Student Cloud Services

This statement sets out The University of Tasmania policy in relation to the collection and use of your personal information collected by the University in the provision of ICT services.

The University of Tasmania recognises that your privacy is very important to you. As a 'personal information custodian' within the meaning of the Tasmanian Personal Information Protection Act 2004, the University of Tasmania complies with its obligations to protect the integrity  of your personal information.

When you apply to enrol at the University of Tasmania using the eStudent system you are requested to submit information including, but not limited to: a) your name; b) your address; c) your personal email address; d) your telephone number; and e) your date of birth.

Any personal information you submit to the eStudent system will be used to process your Enrolment Application and to provision core ICT services:

• Authentication Services (username & password), to facilitate the use of University information services. 

All of the information collected on behalf of the University of Tasmania in your Enrolment Application will be processed through the eStudent system and stored on premise at the University.

In cases where the University of Tasmania delivers ICT services through a third-party provider either within or outside of Australia, the University is required to take reasonable steps to advise you of this.

As of November 2014, the following student facing ICT services are delivered from outside of the University of Tasmania:

Authentication Services

• Required to ensure continuity of authentication to cloud based services in the event that UTAS on premise services are unreachable;
• Provisioned from the Microsoft Azure data centre in Melbourne and Sydney, Asia Pacific South.

Email & Collaboration Services (Office 365)

What contractual agreements does the University have with Microsoft to protect my data in Office 365 Education?
The University has an Office 365 Education Plus for Faculty licence with Microsoft which is one of the types of Education licences for Office 365 for Business. In addition to what is included in the usual Education licence, this provides the University with further information security capabilities such as Advanced Threat Protection and additional controls over Microsoft support.

What certifications does Microsoft have for Office 365 for Business to show their compliance to information security standards?
Microsoft has obtained independent verification of a range of certifications. A list of the current certifications Microsoft has for its cloud can be found and searched from here: https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings and include the following commonly used standards:

• ISO 27001 
  
  • Information technology security techniques Information security management systems requirements. https://www.iso.org/isoiec-27001-information-security.html
• ISO 27018 
  
  • The first international standard for privacy in the cloud https://www.iso.org/isoiec-27001-information-security.html
• NIST 800-53 
  
  • Risk Management Framework that addresses security control in accordance with the security requirements in US Federal Information Processing Standard (FIPS) 200. https://nvd.nist.gov/800-53
• CCSL (IRAP) 
  
  • Australian Certified Cloud Services List (Unclassified DLM) based on the Australian Signal’s Directorate’s IRAP assessment program https://www.asd.gov.au/infosec/irap/certified_clouds.htm
• SSAE 16 audits 
  
  • Statement on Standards for Attestation Engagements (SSAE) 16 is an auditing standard for service organisations. http://ssae16.com/SSAE16_overview.html
• FISMA compliance 
  
  • US Federal Information Security Modernization Act https://www.dhs.gov/fisma
• HIPAA BAA 
  
  • US Health Insurance Portability and Accountability Act, Business Associate Agreement – Contract between HIPAA covered entity and HIPAA business associate to protect personal health information in accordance with HIPAA guidelines https://www.hhs.gov/hipaa/index.html
• EU Model Clauses 
  
  • EU Standard Contractual Clauses are standardised contractual clauses used in agreements between service providers (such as Microsoft) and their customers to ensure that any personal data leaving the European Economic Area will be transferred in compliance with EU data-protection law and meet the requirements of the EU Data Protection Directive 95/46/EC. https://www.microsoft.com/en-us/trustcenter/compliance/eu-model-clauses, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML

How does Microsoft protect my data in Office 365 for Business?
Microsoft protects your data by applying a range of controls at differing layers including Physical, Network, System Administration and Data Layer. These controls enable Microsoft to comply with various recognised information security standards and certifications for the protection of information. Detailed information on how Microsoft provides information security for Office 365 can be found in their Trust Centre page https://products.office.com/en-au/business/office-365-trust-center-welcome with white papers on file security downloadable here https://www.microsoft.com/en-us/download/details.aspx?id=53884 and https://go.microsoft.com/fwlink/p/?LinkId=401240.

In summary, Microsoft provides the following controls for data in Office 365:

Physical Layer protections 

• Physical infrastructure used to store data in the data centres is destroyed on-site – it is never repurposed or sold on.
• UTAS Office 365 data is stored in one or both of the Australian Microsoft data centres in New South Wales or Victoria. Data may be stored in one or both depending on Microsoft backup and mirroring of data.
• Access is restricted 24 hours a day by job function to essential personnel only.
• Multiple authentication and security processes are used including badges and smart cards, biometric scanners, on-premises security officers, continuous video surveillance, and two-factor authentication.
• Datacentres are monitored using motion sensors, video surveillance and security breach alarms.
• Automated fire prevention and extinguishing systems are also in use.

Network Layer protections

• Only necessary ports, protocols and connections are allowed using tiered access control lists on routers, IPsec policies on hosts, firewalls and host based firewall rules.
• Edge router security provides intrusion detection and vulnerability detection with further internal segmentation both physical and network for critical back-end servers and storage devices from public-facing interfaces.

System Administration Layer protections 

• Automation is used as much as possible to reduce inconsistency or malicious activity
• Administrator access is strictly controlled and similar to physical access is on a ‘needs’ basis using a ‘Lockbox’ process involving:
  
  • Personnel level background checks and account management so only those essential to a task have the permissions to perform that task
  • Roles based access control
  • Just-in-time accounts with high-entropy passwords
  • Access for those accounts for a limited time
• Only pre-defined processes can run on servers (via Applocker)
• Auditing and review of all access
• Anti-malware, patching and configuration management is used with patches, updates and hotfixes applied following the change management process and within the timeframe specified by the issuing company.

Data Layer protections

• Data storage and processing for each tenant is segregated.
• Encryption is used on data both at rest and in transit with most up to date information on specifics found in the Microsoft Trust Centre and white paper linked above.

Privacy and Office 365 for Business?

As part of the Office 365 licence, the agreement ensures that any data you put into your account in the cloud remains yours. In addition, Microsoft has had independent verification of Office 365 compliance with ISO 27018 which is the international standard for privacy in the cloud. Microsoft has clarified within https://go.microsoft.com/fwlink/p/?LinkId=401240 to mean:

• They only use your data to provide you with the online services paid for, including purposes compatible with providing those services.
• They will not mine the data for advertising purposes.
• If you choose to leave the service, you can take your data with you with full fidelity
• They tell us where the data resides, who has access and under what circumstances
• Access to the data is strictly limited, non-destructive, logged and audited
• Microsoft redirects government requests for your data to you unless legally prohibited and has challenged government attempts to prohibit disclosure of such requests in court.

Learning Management System (MyLO)

• provisioned from the Desire2 Learn Australian hosted data centre, Equinix, in Sydney.

UTAS Enterprise CRM (Oracle Right Now Service Cloud and Oracle Eloqua Marketing Cloud)

• provisioned from the Oracle data centre hosted within Australia.

Service Management System (ServiceNow)

• Provisioned through Service Now hosted data centres within Australia.

Online Elections and Voting (BigPulse)

• provisioned from the data centres mirroring copies hosted in Canada and United Kingdom.

Careers Services Management System (CareerConnect)

• Provisioned through Symplicity the underlying infrastructure is fully within Australia with data from the production and any test/mirror sites stored and remaining within Australia.