Guidance to assist both staff and students, who may be considering using a third party organisation, or cloud provider, that will involve the transfer of personal data.
(Generally defined as access to computing resources, on demand, via network)
Many cloud providers are directing their products and services towards the education sector, with promises of high-level accessibility and efficiency, often free or at a low cost. While these offers can seem attractive, privacy and security implications remain a major concern to many organisations.
The following guidance has been developed to assist both staff and students who may be considering using a third party organisation, or cloud provider, that will involve the transfer of personal data, to ensure compliance with data protection law and to protect the rights of the participants involved. The guidance is aimed at staff and students who are responsible for personal data for which UCL is the data controller (legally responsible).
To assess whether a cloud service will provide adequate levels of protection to the personal data you will be processing (processing is generally defined and covers all manner of use, including obtaining, recording, holding, altering, retrieving, destroying or disclosing data), you should consider the following points before using a cloud service:
• Will the agreement with the third party organisation or cloud provider involve any transfer of personal data? Personal data relates to a living individual who:
  • Can be identified from that data
  • Can be identified from that data and any other information which is in the possession of, or likely to come into the possession of, the data controller.
Adequacy
Cloud providers will often store personal data in various countries across the world, including the USA. In order to comply with data protection legislation, you should not transfer personal data outside the EEA without assessing whether the country it goes to has ‘adequate’ levels of protection for personal data, that is, that the data will be protected to the same standard as it is in Europe. With this in mind, when you are processing any personal data, and particularly sensitive personal data (for example ethnicity), you will need to make sure that the cloud platforms you are intending to use comply with European data protection law.
If your cloud provider cannot provide you with assurances that the personal information you will disclose to them will stay within the European Economic Area (EEA) or somewhere on the approved countries listing (see below), then you must seek further advice from Legal Services before you proceed to ensure that the transfer of the personal data is lawful. Ultimately it may be necessary to use specific model contract clauses approved by the EU unless an exemption, such as consent from the individual data subjects or a contract between the Data Controller (UCL) and the data subjects, applies.
US EU Privacy Shield
Cloud providers that store personal data on servers located within the EEA are obliged by virtue of their location to comply with EU data protection law. However, this becomes more problematic when storing personal data on servers based in countries outside the EEA, which are not subject to the same laws.
Transfers to the United States of America (USA) will not be legal unless a specific mechanism is in place to facilitate this. One means of complying with European personal data export requirements is for organisations based in the USA to certify their compliance with a framework called EU-US Privacy Shield. This framework, put simply, protects the rights of anyone from within the EU whose personal data is transferred to the USA by requiring member organisations to certify they will process personal data in a manner compatible with EU data protection law. On this basis, and as long as the cloud provider is a member of Privacy Shield, transfers to the USA will be compliant. However, you should still be exceptionally careful when contemplating the transfer of any personal data overseas and remember that you are required to comply with data protection law in full, not just those aspects dealing with the international transfer.
Prior to the EU-US Privacy Shield framework, the main legal mechanism for legitimising transfers of personal data to the US was called Safe Harbour. In October 2015 the European Court of Justice ruled that the terms of this were not sufficient to meet the EU’s adequacy requirements, i.e. they did not offer sufficient protection to EU citizens. The EU-US Privacy Shield has introduced some redress mechanisms for EEA citizens whose personal data is processed in the USA which were absent from Safe Harbour. Any agreement or terms and conditions document still citing EU-US Safe Harbour (Swiss – EU Safe Harbour remains valid) to transfer personal data to the US will not be valid and cannot be relied upon.
European Commission’s Standard Contractual Clauses
In order to address many of the compliance obstacles raised by transfers of personal data to countries outside the EEA, a number of organisations, including those offering cloud services, have adopted model contract clauses. These organisations have created data processing agreements that include the European Commission’s Standard Contractual Clauses to facilitate European personal data export requirements. These clauses cannot be amended and provide a guarantee that the personal data processed by the third party will adhere to European Union data protection law. For further information about the use of the model clauses, contact Legal Services.
Exemptions
As indicated above, there are some exemptions to the adequacy requirements which, if applicable, may provide a solution that only results in a minimal loss of protection for the individual. However, when utilising cloud services, consent is likely to be the only possible exemption available.
For consent to be valid, it should be clearly and freely given and the individual must be able to withdraw it later.