Information Governance documentation: Can I use Dropbox?
The use of cloud-based storage makes collaboration and sharing of information very easy and convenient. In 2015 the University made a strategic decision to standardise on Microsoft Office 365 as the default cloud office collaboration platform for the organisation.
Office 365 should be used as the default secure solution for any file storage and collaboration needs by members of the University. Office 365 is fully supported by IT staff, Information Governance terms have been explicitly agreed, and it allows secure collaboration with colleagues outside of the University.
IT services has a dedicated page for sharing and collaboration with MS Teams.
1. Using Office 365 instead of Dropbox
Office 365 should be used as the default solution for any file storage and collaboration needs by members of the University. Office 365 can be accessed from: Windows, Mac OS X, Linux, Android mobile handsets, and Apple mobile handsets. Files can be edited and transferred from a web browser or synchronised to a physical device (the user has a choice of which directories are synchronised).
University and external colleagues can edit and collaborate on Microsoft Office documents at the same time using familiar Office applications like Word and Excel across multiple computers, Windows and Mac alike. You can also use forms and survey tools.
Office 365 provides the ability for University staff and students to store unlimited numbers of files (a quick call needs to be made to the IT Service Desk once 1TB is reached), with a maximum individual file size of 15GB. Your files even have version history: if you accidentally overwrite a file, you can restore the previous versions yourself (within 30 days).
2. Using Dropbox within the University, or using pre-existing Dropbox accounts
Where a member of the University has full control of the choice of collaboration platform, Office 365 should be used.
If Dropbox is already being used by a member of University staff, and where they have autonomy, then the content from Dropbox should be migrated to Office 365 by moving the files across in a pragmatic risk-based approach as soon as is reasonably practicable before the end of March 2019.
Individuals should make a judgement based on the sensitivity of the data, lifetime of the research project, and current level of collaboration. It may be that with a research project that has six months remaining, the data is left on Dropbox until the end of the project, then migrated to Office 365 for long-term storage, and where relevant archived in the University Data Repository. The Dropbox account can then be closed and any contract terminated.
Whilst individuals at the University may have signed up with individual contracts for Dropbox or Dropbox Professional, since 2013 the University has recommended that colleagues use a centrally managed service instead of Dropbox.
There are three core reasons:
- As the University has not undertaken a procurement exercise to provide Dropbox centrally, and already provides an equivalent system in Office 365, Dropbox subscriptions will incur unnecessary additional costs for the University.
- In 2015 the University made a strategic decision to standardise on Office 365 as the default cloud office collaboration platform for the organisation. Therefore, all support efforts focus on the use of Office 365 and its integration with University systems. IT Service will be unable to help if data is lost from Dropbox accounts or if members of the University leave with organisational data stored in Dropbox, and will be unable to manage confidential data leaving the University via Dropbox. All these data loss scenarios have happened at the University over the last two years and caused significant impacts to multi-million-pound research projects and required incidents to be flagged to the ICO (Information Commissioner's Office). For these reasons, where a member of the University has full control of the choice of collaboration platform, Office 365 should be used.
- The University ensures on your behalf that all centrally procured cloud service provider agreements (for example Office 365) include: negotiated Terms and Conditions that are compliant with UK Law, General Data Protection Regulation (GDPR), and the University Statutes and Ordinances. In addition, checks are made to ensure that the contract uses EU Model Clauses, includes Privacy Shield, and the organisation holds ISO 27001 certification (as appropriate).
3. Using Dropbox with an external lead collaborator or PI
There may be the sole exception where the lead collaborator, Principal Investigator (PI), or Co-Principal Investigator at another organisation has standardised on the use of Dropbox for collaboration on work with University colleagues. It would be detrimental for the University to recommend that colleagues do not collaborate with others simply because of the sharing platform used.
In this example, the external lead collaborator, PI, or Co-PI as Data Owner, has responsibility for, and takes the risk of, ensuring that the contract with Dropbox includes appropriate and proportionate Information Governance contractual controls, specifically Privacy Shield and/or Model Clauses covering the processing of the data being stored in the Dropbox account.
If this is the case, it is critical that you clarify with the PI what data can be shared by Dropbox as part of the research project. Data may be owned by the lead for each research strand rather than the PI. Sharing data between research partners does not necessarily equate to data ownership. Data ownership and sharing agreements may have been drawn up setting out who owns which data. Ideally this would form part of a “Data Management Plan” created in partnership with the University Research Data Manager in the Library.
It is difficult to assure future access to data stored on Dropbox for the University, especially where the owner is external, or the owner leaves their organisation. This consideration should form part of the “Data Management Plan” especially if it is underpinning evidence for published research which should be migrated to a data repository or data archive assuming there are no legal, ethical or commercial reasons why it is not shared.
It is important to note that specific contractual obligations applied to the whole or to part of a research grant, funder’s data policy, collaboration, or area of work may supersede any advice within this document. For example, a research contract may explicitly state that “cloud services cannot be used” or “data cannot be hosted in the USA”, or may restrict this implicitly through export control regulations.
References and further information
Guidance is available in the University Information Sharing Policy.
The Library's guidance on Research Data Management.
Further advice on these issues can be sought from Information Governance colleagues via: infogov@lboro.ac.uk.