The Department for Education (“DfE”) has issued some new guidance to help academies understand their duties and obligations in relation to the Data Protection Act (“DPA”), particularly when considering the use of internet-based “cloud” service provision.
The advice is underpinned by a self-certification scheme in which suppliers of cloud services use a checklist to confirm their compliance with the requirements of the DPA. The checklist must be independently verified by a named senior official of the supplier, and must be kept up to date. The supplier may also be required to submit to further independent verification.
The DfE will make self-certification statements available via its website to enable academies to make informed decisions about which providers to choose. Suppliers who have already completed their responses include Google and Microsoft.
It is important to remember that cloud suppliers themselves are not directly subject to the UK data protection legislation – responsibility for safeguarding personal information remains with the academy as the data controller. Suppliers’ self-certification statements should therefore be treated with caution and should not be a substitute for academies doing their own detailed due diligence when deciding whether cloud services are a suitable and secure means of storing and processing personal information. Academies should also ensure that they have reasonable measures in place to cope with the risk of disruptions, such as the accidental loss of network connectivity between the academy and the service provider.
Data processed in a cloud service aimed at academies is likely to be particularly sensitive, and this raises concerns about the use of advertising and data mining. Cloud providers cannot process personal data for their own advertising purposes unless this has been authorised by the academy and the academy has explained this process to the individuals about whom it collects and processes personal information. Academies would therefore have to agree to the advertising and would then have a duty to explain this to these individuals. This presents obvious difficulties with deciding whether children are competent enough to understand that their data will be used in this way. The DfE therefore advises academies to avoid agreeing to allow their data to be processed for the purpose of direct marketing.
Note of caution
Whilst the guidance provides a useful starting point, it is not a comprehensive guide to your legal duties and obligations in this area, which are complex. For example, the DfE guidance states that the best way to ensure that data processing is carried out by a provider in accordance with the DPA is to have a contract in place – in fact this is a legal requirement. It is therefore also recommended that academies ensure they are familiar with the further data protection advice for academies which can be found on the ICO website. If you are unsure of the implications of using a cloud service you should seek legal advice.