Accessibility statement

Cloud storage services 

Cloud storage services are great for transferring large files, accessing files remotely and working collaboratively with others. 

Approved services

We recommend you use these approved services depending on what you want to do.

Share files

Transfer sensitive files

For example, files that can’t be sent by email for contractual reasons such as restricted research data.

Access files remotely 

Unapproved services

Departments should not approve expense claims for unapproved software and services. 

The University incurs significant costs to provide staff with approved cloud storage, file transfer and collaboration tools, as well as appropriate security tooling to monitor and protect University systems and data.

Dropbox and other similar file hosting or sharing services are not approved for storing University data and must not be used as such, Dropbox installations are no longer approved as standard. An installation may be approved if the file hosting or sharing service is commissioned by an external partner where we have a contract to cover our collaboration, e.g. Research projects with other institutions.

We cannot allow the routine use of these services because:

  • To comply with the UK GDPR and Data Protection Act 2018, the University must have appropriate contracts with third-party providers who handle personal information (eg student grades, staff details and research data). Free or ‘personal’ software licences are often insufficient in meeting these requirements. Staff should not enter into agreements with vendors on behalf of the University without the approval of Procurement, Legal and IT Services.
  • Dropbox doesn't work with our approved methods for user authentication (eg single sign-on), user management and access control. This increases the risk of unauthorised access (eg staff who have left the University) and unnecessary data retention. It also makes the University's password policy unenforceable, increases the risk of password reuse, and bypasses the required two-factor authentication, implemented to safeguard University data.
  • IT Services has limited control of external services, which is challenging for business continuity and disaster recovery (eg in the event of data loss, illness and staff turnover). It means we're unable to detect suspicious login activity, prevent unauthorised access, or perform subsequent security investigations.

If you believe you have an exceptional circumstance, you must get approval from Cyber Security before using an unapproved external service. To discuss your circumstance, please contact IT Services.