Cloud Email – Appropriate Use | Paul G. Allen School of Computer Science & Engineering

Many people want to use cloud services, and often open a "consumer" account (gmail.com, outlook.com) and use that for UW-related work. This raises problems for you and for UW. There is a complicated, and sometimes non-obvious, set of regulations that come into play - your personal (consumer) Google Account doesn't meet FERPA, for instance. This document tries to help you get your work done, using the services you want, while also not running afoul of the regs.

NOTE: Using external (cloud-based) email or other services doesn't change anything about the University Appropriate Use Policies or University Email Policy. In all cases – whether you use internal UW servers, or external cloud-based services – you are responsible for complying with official UW policies, standards and guidelines. Using a sanctioned cloud provider, where UW has a contract, makes things MUCH better – for you and for UW

NOTE: Using "consumer" versions of cloud-based email is NOT the same as using the branded, sanctioned services - even from the same provider. For instance gmail.com or live.com email services is not approved for official UW use, because there is no contract between the UW and the provider. More about this below.

Some examples of things you can use sanctioned cloud services for – which is pretty much everything you already use internal UW services for:

for teaching - the sanctioned services do meet FERPA regulations^†, whereas other external providers (where UW does not have a contract) do not;
for research - provided you are not engaged in any export-controlled activities. No export-controlled information may be stored in any cloud services, because cloud providers often utilize data centers scattered around the globe;
for administrative functions associated with teaching, research and departmental business.

In addition, there are some things that you may not use cloud-based services for, even if the UW has a contract with the service provider. Read on...

Important Details

What is NOT Allowed in the Cloud

In addition to the standard appropriate use rules, there are some additional restrictions for use of ANY cloud services, including UW-contracted and sanctioned services:

HIPAA – The Health Insurance Portability and Accountability Act includes strict provisions to protect the privacy of individual's health information. If you deal with HIPAA data (highly unusual for CSE members), you may not use an external provider for email, or documents that contain protected health-related data.
Export Controlled Information – If you deal with "export controlled" information, or any federally "classified information", you may not utilize any external provider for any such email or data. Check with the UW Office of Sponsored Research if you are unsure if this applies to you.

Personal Email

What if I forward my CSE or UW email to my personal Yahoo or Gmail.com account?

If you are an employee, don't do this. When your UW email is handled by an "approved", sanctioned cloud provider, the provider is contractually obligated to handle security, privacy, and thorny legal issues such as search warrants, litigation holds, and public disclosure requests in appropriate fashion, and in coordination with UW personnel. If you forward your UW email to your personal email account, you may put yourself and the University at substantial risk, because the "End User Agreement" that you make with those providers will not have the necessary provisions to comply with state and federal laws, regulations and procedures. For instance, you would be responsible for acting on legal "eDiscovery" obligations. (Don't know what that means? A good reason to avoid this situation!)

Furthermore, if you are a faculty member, staff member or a TA, you must never use a private email account for sending or storing student educational records (where UW does not have an appropriate contract). This is a FERPA requirement. If you use an approved cloud provider with whom the UW has a contract that includes appropriate FERPA compliance language (currently, only Google and Microsoft), it is acceptable to use that service for FERPA-protected educational records (with Microsoft, only the email service meet FERPA requirements - other Live@edu services currently do not, although this will likely change in the future.)

This bears repeating: forwarding your email to a non-contract provider does not change the laws regarding your email, and it may put you and the University at substantial risk.

Best plan: use a "branded" and sanctioned cloud service for UW-related work, and a personal account provider for personal use.^† Also see: "Separate Work and Personal Email and Files"

Terms of Use

You must abide by the Terms of Use for CSE Cloud Services, in order to use these services. Please understand that cloud services represent a rapidly changing landscape, and while we do not expect the Terms of Use to change frequently, they may occasionally need to be updated to reflect new information or conditions that arise. It is your responsibility to keep up (yeah, we know...). Significant changes will be announced to affected users, or broadly to the department.

^†Currently, Google and Microsoft are the only UW-sanctioned cloud service providers that meet the criteria for employee use for UW-related work, using CSE (or UW) credentials. NB: With Microsoft, only the email service (Outlook Live) meets these criteria; the associated services, such as SkyDrive and Office Live Workspace, do NOT meet these criteria for UW-related work.