What cloud storage for a very small charity?

[eteb3]

For context, we work with vulnerable people and GDPR 'special category data'.

I've searched up archive posts, and there seems to be no great consensus.

We're using Google Drive at the moment
Pro:

• fantastic for sharing between multiple users
• online document editing
• no 'weakest link' problem: everyone uses the online interface, no idiot has an unlocked laptop and open hard drive
• 2FA as standard

Con:

• online people say it's not secure?
• possibly some loss of confidence from beneficiaries given Google can read everything - not sure how real this concern is, but could find out

I've seen lots of noise about Truly Office, which is said to be built privacy-first. But I can't find a white-paper (not sure I'd understand it, tbh), just lots of "news" articles that look like write-ups of the same press release.

Any guidance much appreciated. Thanking you all.

 

[tertius]

For context, we work with vulnerable people and GDPR 'special category data'.

I've searched up archive posts, and there seems to be no great consensus.

We're using Google Drive at the moment
Pro:

• fantastic for sharing between multiple users
• online document editing
• no 'weakest link' problem: everyone uses the online interface, no idiot has an unlocked laptop and open hard drive
• 2FA as standard

Con:

• online people say it's not secure?
• possibly some loss of confidence from beneficiaries given Google can read everything - not sure how real this concern is, but could find out

I've seen lots of noise about Truly Office, which is said to be built privacy-first. But I can't find a white-paper (not sure I'd understand it, tbh), just lots of "news" articles that look like write-ups of the same press release.

Any guidance much appreciated. Thanking you all.

Not too sure if "Google can read everything"..... There would be a widescale uproar if they were trawling the contents of individual Google drives. Nevertheless you could look at mega

 

[eteb3]

Not too sure if "Google can read everything"..... .

They certainly can. It's only a machine doing it, of course, but it's being scanned and monetised all the same.

Nevertheless you could look at mega

Thanks - does it mean downloading files locally? My worry with our inexpert volunteers is that it makes for a litter of sensitive files in multiple places.

 

[Ozzy]

My worry with our inexpert volunteers is that it makes for a litter of sensitive files in multiple places.

You are only going to get over this with training I’m afraid, as you will find them all saving copies to their desktop etc.

However, as an online techie person and considering your comment above, I would suggest you still with Google but upgrade to workspace if you haven’t already. That way you can use their workspace controls on data sharing to set rules up on access. That way have some confidence in who is able to access certain file.

I can’t remember if workspace is free for charities any more, it was when I chaired Young Enterprise EM and we used it, but if it isn’t free UKBF can give you a 15% discount code.

 

[eteb3]

That's super-helpful, Ozzy - thank you.

Will investigate and may well take you up on the -15%!

 

[WaveJumper]

I would also make sure you have proper written procedures in place appoint a data controller etc and as mentioned above lots of training for anyone having access.

What does it mean if you are a controller?

ico.org.uk

 

[antropy]

Have you considered Dropbox?

Paul.

 

[Nico Albrecht]

Any guidance much appreciated. Thanking you all.

I'd opt for a HIPAA-compliant cloud provider. While HIPAA is a US standard, it's notoriously stringent to meet. HIPPA is for medical data and any software or hardware that got hippa certified is normally top notch.

Compliance entails extensive additional security measures. Google offers HIPAA compliance through a Business Associate Agreement (BAA), but it requires a specific request.

Regarding security, assume that anything stored in the cloud is susceptible to being accessed. As the data owner, it's your responsibility to encrypt it on your end rather than relying solely on a third party.

If you search for Google Cloud's board of directors, you'll find retired top CIA and military generals serving. While it's uncertain what this means exactly, having former CIA generals on the board doesn't inspire much confidence in data security.

 

[WaveJumper]

Blimey Google and CIA not sure ill be getting any sleep tonight ?

 

[eteb3]

Have you considered Dropbox?

Hadn't, and good suggestion. A quick look shows it to be out of our league given our income.

 

[eteb3]

Google offers HIPAA compliance through a Business Associate Agreement (BAA), but it requires a specific request.

Is it straightforward to administrate it? Looks mightly complex, but maybe that's the legalese rather than the operation. Or maybe nothing changes except Google's back end?

 

[Nico Albrecht]

A quick look shows it to be out of our league given our income.

Microsoft offers all that free of charge ( HERE ) for charities. Budget cant be a problem than.

 

[Kerwin]

I'm a big fan of Microsoft 365. Not only can you use all the desktop office apps you can also use them in the browser. Also they seem pretty secure. The prices are not bad either and as mentioned above they have plans for non-profits and charities.

 

[Paul Kelly ICHYB]

online people say it's not secure?

Who are these secretive online people?
It is no more or less secure than other systems - the insecurities normally come from users!

possibly some loss of confidence from beneficiaries given Google can read everything - not sure how real this concern is, but could find out

Any document uploaded to any service is read. Do Google use the data - they claim no - https://support.google.com/docs/answer/10381817

Both Google & MS offer free or heavily discounted subscription for charities - a charity I am a trustee of spend almost £2k a year for Google (for 5 accounts!) via a host/registrar and I am trying to convince them to get it for the charity deal/free (of course the host convinced them to take different levels for different users, all with enhanced security....!).

 

[antropy]

Any document uploaded to any service is read.

No that's not true at all, some are encrypted.

Paul.

 

[DontAsk]

Any document uploaded to any service is read.

Only in the sense that the data is transferred from one place to another, i.e., its read from the source and written to the destination.

If you are really worried, encrypt the files first.

 

[Paul Kelly ICHYB]

Many document services allow you to search for documents or words within - to do this, they are read. To get the metadata, they are read.

It all depends to what level they are read (and,in this topics case, what is done with the data).

 

[antropy]

Many document services

Ah but you said "all".

Paul.

 

[Paul Kelly ICHYB]

Sorry!

I could argue that, even encrypted, they are read, but it won't understand them!

But I won't!

 

[Nico Albrecht]

No that's not true at all, some are encrypted.

It varies. When you upload data to a cloud server, the transport and storage might be encrypted, but the cloud company holds the encryption key. If you don't establish an encryption key unknown to the cloud provider, then it's fully encrypted.

Sage provides a solution akin to this with Sage Drive. It alerts customers before setting an encryption password that they won't have access to. If you simply log in with a username and password, the provider can access your data.

Backblaze offers a similar option for cloud backups but allows users to choose.

However, relying solely on the provider's encryption isn't ideal for consumers since they often forget passwords.