Follow this guidance if you’re a civil servant or government contractor and need to use cloud tools safely.
Software as a Service (SaaS) tools are also known as cloud-based applications, open internet tools, web tools and cloud tools. We use the term cloud tools in this guidance for clarity.
Cloud tools provide increased collaboration, productivity and project management capabilities. However, there are risks when using these tools, as they are operated by third parties and are often hosted outside the UK. Because information can be transferred across the internet easily, there is a risk of data being intercepted or accessed by the wrong person.
When you’re working for a government organisation, it’s your responsibility to make sure you use tools safely and protect data within tools. You must follow your organisation’s security, data protection and information management (IM) policies, which take into account the:
Read this guidance if you need help:
- setting up an account for a cloud tool
- using cloud tools responsibly
- protecting data in cloud tools
- managing information in cloud tools
Setting up an account
First check with your IT department or team to confirm the tool you want to use is suitable, supported, and has been through an information assurance process before you buy the tool or set up an account.
You should use any security settings the IT team suggest you use, such as Single Sign-On (SSO) or two-factor authentication.
Always use your work email when setting up any SaaS accounts. This makes it easier for your organisation to manage the tool.
You should also talk to your IT team about who has access to the tool and their responsibilities. They can also tell you what you need to do if there is a security incident involving the tool.
Using cloud tools responsibly
When using cloud tools you must:
- use the tool to meet the business needs of your organisation
- protect data from unauthorised access and use
- not use the tool to process or store information that has a security classification above OFFICIAL
- not share an account with anyone else or give anyone access to the tool with your login details
- hand over information or administrator permissions if you leave the organisation to avoid pages, sites, documents and groups being locked or lost
Protecting data stored
To protect data you should:
- make sure any operating systems, browsers or apps you use to access the tools are up to date
- avoid collecting and sharing personal data, unless you have a legal basis to do so
- delete personal data if the legal basis for collection has expired
- follow your organisation’s bring-your-own-device (BYOD) policy and NCSC guidance on end user device security
- check settings when you share content to make sure that only the relevant people have access to the information, for example within your project team
- not make information publicly visible unless there is a business reason to do so, for example for communications or consultation purposes
If you think someone else is using your account or you see any suspicious activity, tell your IT team immediately.
Information you store and exchange in cloud tools is subject to disclosure through:
- the Freedom of Information Act (FOIA)
- the Data Protection Act (including GDPR guidelines)
- a court order
- other legal requirements
Create an audit trail to show why you made decisions. This can help your organisation respond quickly to Freedom of Information, data protection or court order requests. It also helps your organisation move important records to The National Archives to comply with the Public Records Act.
When storing information you should follow any guidance from your IT team and make sure you:
- name and organise documents and information clearly
- export any data in a reusable format, for example as a CSV file
- make sure the right people have access to information in cases of staff or organisational change
- only keep information that’s valid and delete it when it’s no longer needed
If you need to use a SaaS tool to process any personal citizen data, check with your security or Knowledge and Information Management (KIM) teams, as they will help you assess this need. For example, if you are crowdsourcing ideas in an open policy-making exercise, you must complete a Data Protection Impact Assessment (DPIA). You should also consider how you will tell citizens how their data will be processed.