Originally posted in 2015: Are you using a cloud service like Office 365, Google Apps, or iCloud in your school? We show you how to make sure that you’re meeting your data protection requirements and not breaking the law.
When I first started using Google Apps in school almost eight years ago, I spent a lot of time making sure we could meet our legal requirements for handling data. It wasn’t an easy process: at the time few schools were using cloud services, and even our local authority didn’t have the information we needed to push forward with the project. With the introduction of GDPR this process has become more important than ever.
Luckily we had a solid team of technicians to sift through the information and put together a cloud services policy, but most schools aren’t in such a position. Individual schools simply don’t have the resources to ask the sort of questions that need to be answered when signing up to a cloud service like Google Apps, Office 365, or iCloud.
To remedy this, the UK government has put together a checklist and self-certification scheme that schools, local authorities, and school leaders can use to determine whether a cloud service provider meets UK law and is suitable to use in your school.
The new guidance, entitled Cloud (Educational Apps) Software Services and the Data Protection Act, gives a formal framework for companies like Google, Microsoft, and Apple to complete in order to answer common questions that schools should be asking of cloud companies.
The outcome is a comprehensive checklist of answers to questions like:
- Does your cloud service fully comply with the Data Protection Act?
- Do your services ensure the school can delete data to meet data protection requirements?
- Do you prohibit personal data or metadata being shared with third parties?
- Are appropriate controls in place to ensure only authorised staff have access to client/customer data?
The document, which is updated annually, covers many areas of cloud services that have caused concern in schools recently. It looks at:
Data protection and legal requirements
Does the cloud service allow the school to ensure that its personal data is processed in compliance with the DPA?
Data confidentiality
Schools should ensure that the cloud service provider can give sufficient guarantees about its technical and organisational security measures.
Service availability
Can your cloud service provider provide timely and reliable access to your school’s data? Have your service provider and school assessed the level of risk and whether the school is prepared to accept that risk?
Data transfers outside of the EU
Where is your data being stored and does it meet your Data Protection requirements?
Use of advertising
Does your cloud service provider target advertising at your users? How does it target the ads? Can they be disabled?
Self-certification
The scheme is designed to provide information to schools when deciding which cloud provider to use, but it doesn’t remove schools’ legal requirements to properly investigate cloud providers first.
The particular focus of this document is to help schools by reducing the burden and complexity associated with understanding whether a particular supplier’s cloud service claims to meet the relevant UK legal requirements in respect of data protection. This guidance is not intended to relieve schools of any legal responsibility under the Data Protection Act and any associated legislation.
At the current time there are only responses from Google, Microsoft, and Schoolcomms — Apple has yet to make an appearance — but it’s a great start and provides schools with a good starting point to make sure they are keeping within the law when stepping into the world of cloud services.
Some resources that you may find useful
Full Cloud (Educational Apps) Software Services and the Data Protection Act document
Google’s self-certified statement