The current standard privacy conditions in CERN’s commercial contracts expressively require the processing of personal data on behalf of CERN in our member states, only.
Consequently, the usage of cloud solutions that process personal data in the US, is no longer conform, neither by persons working at CERN nor by CERN’s suppliers.
This is a broad topic, and many issues will depend on the specific case of the cloud service, but here are some key general points to consider:
- When you upload personal data to the cloud (including entering it into a Google doc) you are processing personal data.
- When anyone reads the personal data you have entered, they are also processing personal data.
- Did you consider the privacy rights of the individuals and the personal content you are uploading?
- Is the purpose specific and is this the best method for achieving the purpose?
- Have you obtained the appropriate consent from the individuals or can you justify an appropriate legal basis for the processing you are performing?
- Do you understand the contractual relationship you have with cloud provider? What rights do they have to the content? What commitments do they have to protect personal data and are they sufficient?
- Have you protected the access to the content adequately?
You are accountable for the processing of personal data and the general rule is that if you can avoid it, you should!
There are many types of cloud Services, from applications that you can use to basic cloud storage, from internal solutions to external solutions.
What you should be careful of however, is storing personal data of other people in the cloud without adequate protection. So when working in the CERN professional context, be very careful when using cloud Services. Here are some guidelines to consider.
- Do you know how the cloud provider treats any data that you store with them? Have you checked? Does it offer adequate protection?
- Does your hierarchy know (and approve) of the cloud services you are using in your professional work?
- Is the processing of personal data you are engaged in compatible with the privacy notice for the Service?
Further advice on the use of cloud Services can be obtained from the Cloud Licence Office (CLO).
Doodle is a great tool for organising meetings. There are also security measures you can take to avoid all participants from seeing all the other participants and you would be wise to engage them. Hint: Select hidden poll in settings.
To give an example. Imagine you wish to organise a meeting to get together all people inside CERN that have children, you may accidentally create a public list of people, their profile (having children) and their presence at a given place and time. Furthermore this list will be accessible and viewable by anyone whether they were invited by you or not. You cannot assume the URL you give to possible participants will remain protected.
This is a violation of the privacy rights of individuals as you have created and published a profile by not taking appropriate technical measures to protect their privacy.
So be careful to use all the security measures at your disposal.
The google terms and conditions, that you must agree to, contain a number of specific obligations concerning privacy. Please be aware that these are not optional!
The most important are:
"You will not and will not assist or permit any third party to, pass information to Google that Google could use or recognize as personally identifiable information"
"You must disclose the use of Google Analytics, and how it collects and processes data"
"You will use commercially reasonable efforts to ensure that a Visitor is provided with clear and comprehensive information about, and consents to, the storing and accessing of cookies or other information on the Visitor’s device where such activity occurs in connection with the Service and where providing such information and obtaining such consent is required by law."
"You must not circumvent any privacy features (e.g., an opt-out) that are part of the Service."