Cloud Process: How-to

Note: Terms in italic are defined in the glossary.

Before using a Cloud solution at McGill (“using” includes storing, processing or transmitting data in the solution), we need to properly assess this solution to ensure it is adequately protecting our institutional (enterprise & research) and personal data. A privacy assessment, an IT risk assessment and a contract assessment must be done.

Topics covered:

  • Define in what context you will use the Cloud solution. Will you use it in a “research” or an “enterprise” (i.e. non-research) context?
  • Is the Cloud solution subject to the Cloud Directive?
  • Has the solution already been assessed for use at McGill (i.e., approved or rejected) or has the assessment been deferred?
  • Steps to follow to acquire a Cloud solution for your context
  • Who is involved in the process and who can assist you?
  • Special cases: approved classes, deferrals and derogations

When planning for the acquisition of a Cloud solution, you need to consider that the required assessments take time. They involve information exchanges between the supplier, the supplier’s own sub-suppliers, subcontractors and sometimes independent auditors, as well as the solution requestor and several departments within McGill, in order to assess the supplier’s ability to adequately safeguard the data within their cloud solution.

Critical questions to determine how to proceed

To acquire a Cloud solution, you need to first answer 3 critical questions to determine how to proceed:

In what context will you use this Cloud solution?

The Cloud Service Acquisition Process must be followed in all cases; however, the assessments are done with a varying degree of diligence depending on the context in which you will use the Cloud solution and on the sensitivity of the data that is processed within it.

First, determine in which of the following contexts you plan to use the solution:

  1. Research context with only research data: this can for example refer to a situation where data is collected into a Cloud Solution for the purpose of research (including Personal Information such as name, birth date, medical information).
    • Note: Software or cloud services that support the administration of research fall under the “enterprise context”. This can for example refer to solutions which manage research grant applications or solutions that are used to manage inventory of chemical reagents.
    • Note: Some software or cloud services used for research data can be proactively assessed university-wide; they will fall under the “enterprise context”, where a more rigorous review will be performed.
  2. Enterprise context: this typically refers to administrative or teaching data. It also relates to data for the administration of research. Ex. Personal Information of staff that is collected in a non-research context, employee evaluations, course descriptions, Grade Point Averages (GPA), etc.

Is this Cloud solution subject to the Cloud Directive?

In general, Cloud solutions (free or paid) are subject to the Cloud Directive and, as such, need to be assessed for use at McGill. Given that Cloud solutions and the data used in them evolve over time, a Cloud solution not only needs to be assessed for the initial acquisition but also needs to be re-assessed each time the contract is renewed.

Cloud solutions are OUT OF SCOPE of the Cloud Directive when:
  • The contract is not signed by McGill but only by an external party, such as student associations
  • It is used for conducting clinical research
  • It is used locally only, i.e.:
    • You use basic personal information (ex. name and email) to download an app/data that you will use on your device locally (i.e., you are not subscribing to a Cloud solution)
    • You use basic personal information (ex. name and email) to register & activate an account for an app that you will use on your device locally (i.e., your registration allows you to run this software on your device)

All other Cloud solutions must be assessed for use at McGill.

Has the Cloud solution been approved or rejected in the past, or has a deferral been granted?

Some Cloud solutions may have already been assessed and approved for certain uses by McGill. Leveraging a solution that has already been assessed, and that is in line with your current needs, is beneficial in terms of assurance of compliance, procurement timeline and total cost. If your usage differs, for example with regard to your data sensitivity and classification (regulated, protected, public), the solution may have to be re-assessed. In the Approved Cloud Services list, you will see whether your Cloud solution has already been approved, and under what conditions (restrictions).

The following classes of Cloud solutions are automatically approved, in the context of the Cloud Directive only, for use under specific conditions. Please contact itgovernance.its [at] mcgill.ca for assistance on these classes of solutions.

| Approved classes of cloud solutions | Special conditions |
|---|---|
| Cloud solutions managed by Quebec public bodies (ex. BCI) | Low/medium/high sensitivity |
| Cloud solutions managed by Canadian/US/European public bodies (e.g., Compute Canada, Calcul Quebec) | Only if low/medium sensitivity |
| Cloud solutions processing Personal Information that is supplied voluntarily by the user and not by McGill (e.g., voluntary and fully optional virtual events) | Disclaimer text is required |
| Cloud solutions processing public information only | N/A |
| Cloud solutions solely providing content for consumption (ex. Gartner, LinkedIn Learning), provided that the solution was acquired through a Purchase Order and Simplified Privacy Addendum | Only if low/medium sensitivity and purchased via Purchase Order |
| Cloud solutions where the only Personal Information collected is name & email (of staff, faculty, students) | Only for solutions in use by research, faculty, staff & students |

  • For some categories of Cloud solutions, a deferral may have been granted by Procurement Services to use the Cloud solution without carrying out the privacy assessment, the IT risk assessment and the contract assessment. A deferral is only provided for a specific duration and under special conditions; therefore, the Cloud solution will need to be assessed at a later stage.
    • Note: If a solution has not been previously assessed under the Cloud Directive and a renewal is imminent, Procurement Services will exceptionally defer the assessments. This will be allowed only once. At the next renewal, the Cloud Service Acquisition process must be respected and initiated well in advance of the renewal date.
  • Some Cloud solutions may have been rejected for use at McGill for a specific data category, such as Personal Information. If a solution was rejected in this manner, it doesn’t automatically mean that it is also rejected for your needs. The Rejected Cloud Services list explains for which data categories the Cloud solution has been rejected. If your conditions are different from the rejection conditions (restrictions), a new assessment will be required for the solution to be used.

What's next...?

Once you have determined:

  • In what context you will use the Cloud solution
  • Whether the Cloud solution is subject to the Cloud Directive
  • Whether there is an approval, rejection or assessment deferral in effect for the Cloud solution

Then you can proceed to perform the assessments if required.

Steps to follow to perform the assessment

Based on the context for which you wish to use the Cloud solution, follow the steps in the appropriate section below.

The extent of due diligence required is based on the risk level associated with the acquisition of the cloud service. The IT risk assessment necessary to ensure due diligence can range from a limited to a full assessment of the cloud service, and the contract assessment can range from a basic review (for Public data) to a basic review and IT Clauses assessment (for Protected and Regulated data). Some exceptions may apply. See the IT Risk assessment and Contract assessment glossary terms for a more detailed explanation of these terms.

If a solution is used in multiple contexts (research, teaching and/or other) or if independent requests for the same solution are made by multiple requestors, Procurement Services will determine whether the solution should be assessed for each context/requestor independently, or as a university-wide solution for all purposes.

To acquire/use a Cloud solution for Research data (not including Research management administration)

A Cloud solution for Research Data refers to the use of the Cloud solution in the context of conducting research.

As a researcher, you are yourself responsible for assessing Cloud solutions from a compliance and risk perspective.

Given that evidence of due diligence must be kept for the duration of the contract and 3 years thereafter, researchers must document the results of the assessments. Additional tools and templates will be provided to support researchers in this task.

If you have any questions related to research data management, research software or advanced research computing, feel free to contact Digital Research Services.

If you would like to be supported in the assessments, please complete the Software or Cloud Service Acquisition request form.

The table below describes the process diagram for the research context.

| Process steps | Researcher | Who to contact if you require assistance? |
|---|---|---|
| Data assessment | 1. Evaluate data elements in scope to determine data sensitivity level | If assistance is required, contact Digital Research Services |
| IT risk assessment | 2. Complete IT risk review, ranging from: no assessment for Public data; limited assessment for all Protected data and Regulated data of low/medium sensitivity; to full assessment for Regulated data of high sensitivity | If assistance is required, complete the Software or Cloud Service Acquisition request form. If credit card information is processed in the Cloud solution, a PCI assessment will be required, which will be completed by IT Services |
| Privacy and contract assessments | 3. Perform a contract assessment, ranging from: basic review for Public data; to basic review and IT clauses assessment for Protected and Regulated data | If assistance is required, contact the buyer or email the Procurement Service Desk. Procurement binds the supplier with the Privacy obligations by incorporating the Privacy Addendum into the contract |
| Decision | 4. Based on all assessment results, decide whether or not to proceed with the Cloud solution | If required, Procurement can provide guidance on how to document a derogation |

To acquire/use a Cloud solution for Enterprise data (including Administration, Teaching, Research management administration)

A Cloud solution used in an enterprise context refers to the use of the Cloud solution for administration, teaching or the administration of research.

Please complete the Software or Cloud Service Acquisition request form if you are planning to acquire a solution in this context.

The solution requestors must fill in and submit the Data Assessment form.

Some solution requestors have a portfolio manager who can complete the Data Assessment form on their behalf or provide support in completing it.

For more information about how to fill the Data assessment form, see the How-to: Data Assessment form.

  • Instructors should contact TLS: tls [at] mcgill.ca
  • Administrative units can reach out to a Portfolio Manager for support

The table below describes the process diagram, which provides an overall view of the steps that will be initiated once your request has been submitted.

| Process steps | Requestor | Central services |
|---|---|---|
| Data assessment | 1. Complete Software or Cloud Service Acquisition request form; 2. Complete data assessment form; 3. Submit data assessment form for approval | IT Portfolio Manager: review data elements in scope; assist requestor or Business PFM in completion and submission of data assessment form. Data trustee: review data assessment form and determine whether it is acceptable |
| IT risk assessment | | IT Services: perform an IT risk assessment, ranging from no assessment for Public data; limited assessment for all Protected data and Regulated data of low/medium sensitivity; to full assessment for Regulated data of high sensitivity. If credit card information is processed in the Cloud solution, a PCI assessment will be required, which will be completed by IT Services |
| Privacy and contract assessments | | Procurement: binds the supplier with the Privacy obligations by incorporating the Privacy Addendum into the contract; performs a contract assessment, ranging from basic review for Public data to basic review and IT clauses assessment for Protected and Regulated data |
| Decision | | Procurement: based on all assessment results, decide whether to proceed with the Cloud solution; if required, complete a derogation request |

Derogations

If a solution fails the privacy assessment, the IT risk assessment and/or the contract assessment, a derogation may, under exceptional circumstances and on a case-by-case basis, be granted to use the Cloud solution under specific conditions and for a specific timeframe. This happens rarely and requires special written approval by the Contract Compliance Officer (CCO) and the Chief Information Officer (CIO).

Examples:

  • Specific Cloud solutions that provide an essential service where another acceptable alternative does not exist.