effective date: April 5, 2013
Statement of Policy
Institutional or Proprietary Data and any Confidential Data entrusted to the University shall not reside within any cloud computing environment unless Lehigh University has entered into a legally binding agreement with the service provider, approved by Purchasing and/or the Office of General Counsel to ensure that the data is protected and managed in accordance with standards and procedures required by law and acceptable to the University.
Lehigh University is responsible for ensuring the integrity and security of Institutional/Proprietary Data and Confidential Data maintained by it in the regular course of business, regardless of the form or location of such data. The obligation to maintain the privacy of this data is not only governed by University policies, but also by various federal, state and local laws and regulations. Lehigh University takes steps to limit access to this information on a need to know basis. Access to Institutional/Proprietary or Confidential Data is granted only to those individuals who have undergone proper training in the handling of such data and who have acknowledged the confidentiality of the data. Anyone viewing, updating, or releasing data of this type for any reason other than officially authorized University business may be held personally liable and subject to criminal and civil penalties.
Cloud computing, for the purpose of this Policy, encompasses utilizing any external computing, software services, or hosting environment that is not directly controlled by Lehigh University.
Encrypted data refers to information that has been converted through software into a non-human readable form typically via a password or phrase (which is also used to decrypt the file when the information is to be accessed). All encryption referred to within this Policy should conform to prevailing industry standards. See Lehigh's encryption web pages for details.
Confidential Data (highest level of sensitivity) must be protected due to legal requirements, contractual requirements, or University policy or practice. Data of this type includes, but is not limited to, the following types of records: student, financial, health care, employment, legal, and certain business records. See Lehigh University Data Classification for additional details.
Institutional/Proprietary Data (moderate level of sensitivity) must be protected due to privacy, ethical, proprietary, or legal constraints. Data of this type includes, but is not limited to, departmental data, Lehigh internal memos and email, non-public reports, budgets, plans, financial information, contract information (between Lehigh and a third party), and physical plant detail. See Lehigh University Data Classification for additional details.
Public/Unrestricted Data (lowest level of sensitivity) is protected at the discretion of the department or the data steward. Data of this type includes, but is not limited to, all documents intended for public distribution, directory information as defined by FERPA and University policy, and any departmental data not deemed to be Institutional/Proprietary Data.
Implementation of Policy
Any University data residing within a cloud computing environment must be retrievable by the institution and not solely by the individual who placed the data in the cloud environment, and must conform to the Lehigh University Records and Retention Policy.
Confidential Data or Institutional/Proprietary Data placed into a cloud environment must be encrypted in transit and encrypted at rest. The cloud service provider's contract must indicate that they conform to all relevant federal, state and local laws and regulations.
Please contact Library and Technology Service (LTS) for assistance should the need arise to store or share Lehigh information in a manner not currently supported within Lehigh's secure computing environment.