Below is a version of what I posted (with typos / language corrections)
When considering the use of cloud storage there are a number of areas to consider.
- Under the Data Protection Act the most relevant of the 8 principles is principle 7.
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
In previous years the ICO has talked about reasonable steps, but they now make it clearer that it is ‘appropriate’ measures, and consideration of this has to be based on the type of data being stored / processed and the likely impact / damage should it be compromised.
Translation? Before you decide where you can store things you have to consider what you are storing.
- When looking at cloud based storage you need to complete a risk assessment of what is being stored, where it is being stored (location of the actual servers, company history, T&Cs, etc), what measures are being taken (technical and organisational) to protect it and what the alternatives are.
In the past there has been lengthy discussion about the suitability of certain services: Google Apps, Microsoft’s Office365, Dropbox and so on. The principles above stay the same. The ICO talks about data being processed outside of the EEA, companies that have signed up to the Safe Harbor agreement between the US and EU, advice on cloud computing in general and so on. The important differences between private cloud, community cloud and public cloud (and the resulting hybrid model that is possible with some use of all 3) should be considered here.
Translation? Putting things in the cloud is fine, but you have to plan what you are doing and take care to make sure about the partner / service you are working with.
Previous conversations about the use of Dropbox can be summarised in the following points:
- Do we know where the data is? Yes, we now know they use Amazon storage based in the US.
- If the data is outside of the EEA can we still use them? DropBox have now signed Safe Harbor so there is nothing there stopping you anymore.
- Is it safe? Yes, for a given value of ‘safe’ … once the data is stored, it is not so much how the data is transferred, or how it is stored when it gets there … more a case of how access to it is controlled. This takes us back to the ‘appropriate technical and organisational measures’ part of the DPA.
Now let’s look at what considerations should be taken for *any* cloud based service. This is not a definitive checklist, but from chatting with most folk it is a darned good place to start.
- Check where and how the data is stored.
- Consider if it is within the EEA or in the US with Safe Harbor signed. If it is with a US company who has signed Safe Harbor but there is no guarantee the data is held in the EEA or US then you have to consider the locations where it is stored and the impact any local laws there may have (e.g. is it stored in Australia, Brazil, Thailand, etc, and do any local laws mean data could be seized differently than if UK / EU / US laws were applied?) and how this affects you.
- What are the guarantees around the company? Anyone can set up a service but do you trust the company? Have they passed any security audits? If they are a specific education company do you need to consider DRS checks?
- Now the data is stored outside of the school what are the restrictions on access / processing? Technical? Organisational? What are your audit trails for this?
Bringing it back to DropBox again … the main concern here is how the data is accessed and cached on local drives. Is the account being used a ‘personal’ account? What guarantee is there that you can control the data should that personal account no longer have the right to access it?
- Scenario 1 – HoD needs data to be shared with teachers in her department. She has a DropBox account, as do others. She uploads a coursework logging spreadsheet into a shared folder and others access / complete it. A member of staff leaves so that access needs to be removed. Who removes it? As the service used is personal then it has to be the HoD? Is she aware of this?
- Scenario 2 – HoD needs data to be shared with HoDs for other departments to target intervention children. The spreadsheet will contain reasons for intervention, including details of personal circumstances (which can include Sensitive, Personal Data). A member of staff is suspended due to allegations … how is that data then secured? The school has no oversight of the methods used to share the data and is reliant on all staff taking ownership of controlling data. The audit trail for this is horrendous!
- Scenario 3 – The same data is being shared between HoDs. One HoD installs the client on their home computer, which is used by all family members. At this point the school has no control over how the data is controlled. Guidance needs to be provided (using organisational measures rather than technical measures) but again, the audit trail on this is horrendous.
- Scenario 4 – The same data is being shared between HoDs. One HoD installs the client on a personal mobile device. The device is then stolen. Is this a data breach? How was the device encrypted? Can it be remotely wiped?
The above scenarios would make most people shy away from using *any* cloud service … but actually, the ways of dealing with and mitigating the risk are pretty much the same as if you are using school hosted services.
- Make sure that your AUP for staff covers the use of cloud services and the personal responsibility that each member of staff has to ensure that they only share data by controllable means. The school needs to assess whether their staff have a good understanding of Data Protection and Information Management, and then they can choose appropriate training as well.
- Make sure staff understand what levels of data are being processed. DPA talks about two levels, Personal Data and Sensitive Personal Data. Becta also worked on the use of Business Impact Levels and the UK Govt still gives advice around this too. CESG has the specific information if needed.
- When using email, make sure staff understand what sort of data can be shared on that service. Good practice is to store the data in a controlled location and email the link to it, rather than emailing the file around. This is also good practice for managing mailbox size too. Win-win!
- Where cloud storage and email are accessed on a device then make sure it is encrypted, secure and wipeable. For desktops, physical security is taken into account; for laptops, device encryption; but for mobile devices (phones / tablets) there is a strong level of importance on device encryption, a strong passphrase for access and the ability to remotely wipe. It might be that tablet devices need to have 3G access purely to allow them to be remotely wiped. The company position on how this is dealt with on personal devices (and the audit trail for verification too) needs to be set out as well.
So, back to the question. Can you use DropBox?
Yes … but make sure you consider the above 4 points, factor in the cost (both technical and organisational) for implementing it (and yes, that includes training, checking staff personal devices, etc), the politics involved (not usually dealt with by NMs but by SLT …) and the timescales involved.
Make sure that SLT know and understand that this is to do with the application of a Law within the school … and that you are not being negative or trying to stop people doing things …
Look at alternatives. Remote access to school systems, so that the data never leaves your walled garden, is very good but can get very expensive.
Instead of using personal tools have a look at verified cloud based services. Some have no licence costs (O365) but you then get the limitations of it being a free service, shared with others … and you have to factor in school staff time on it; others have a cost but you then know that the service is backed up by SLAs, etc (declaration of interest … I do work for such a cloud-based service!).
I hope this covers off most of the areas you needed to look at, and answers some of the questions that might arise within the school too.