Cloud computing may save money but choose the wrong cloud service provider and the school could find itself in breach of the Data Protection Act. Paula Williamson and Harvey Davies look at the possible pitfalls
There has been huge media coverage recently on the topic of cloud computing and the benefits it brings for schools. But what exactly is it and how can it help your school? Put simply, cloud computing is where an organisation uses an application hosted and delivered over the internet by a third party. So, instead of your school purchasing and building its own IT infrastructure, it uses a cloud service provider (CSP) instead to host all its servers, software, databases, desktops and applications. These are all then delivered to the school over the internet meeting all of the school’s IT needs “on-demand”. This approach to school IT infrastructure brings significant benefits including:
Lower costs – there are virtually no upfront costs and schools can pay monthly or annually based on the computing resources they actually use. Also, most software products can be licensed on the same basis. IT solutions can be deployed extremely quickly and managed, maintained, patched and upgraded remotely by your service provider. Technical support can be provided, reducing the burden on IT staff. This means that they are free to focus on critical tasks, and schools can avoid incurring additional manpower and training costs. As costs are more predictable, IT budgets can be managed much more easily.
Flexibility/mobility – learners and staff can access their applications and data from anywhere and at anytime, without consuming any of the school’s bandwidth – ideal for staff that work from home who will have access to most of your systems “on the go”.
Resiliency – CSPs usually have superior disaster recovery and security capabilities to those that schools can afford. This is because they have access to multiple state-of-the-art data centre facilities and technologies to protect schools’ IT infrastructure with round the clock engineering support. Some CSPs also offer additional data backup and IT support packages which can further ease the pressure on school resources.
Scalability – a genuine cloud computing platform allows schools to provision resources on a fine-grained, self-service basis near real-time, without users having to constantly monitor and engineer for peak loads.
Research is the key
However, before choosing a CSP, do your research. While price is important, not all CSPs’ solutions are compliant with the Data Protection Act 1998 (DPA) and some may be cheaper for a reason. So, what has data protection got to do with cloud computing?
Where a school uses cloud services it will almost certainly engage the DPA because these services will be used to hold and manage all sorts of personal data relating to pupils and staff. The responsibility for complying with the DPA rests on the “data controller” which, in this case, is the school and not the CSP. This legal obligation continues even when the school’s personal data is being held in the CSP’s cloud. Where a school contracts with a CSP it is likely that the cloud provider will be a data processor, processing the personal data on the school’s behalf.
Why is all this important? Well, if the CSP causes a breach of the DPA, it is the school and not the CSP that will be legally liable for potential legal action. So how do you go about choosing a CSP that will not land the school in data protection hot water? The trouble is that CSP’s vary wildly. Fledgling CSP’s arguably have a higher failure risk than the larger more established providers. But do not assume that a large well-established CSP will automatically be DPA compliant. Some large CSPs are unaware of the fact that their solutions could bring a school in breach of the DPA, while others are so big and powerful that a school would find it almost impossible to exert the necessary bargaining power upon them to amend the contract so as to make it comply with the DPA.
So, what exactly are the data protection implications of buying cloud services?
Location of the data
Firstly, the DPA says that you cannot ship personal data outside the European Economic Area (EEA) without jumping through complex legal hoops. So if a school in Sussex puts its pupil database into the cloud and the CSP stores that data in New York, the school could be breaching the Data Protection Act. But many CSP’s will not guarantee to keep school data in the UK or EEA but instead will transfer it anywhere in the world to wherever there is capacity to be had – indeed this is where many of the cost savings can be generated. Also, some CSP’s think that they do not have to comply with European data protection laws if the personal data is not going to be held physically within the EEA. This is simply not true. If your preferred CSP contract guarantees that the school’s data will remain in the UK or EEA then this data protection rule will not be breached. If it does not, seek legal advice before signing.
Obligation to keep data safe and secure
When a school puts its personal data into the cloud, the DPA requires the school to ensure that technical and organisational steps are taken to keep it safe and secure. This critical legal obligation (known as principle 7) rests on the school’s shoulders and not the CSP’s. Any breach of principle 7, especially involving children’s data, will undoubtedly attract unwanted attention from the media and the data protection regulator. The DPA also requires the school to choose a CSP that is capable of offering sufficient data security guarantees and then to ensure that the CSP is sticking to those guarantees. This implies pre-contract audits and on-going due diligence inspections. A further formal requirement is that there should be a Data Processor Agreement in place between the school and the CSP. This is a written contract that imposes security obligations upon the CSP which are equivalent to those imposed on the school by the DPA. This contract must stipulate that the CSP must act only on the instructions of the school. The problem here is that while it is the school that is legally liable to keep the data secure, it is the CSP that usually decides what security and service standards will apply.
Infact most CSP’s will present their services on a “take it or leave it” basis and the school may not have the bargaining power to persuade them to include such strong security guarantees in the contract because of the liability and cost implications for the CSP. Yet without them the school is in breach of the DPA. So, schools need to check very carefully what security standards are adhered to by the CSP. For many schools, the right CSP can actually provide even better security than their own onsite infrastructure.
For any school considering cloud services, the top priority is the security of the CSP and its cloud platform. It is extremely important that schools know the physical location of their data and applications as well as the quality of the facilities used by the CSP.
For example, can the CSP ensure that a school’s applications and data are maintained in appropriate facilities with 24-hour engineering support, security guards, CCTV, restricted access, uninterruptible power supplies etc? Do the CSP’s facilities meet any international standards such as ISO 9001 (Quality Management Systems), or ISO 27001 (Information Management Security Systems)? Does the CSP use specialist cloud security technologies which provide ongoing verification of the integrity of the school’s cloud infrastructure and ensures that other cloud users and hackers cannot accidentally or deliberately view or access the school’s data and applications?
Looking at the wider data protection implications, the school may need to amend its data protection policy and privacy policy. For example, where the school plans to use the cloud for email service provision, how will data subjects react to this and will their consent be required? Additionally, the school should check that the CSP can extract school data quickly out of the cloud should the need arise e.g. where the school receives a request for information under the Freedom of Information Act or the Data Protection Act.
In conclusion
So, before signing a contract with a CSP, a school must check that the contract is Data Protection Act compliant. While one CSP’s prices may seem cheaper than others, this may be because the data is being stored cheaply outside the EEA or because the standard contract does not contain the data security obligations required by the DPA. The potential penalties for breaching the DPA include criminal and civil proceedings and fines of up to £500,000. So, before putting your IT into the cloud follow this simple data protection checklist:
- Choose a CSP that guarantees that the data will only be held within the UK or EEA.
- The contract must contain a Data Processor Agreement. These are specific contract clauses demanded by the DPA and without them the school is in breach of the DPA.
- Data should be readily accessible so that the school can comply with data protection and freedom of information requests.
- Update the school privacy notice and data protection policy to reflect your new cloud operations.
• Paula Williamson is a solicitor at The Information Law Practice and Harvey Davies is director at IstorCloud.
This material is protected by MA Education Limited copyright.
See Terms
and Conditions.