Live@UCL Data Security/Legal
Whether you have concerns about secure data transfer and storage, or questions about areas of compliance such as the Data Protection Act, we hope these Q&As cover the questions important to you.
Question,
Will my data be private?
Yes. UCL owns all data stored in the new live@UCL and administers the service. It is
subject to EU, not US, Data Protection law. Although Microsoft may advertise to
alumni, they will not advertise to staff and students. Their business model is not
dependent solely on advertising and they do not scan the contents of your mail.
Question,
Will my email be secure?
Yes. The data is encrypted in storage and in transit. Physical security is at
least as high as at present. Private Key encryption is an option for extremely
sensitive data if needed. In the first instance, any request for mail disclosure
would come to UCL for action. In time both UCL and Microsoft could become
subject to proposed “black box” surveillance laws.
Question,
How are my interests being represented?
Three separate project groups have been formed with representation of IT
support staff and end users from across the college to garner feedback during
the project's phases. Find out more about the Technical, User and Legal
project groups here. Any specific questions or queries can be sent to the
project team (email unifiedemail@ucl.ac.uk).
Question,
Will this service comply in all respects with the UK Data Protection Act,
which in some areas is more specific or stricter than EU-wide privacy
regulations? Will such DPA compliance be a requirement of all contracts/agreements
with Microsoft in a way that is enforceable by UCL under UK law?
Yes, the legal contract agreed between UCL and Microsoft
complies with the UK Data Protection Act and has been approved by the project legal group (which includes the Chair of the Security
Working Group, the UCL Data Protection Officer and Head of Computer Security).
Question,
Can you provide a link explaining “black box” surveillance laws?
UCL data held in the service is private. UCL has tools available
to respond to requests from government agencies to search this data.
However, neither UCL nor Microsoft has control over government requirements as
applied to Internet Service Providers (ISPs).
Question,
I have grave concerns about sending/storing my research-based email on a system
not 100% managed and controlled by UCL, especially one that is run by Microsoft
who aren’t exactly saints in the IT world.
The contract with Microsoft means that the data continues to be owned and
managed by UCL. This means that UCL continues to be responsible for user
account provisioning and de-provisioning and undertaking legal searches.
Microsoft are responsible for the hardware, backup and recovery in the event of
a disaster. The current service is hosted in a data centre in Dublin and
there are three copies of the data. In the future there are plans to hold
an additional copy of the data in a second data centre in Europe.
In addition, if you are using a thick email client, such as Outlook, UCL will
encourage you to keep a cached copy of your data on your local desktop
computer. This will mean that you are able to continue to work
even when you are not online. Depending on your departmental IT
service, it may be possible to keep a backup of this copy of your data on UCL
infrastructure.
If you have a question which is not covered here please contact unifiedemail@ucl.ac.uk.
