Universities are not free to store data at will in a cloud.
Numerous legal regulations restrict the handling of data. The relevant requirements can be found, for instance, in data protection legislation and in information security provisions. Official secrecy must also be observed. Organisations that are certified to ISO Standard 27001 must comply with additional rules, i.e. have a certified information security management system. All of these provisions must be met if data are to be stored in a cloud.
When processing personal data, the general principles of legality, proportionality, purpose, recognisability and data security must in particular be observed. Cantonal and federal public institutions must also in principle rely on a legal basis for the processing of personal data. This among other things means that documents containing personal data may only be disclosed under certain conditions. This applies not only to their transmission to external parties, but also within the college.
In addition, personal information must be protected against unauthorised processing by means of appropriate technical and organisational measures. These measures are aimed at ensuring the confidentiality, availability and integrity of the data.
The storage of official secrets in a cloud may be punishable by law if third parties gain access to the data. Colleges should therefore identify data that are covered by official secrecy.
Official secrecy is regulated by article 320 of the Swiss Penal Code (StGB). It forbids the publication of secrets by officials or by the staff of an authority. Within the meaning of this provision, secrets are deemed to be facts that, first, are known or accessible only to a limited group of people; that, second, the institution wishes to keep secret; and, third, there exists a justified interest in maintaining their secrecy.
An official secret is namely only considered to be that which must be kept secret in accordance with the freedom of information law. This is for example the case where trade secrets may be revealed through the granting of access to the appropriate information. However, documents should be treated as official secrets once a subjective interest in their secrecy exists, regardless of whether or not in a particular case there exists an official secret in the legal sense. While it is true that publication of the relevant documents cannot be prevented in a particular process, those processing them can be prevented from disclosing the information themselves.
What can a college do to meet all these requirements? It cannot be expected that every member of the college staff should know the legal situation regarding the data currently being processed. It would be easier if colleges would first create categories of data that provided binding rules for the treatment of data. Specific data collections should as a second step then be assigned to these categories.
Such classification is unfortunately not so easy. This is shown by the example of personal data, which cannot be included as an independent data collection as the data can be found in a wide variety of documents. It is possible nonetheless to identify data collections that practically always contain personal data, such as contracts, personal data of students or e-mails. The college could then assign a category to these documents, which restricts their disclosure and provides additional requirements for their management.
Finally, data classification is only as valuable as its effective implementation within the organisation. Perfectionism cannot be the aim of data classification, however, because it is obvious that without data classification, data protection will not be properly respected - and an imperfect solution is often better than no solution at all.