Guidance by the Department for Education (‘DofE’) provides advice to local authority-maintained schools, academies and free schools on how to check if a provider of cloud computing complies with the necessary UK legal requirements in relation to data protection. Please see here for details.
The DofE has set up a scheme for providers of cloud software to provide a self-certified checklist on their compliance with data protection obligations. The checklists must be independently verified for completeness and accuracy by a named senior official of the cloud service provider. After submission, providers must notify of DofE if any changes in their services render the checklist no longer accurate or complete. The completed checklists are available from the DofE’s website.
Schools are nevertheless the ‘controller’ of sensitive data on children meaning they determine the purposes for which and manner in which this personal data is processed and it their responsibility the data is processed in accordance with legal requirements. Part of their obligations is to ensure anyone processing the data, such as a cloud computing provider, also complies with the Data Protection Act 1998. Whilst the checklists may assist in this process, schools will also need to make their own assessment of providers and have a written contract in place with them covering data protection issues.