Answer

Note: External storage refers to publicly available data storage servers not under the control of Georgia Tech, such as personal Dropbox, Google cloud, or Amazon S3. As an alternative to external storage, the Institute has entered into an agreement with DropBox to provide enterprise DropBox services to campus. TSO also makes available upon request space on AdminFS that is suitable for storing sensitive data and is reachable via VPN.


That depends on the data you wish to store. If this is your personal data, you are free to store it on external storage, if you so choose. Sensitive data as defined in the GT Data Security Classification Handbook must be stored on servers that meet certain security requirements. See the answer to question 3 below for further details.

Research data may be stored on external sources if it meets certain criteria. The questions below will help guide you on whether you can and what steps, if any, must be taken to be approved.

  1. What are you trying to accomplish by using online storage to store research data?
  2. Is this sponsored research?
  3. Is the data you want to store a result of research? Is it research data?
  4. Are you researching the effects of storing data in online storage?
  5. Does the data being stored come under export control?


If the answer to 2 is "yes," then it must be cleared by GTRC before you can use it and would require the same level of protection as the answer to question 3.

If the answer to 3 is "yes" (regardless of it being sponsored or internal research data), then it is category III data according to the Data Security Classification Handbook. In this case, Data Protection Safeguards demand that physical security safeguards be in place to protect the data, all of which falls under the Computer & Network Security Procedures. You would be precluded from using a third party to store the data without a contract in place that insures the Data Protection Safeguards have been met. The contract would have to be reviewed GT Legal, GT Internal Audit, and OIT Information Security to insure compliance.

If the answer to 4 is "yes," then it falls into two categories, sponsored or internal research. If it is sponsored research, then see the answer to question 2. If it is internal research then it would need to be reviewed by GT Legal, GT Internal Audit, and OIT Information Security to insure GT is not at risk.

If the answer to 5 is "yes," then the answer is almost certainly no. Most of the online storage vendors do not guarantee that the data will be stored in the U.S. nor do they guarantee that foreign nationals working for them will not have access to the data. The data could be encrypted but we would still need an export waiver to store the data online. It would also require review by GT Legal, GT Internal Audit, and OIT Information Security to insure compliance with the Data Protection Safeguards (see answer to question 3).