11.1 Cloud Storage
1.0 Overview
Cloud storage provides Middle Georgia State University (MGA) with enhanced accessibility, cost efficiency, and opportunities for collaboration. However, without proper oversight and security controls, the use of cloud environments can introduce significant risks, including data breaches, unauthorized access, and loss of sensitive institutional information. This policy establishes the framework for the secure and compliant use of cloud storage services approved by MGA and/or the University System of Georgia (USG).
2.0 Purpose
The purpose of this policy is to ensure that only cloud storage services formally approved by MGA and/or USG are used for storing institutional data, and that all data stored or shared within these environments is protected in accordance with applicable MGA, USG, and BOR policies. This policy is designed to safeguard the confidentiality, integrity, and availability of University data and to mitigate risks associated with cloud-based storage and collaboration.
3.0 Scope
This policy applies to all MGA personnel, students, contractors, and third-party providers who store or share university data using cloud services. It governs the use of approved cloud platforms for institutional purposes and applies to all devices used to access such services.
4.0 Policy
Approved Use: Middle Georgia State University data may be stored in the cloud only when the cloud service provider is operating under a contract formally approved by MGA and/or the USG.
Data Sharing: Data stored in approved cloud environments may only be shared with current MGA faculty, staff, students, or with external individuals and organizations that have a formally approved contract with MGA and/or the USG.
Security Compliance: It is the responsibility of both contracted cloud service providers and MGA personnel to ensure full compliance with all applicable data protection policies established by MGA, USG, and the BOR. This includes safeguarding institutional data stored in cloud environments and securing any data shared between these environments and MGA entities.
Prohibited Use: The storage of personal data in cloud environments approved by MGA and/or USG is strictly prohibited. All data stored must pertain solely to institutional operations and comply with applicable data classification and privacy standards.
Note: OneDrive for Business is different from the individual consumer version of OneDrive. Only the business version approved by MGA/USG should be used for institutional data.
5.0 Regulatory Compliance
Middle Georgia State University complies with all applicable federal, state, and institutional regulations governing the privacy and security of data stored in cloud environments. Key regulations include:
- Family Educational Rights and Privacy Act (FERPA): Protects the confidentiality of student education records and requires reasonable safeguards when storing or sharing personally identifiable information (PII) in cloud environments.
- Health Insurance Portability and Accountability Act (HIPAA): Applies to any cloud storage of protected health information (PHI), including student health records or services provided through university health programs.
- Gramm-Leach-Bliley Act (GLBA): Requires institutions that offer financial services (e.g., student loans, financial aid) to protect customer financial data through administrative, technical, and physical safeguards.
All cloud service providers approved for use by MGA and/or USG must demonstrate compliance with these regulations and ensure appropriate contractual, technical, and procedural safeguards are in place. Users must not store regulated data in cloud environments unless the platform is explicitly approved for such use.
6.0 Enforcement
All Middle Georgia State University faculty, staff, students, and affiliated entities are expected to comply fully with this cloud storage policy. Non-compliance may result in disciplinary action in accordance with applicable MGA policies, University System of Georgia guidelines, and BOR regulations.
Violations of this policy—including unauthorized storage or sharing of institutional or personal data in cloud environments not approved by MGA or USG—may lead to sanctions up to and including revocation of access to university IT resources, disciplinary action, and/or legal consequences.
MGA’s Office of Technology Resources (OTR) is responsible for monitoring compliance, investigating potential violations, and coordinating with appropriate university offices to enforce this policy. Questions regarding the interpretation or application of this policy should be directed to OTR.
Exceptions to this policy must be formally requested through and approved by the Chief Information Officer (CIO) or their designee.
7.0 Definitions
Cloud Storage: The digital storage of data on remote servers that are accessed via the internet. These servers are owned, managed, and maintained by third-party service providers under contractual agreements. In MGA policy, cloud storage refers to services formally approved by MGA and/or USG for storing, accessing, and managing institutional data—such as Microsoft OneDrive or Salesforce.
Institutional Data: Information created, collected, maintained, or managed by MGA in the course of conducting university operations. This includes administrative, academic, financial, and research data.
Personal Data: Information that relates to an identifiable individual and is not collected or maintained for institutional purposes. Examples include personal photos, personal financial records, or non-university-related documents.
Approved Cloud Provider: A cloud service vendor that has entered into a formal agreement with MGA and/or USG and meets all applicable data security, privacy, and compliance requirements.
Sensitive Data: As defined by the USG Business Procedures Manual Section 12.4.2, sensitive data includes information that requires special precautions to protect from unauthorized access, use, or disclosure. This includes student records, financial data, health information, and other regulated data.