New government guidance on use of cloud software services
The Department for Education (’DfE’) has recently produced advice and information designed to help people to understand some of the key principles,…
The Department for Education (’DfE’) has recently produced advice and information designed to help people to understand some of the key principles, obligation and duties in relation to the Data Protection Act (‘DPA’), particularly when considering moving some or all of their software services to internet-based ‘cloud’ service provision. The advice, which is applicable to all maintained schools, free schools and academies, will be of interest to local authorities, school leaders, staff and governing bodies. As well as considering schools’ key obligations, it also advises on security issues relating to suppliers and how the DfE is involved.
The DfE makes the key point that, when considering data protection alongside potential take-up of cloud solutions, schools will need to be aware of the various challenges and responsibilities in respect of personal data that still remain, or indeed are created by this kind of data processing. Whilst school and children’s data may be stored and controlled in the cloud by a supplier, responsibility for all areas of data protection compliance nevertheless remains with the particular school.
The key areas that schools need to address under the DPA are:
- Overarching legal requirements - schools should ensure that their personal data is processed in compliance with the DPA.
- Data processing - as data controllers, schools are responsible for ensuring that the processing carried out by their cloud service provider complies with the DPA. The best way to do this is to have a contract and a data processing agreement in place.
- Data confidentiality - when choosing such a provider, schools should pick a data processor providing sufficient guarantees about the technical and organisational security measures governing the processing to be carried out, and take reasonable steps to ensure compliance with those measures.
- Data integrity - data integrity has been defined as “the property that data is authentic and has not been maliciously or accidentally altered during processing, storage or transmission”. To assist schools in understanding if the cloud service being provided by a particular company is likely to comply with the DPA in this regard, suppliers will be asked to confirm compliance.
- Service availability – this means ensuring timely and reliable access to personal data. One threat to availability in the cloud which is often outside the provider’s responsibility is the accidental loss of network connectivity between the client and the service provider. Data controllers should therefore check whether they have adopted reasonable measures to cope with the risk of disruptions such as backup internet network links. Data controllers should also assess the level of risk and whether the school is prepared to accept that risk.
- Data transfers beyond the European Economic Area - to help schools understand whether the cloud service being provided complies with the DPA in this field, suppliers will again be asked to confirm that they meet DPA requirements.
- Use of advertising - recognising the particularly sensitive nature of the data likely to be processed in a cloud service aimed at schools, there is particular concern in relation to the use of advertising and the extent of data mining which providers of cloud-based services may adopt. To help schools understand if the cloud service being provided will involve serving advertisements or engaging in advertisement-related data mining or advertisement-related profiling activities, suppliers will be asked to confirm their policy. Guidance from the Information Commissioner’s Office (‘ICO’) states:
“In order to target advertisements the cloud provider will need access to the personal data of cloud users. A cloud provider may not process the personal data it processes for its own advertising purposes unless this has been authorised by the cloud customer and the cloud customer has explained this processing to cloud users. Remember that individuals have a right to prevent their personal data being used for the purpose of direct marketing”.
The effect of this is that a school would have to agree to the advertising and would then have a duty to explain to staff and pupils what personal data would be collected, how it will be used and by whom and what control they have over the use of their data in this way. Given the obvious difficulties with schools deciding if children are competent enough to understand any explanation of their data being used for advertising, and to understand and exercise their right to object, without parental involvement, the DfE advice is that it would seem sensible to avoid this in solutions for schools, especially where children are concerned.
So that schools can be confident about the accuracy of the self-certification statements made by cloud service suppliers, the suppliers entering into the self-certification process are required to agree:
- that their self-certification checklist (‘SCC’) has been fully and accurately completed by a person or persons competent in the relevant fields
- that their SCC has been independently verified for completeness and accuracy by a named senior official of the provider
- to update their SCC promptly when changes to the service or its terms and conditions would result in their existing compliance statement no longer being accurate or complete
- to provide any additional information or clarification sought by the DfE as part of the self-certification process
- that, if at any time, the DfE is of the view that any element or elements of a provider’s SCC requires independent verification, the provider will agree, supply all necessary clarification requested, meet the associated verification costs, or withdraw their submission.
The DfE is facilitating this checklist procedure and will make the completed self-certification statement from cloud service providers available via its website when it is satisfied that the self-certification checklist is accurate and complete, the checklist is supported by a declaration of accuracy and completeness by a named senior official of the cloud service provider and there are no other outstanding issues.
The self-certification checklist consists of a range of questions comprising the checklist question, the response ‘colour’ (green, amber or black, depending on the response) and the evidence that the supplier will use to indicate the basis for their response. The DfE suggests that schools use the checklist in order to support their assessment of the extent to which the particular supplier’s services meet their own needs, in terms of DPA compliance and any other criteria that a school may have. Checklist statements are currently available from Google and Microsoft and more will be added. Helpfully, the DfE also offers links to further information from the Information Commissioner’s Office – schools will hopefully appreciate this assistance in an area which is potentially fraught with both technical and compliance-related headaches.