Protecting your school’s data is more important than ever — does the cloud service your school uses meet EU Data Protection rules?
Cloud services are convenient, simple, and popular with both teachers and students. The cloud is here to stay. But how can you make sure that the cloud services you’re using meet your data protection requirements, particularly if the service is hosted in another country?
For schools within the EU we have the US-EU Safe Harbor Program, which gives a legal framework for organisations based in Europe to ensure US companies are adhering to EU data protection laws.
What is the US-EU Safe Harbor Framework?
The European Commission’s Directive on Data Protection, which went into effect in October 1998, prevents the transfer of personal data to countries outside of the EU.
Wow, that sounds really dull. Basically it means that companies outside of the EU cannot store your personal data on servers outside of the EU.
Clearly this poses a problem. Most of the big cloud service providers — Google, Amazon, Microsoft, and Apple — are based in the US. To get around this the US-EU Safe Harbor Framework — yes, I’m sticking with the US spelling here — was created. In simple terms the framework is a set of standards that a US company can use to evaluate and then join the Safe Harbor Program, thereby meeting EU data protection requirements and allowing the personal data of EU citizens to be stored on US servers.
When you store data in the cloud using a service such as Dropbox, Google Drive, OneDrive, or iCloud you need to make sure that the company providing the service meets Safe Harbor standards.
Is my cloud service provider on the Safe Harbor list?
So, how do you know if the service you or your school are using is approved for Safe Harbor? Luckily it’s really simple to check.
Simply visit the official US Safe Harbor website and use the Search by Organization Details box to find your cloud service provider.
Assuming you’ve found your service listed, you are given details of the type of data the company stores.
If you click through the link you’ll get specific information on which parts of the agreement the company meets. In the case of Dropbox:
Dropbox provides a website, software and mobile applications that allow people to store files, synchronize files across multiple devices, and collaborate with others. Dropbox’s service may also be accessed by APIs. Some Dropbox accounts are free of charge and others are paid. Dropbox also offers a service called Mailbox that lets people manage their third-party email accounts. Dropbox collects personal information from individuals in the EU/EEA and Switzerland for the purposes of providing and improving these services, entering into contracts, providing customer support, and enforcing its Terms of Service. Dropbox also collects personal information from employees to provide human resources services, to comply with applicable laws, and to provide internal security services.
If your service isn’t listed then the company does not meet the standards for EU data protection and should not be used by any organisation within the EU.
What happens if a company withdraws from the Safe Harbor Program?
A company can withdraw at any time from the Safe Harbor Program but it still has to deal with the data of current users as though they are still under the agreement.
Safe Harbor and Schools
The Safe Harbor agreement makes it simple for schools to understand how their data is being stored on servers which are physically out of reach. Giving the responsibility to manage your school’s data to an external company is always going to cause some concern, but Safe Harbor gives some legal framework to support schools and other organisations.
Of course, just because a cloud service is Safe Harbor listed doesn’t mean that it meets the data protection requirements set out by your school or local authority. You should always thoroughly check through each service’s terms of service first.