That's actually the first good explanation I've seen about this.
I still think the likelihood of Dropbox selling my users' data is remote though. Especially as it's stored most probably in the USA, which you would imagine has similar laws and moral values.
A quick summary then ... and this is almost a stand-alone post so trying not to refer back to lots of previous posts.
1) There is a law in the UK (and equivalent laws within the EU which are compatible with it) called the Data Protection Act. This is a very clear law as to what people can and can't do with data and information belonging to others and how you let others know you are going to use / handle their data, supported by 8 clear principles.
What this means: The 8 principles are pretty simple to follow, and the key areas of concern with cloud-based systems are where the data is stored, how it gets there and how access to it is controlled. This is not about risk management, where you can be willing to accept the risk, as the law says you *must* comply with all aspects of it.
2) When you provide access to, manage or create a tool which may hold such data you have to apply all aspects of the law. This includes remote access to MIS, WebDAV-based storage, cloud-based file sync solutions, IdPs, etc. If you have a contract with a system provider (e.g. a VLE provider) they have a responsibility to also be within the law, but you ... as the purchaser of the system ... are also responsible for ensuring they are doing so.
What this means: If you provide a VLE then you are solely responsible for making sure you follow the law. If you buy a product in then you have to be happy that you know the vendor will also follow the law. If there is a breach then you are both at fault. If you don't know what they are doing and it is pointed out that there is the possibility of a problem (even if there hasn't been one yet) then you are also at fault. An example would be that CEOP have had to sign an undertaking because their online forms did not transit over HTTPS ... they should have checked the creators of the tools did the job properly. You cannot pass the buck by claiming you didn't know any better.
3) Some systems are aimed at particular groups of people and will have contracts / T&Cs to reflect this. Although the T&Cs will have to operate within the laws of the land, you may be asking them to do more than can be expected to fit in with laws you also have to adhere to.
What this means: If you sign up for Dropbox it is expected that you know what you are doing, that you know that if you are using it for 'business' use you are happy it fits within the laws you have to follow, and that they are not held responsible when things go wrong (and so begins a long discussion about whether companies can get away with this!) ... because you should have known better. It also expects that you are signing up for it as an individual and that you are not using it to provide a heap of other stuff to others ... If you want that then you go into a different contract, and that is why they have Teams. In short ... as tempting as it is just to click 'I Accept', you really do need to read the T&Cs.
I know there are some generalisations in the above points but it should give enough of a background.
Discussion about whether the law is appropriate, whether it will be enforced to the full extent, whether the guidance available (including previous stuff from Becta) covers everything it should do ... these are almost moot points. The law says "do X ... don't do Y!"
Last edited by GrumbleDook; 20th September 2011 at 02:37 PM. Reason: Some formatting for easier reading
OK, all makes sense
Simple question then.....
Assuming a cloud service doesn't lose/sell/hack our data: do I have to worry about anything?
Well, they are not going to sell it, and I'd be amazed if the year 7 CAT scores ended up in the Guardian.
Obviously you couldn't assess that Dropbox's servers have an adequate level of protection if you don't know what country they are stored in.
The ICO page says this:
How do I assess adequacy?
You will need to be satisfied that in the particular circumstances there is an adequate level of protection. For UK personal data the Act sets out the factors you should take into account to make this decision. These relate to:
the nature of the personal data being transferred;
how the data will be used and for how long; and
the laws and practices of the country you are transferring it to.
This means doing a risk assessment. You must decide whether there is enough protection for individuals, in all the circumstances of the transfer. This is known as an assessment of adequacy. To assess adequacy you should look at:
the extent to which the country has adopted data protection standards in its law;
whether there is a way to make sure the standards are achieved in practice; and
whether there is an effective procedure for individuals to enforce their rights or get compensation if things go wrong.
GrumbleDook (20th September 2011)
I had hoped that not referring back to previous posts would have worked ... I didn't quite put enough information in it. I should have repeated that this is in reference to Dropbox and Safe Harbor.
The countries which have been assessed and shown to have an adequate level of protection are covered within the same page. The US is not in the list, but:
Although the United States of America (US) is not included in the European Commission list, the Commission considers that personal data sent to the US under the "Safe Harbor" scheme is adequately protected. When a US company signs up to the Safe Harbor arrangement, they agree to:
follow seven principles of information handling; and
be held responsible for keeping to those principles by the Federal Trade Commission or other oversight schemes.
Certain types of companies cannot sign up to Safe Harbor. View a list of the companies signed up to the Safe Harbor arrangement on the US Department of Commerce website.
In the example you have given, an assessment of adequacy is an assessment of whether they comply with the law. This differs from a risk assessment, where there is a risk that they might not comply with the law yet you are happy to accept this. Apologies if I didn't explain that bit fully. In the US a company is deemed adequate if they have signed up and been certified under Safe Harbor (remembering to check what they have agreed to within that agreement ... as they may not be covered for everything you want). Although it is a voluntary scheme and some sections are restricted from being part of this (and covered under other acts and regulations to do with finance and telecommunications), a company who has not signed up to it (never mind the woolliness of the T&Cs) gives no guarantee of adequacy.
Paraphrasing from a conversation with a DP expert who worked on the Becta advice ...
If you go down the route of trusting to a contract which has the terms to dictate adequacy then you take the responsibility on yourself, as you can only deal with them for breach of contract and not breach of law. At that point the school itself cannot guarantee the law is being complied with. The school has a responsibility to ensure all who process the data comply with the law ... (I forget the exact section of the act, but part of principles 7 & 8) and if this cannot be guaranteed then the school is in breach. The example given to me (and pretty relevant) is that if you have an insecure online form you don't have to lose data to be in breach ... the fact that it is possible means you have not done your job right. This is pretty relevant right now since this is what CEOP got collared for recently and had to sign an undertaking.
I have probably mangled the explanation a bit now ... (might have to clean it up tomorrow when awake) but I'm just trying to point out the difference between accepting risk and assessing adequacy. Drawing the line of how you then firm that up is looking like a grey area, but all the advice I have had so far (Becta, ICO, Cabinet Office) has been that for the US they have to have signed Safe Harbor for the relevant data uses you want. Since Dropbox can't even guarantee using US data centres and has a history of security problems, I don't think it would be beyond the realms of acceptance to say it is doubtful whether we could say they are taking the right measures to allow users / schools to regard them as adequate. Especially since they will not respond to questions on their forums about it and have yet to respond to 5 requests that I am aware of asking them this question (3 from me and 2 from teachers looking at the same issue). We can only work with hard facts at this point ...
Sleep calls ... out tomorrow so I'll look at any response tomorrow night.
CyberNerd (20th September 2011)
That does make sense to me, although it does seem like a minefield, even without taking into account what actually constitutes private data!
I've already given SLT advice against using Dropbox, although we use a Google Apps domain. I believe that I've made the correct decisions so far with regards to Google and Dropbox. And MS's track record for complying with the law (assessment of adequacy) kind of put them out of the frame anyway, regardless of where their data sits.
Just to add my two penn'orth - did a fair amount of research on DPA & US Safe Harbor, and I have a BIG issue with Safe Harbor - unlike the DPA, it is NOT legally enforceable. So if anyone wanted to be picky, your data stored in a data centre in the US is pretty vulnerable. GrumbleDook is correct in saying that you do not need to store data in the EU PROVIDED you can ensure it will receive the same level of protection. But if Safe Harbor isn't legally enforceable and the trigger-happy US government can raid data centres at any time, the US for me isn't really an option.
The other point which came up during discussions on this issue in my uni course: what happens to the data which crosses country boundaries? That data will have to be encrypted to the level of the lowest common denominator between the countries it crosses during the transfer. If I remember correctly, one of our lecturers (from the States) was travelling to the States with an encrypted memory stick but the encryption was higher than the US government permits and he could have been tried under some obscure weapons law (can't remember which one though).
To be honest, it is a maze. I was thinking about all the cloud-centred software schools use (MyMaths springs to mind) and we really don't have a clue where these companies really store the data...
So let's stop worrying about it then.
Re. "trumping" I posted an angle on that last Dec. Re: SkyDrive, I thought MS explicitly said data stored there could end up anywhere in the world (unlike Live@edu which is, and Office 365 SharePoint which is supposed to be, EU)? Have they changed that?
I use SugarSync, but not for any sensitive information. (Sorry if it's already been mentioned, I've not read the whole thread.)
Well, I'm going to continue to use Dropbox as my main storage area.
Will take my chances, I think! It's just too convenient.
SimpleSi (22nd September 2011)
zag (22nd September 2011)