When acquiring or using a new software app, here's what you need to know...
These days most software used at McGill is provided by third-party vendors and hosted "in the cloud". Because data is exchanged and/or stored outside of McGill's IT infrastructure, we need to perform due diligence to ensure our data is safe and to respect laws and regulations. We are all responsible for keeping McGill data safe.
What is McGill's Cloud Directive?
The Cloud Directive prescribes when and where you can process, transmit and store McGill data, depending on the type of data involved and its required security and privacy needs.
Who needs to comply?
All members of the McGill University community are obliged to comply with the Cloud Directive, even when using free cloud services.
Research data is also subject to the Cloud Directive.
Where should I begin?
For guidance on obtaining and using cloud services, view the sections below, starting with Cloud 101.
- Cloud 101
- Cloud service acquisition process
- Roles & responsibilities
- What to consider when using a cloud service
- McGill-approved cloud services
- Resources & presentations
- Who to contact
Cloud 101
This PDF document provides an introduction to cloud services, including:
- Risks they pose
- Different types of data and the level of protection they require
- What is expected from you
Cloud service acquisition process
McGill is required to have a process for vetting cloud services to ensure that vendors can deliver on their commitments to safeguard our data against theft, loss and corruption.
This interactive process map provides a high-level overview of the Cloud service acquisition process. Anyone at McGill who wants to acquire or use a cloud service must follow this process.
Roles & responsibilities
Find out where you fit into the Cloud Acquisition Process.
*** Coming soon ***
What to consider when using a cloud service
When using a free or paid cloud service, various factors need to be considered throughout its lifecycle: before acquisition, during use, and at renewal.
Below are questions you will need to ask yourself at each stage. Refer to them often, as they may change over time with changes in technology and the security landscape.
1. What types of data will you be working with, and what do you want to do with them?
Note that only certain types of data are eligible for use with cloud solutions, depending on their level of sensitivity and the protection offered by the vendor.
Cloud services that store, process or transmit data that are normally protected and/or regulated require special consideration, as required by Quebec and/or Canadian law, regulation or industry standard.
2. Is your proposed solution really a cloud service?
Validate that the solution you are considering is in fact a cloud service.
On-premise solutions are not subject to the same considerations.
Refer to Cloud services: Definition in Cloud services 101 on the Cloud Service Directive & Guidance page on the ITS website to find out more.
3. Does McGill already have a similar solution that meets your requirements?
IT Services can identify validated existing solutions in use at McGill.
4. Have you researched multiple alternatives that can meet your needs?
Plan to have more than one option in case the vendor cannot comply with the regulatory obligations that the Institution must abide by. The three assessments (Privacy, IT Risk, and Contract) will identify any compliance gaps.
5. Have you clearly defined your requirements?
Requirements need to be complete, clear, correct and consistent. To be able to identify your requirements, you need to understand how you are working today and identify how you wish to work in the future with the new solution.
6. Most cloud services cannot be customized, so can you work within these constraints?
If your processes cannot be adjusted accordingly, we encourage you to look for alternatives.
7. If it is necessary to leave the vendor in the future (given your evolving needs, market changes, compliance requirements, etc.), do you understand what happens to your data after termination of the contract?
Formulate an exit strategy which will allow you to migrate your data to another service provider without losing functionality.
8. Are you aware of the funding model for the acquisition of cloud services?
Cloud services at McGill are considered an operational expense, while other types of software are mostly classified as capital expenses.
The requester is responsible for the recurring subscription costs for the use of the cloud service.
9. How soon do you want to start using the cloud service?
Negotiations and obtaining complete information from the vendor can result in delays of 3 months or more.
All free and paid cloud services (except those that solely involve public data) must first undergo an assessment process - see the documents Cloud 101 and Process for evaluating the acquisition and use of a Cloud Service for details.
Be aware that a cloud service may be approved or rejected as a result of the vendor assessment. Ensure that the evaluation period and possible outcomes are taken into account when planning a cloud solution.
10. Do you have the resources and expertise to support the ongoing maintenance and monitoring of the cloud service and vendor?
It is the business's responsibility to ensure that its unit can support the ongoing maintenance and monitoring. It is strongly recommended to dedicate the right expertise and resources to these activities.
11. Cloud services do not need to undergo the assessment process upon renewal, unless one of the following factors is present:
- Client raises issues with service
- Vendor changes processes, systems, or "flow of data"
- Any breach of contract related to security, performance or privacy compliance
- Scope change by client (which includes further or different access to protected info)
- Significant changes to laws, regulations and industry standards that would necessitate an amendment
Approved cloud services for different types of data
McGill has vetted a number of Cloud Services and determined which ones are appropriate for various uses (types of data).
A list of these will be published soon.
FAQs about the Cloud Directive and where it applies
Do I need to invoke the Cloud Service Acquisition Process if I'm using a Cloud Service for my own personal use, with my own data?
No. The Cloud Directive is aimed at protecting McGill institutional data, including personal data of others under McGill's custodianship. You should, however, learn about the risks associated with data in the cloud to keep your own personal data safe online.
Research data is subject to the Cloud Directive. You must follow the Cloud Service Acquisition Process when acquiring cloud services for research data.
*** Additional FAQs coming soon ***
Resources & presentations
Who to contact
For general questions
| McGill unit / Faculty and Role | Primary Contact |
|---|---|
|  | feedback.purchasing [at] mcgill.ca |
| Information Technology Services (for technical guidance and questions about the Cloud Directive) |  |
The Buyer/Lead Buyer for your portfolio / unit is your main point of contact throughout the cloud service acquisition process. For their contact information, see the Contact Us page on the Procurement website.
Data Trustees / Approvers for cloud service requests
Before contacting Procurement Services, validate with the responsible Data Trustee(s) / Approver(s) to determine if the desired data can be hosted in the cloud. Choose the person most closely responsible for the data.
| Area | Data Trustees / Approvers or their delegates |
|---|---|
| Human Resources (examples: id, employment status, salary, etc.) | Associate Vice-Principal (Human Resources) |
| Payment Card Industry (PCI) (example: credit card) |  |
| (examples: id, grades, registration, etc.) |  |
| School of Continuing Studies (examples: information about courses, students in Continuing Studies, etc.) | Carola Weil (acting Dean), Dean of the School for Continuing Studies |
| (examples: scholarships, awards, etc.) | Director, Office of Scholarships and Student Aid |
Contact Procurement Services for Data Trustees / Approvers not listed above.