Hampshire SLS would like to issue advice around Cloud Services.  A Cloud Service may be a Library Management System, an eBook platform, or a literacy improvement tool like Accelerated Reader. Schools need to consider some key points for anything where pupil, staff or parent data is held in the Cloud,  whether through a third party company of a schools own Cloud Service .

Action required by the school depends on the type of service and what type of user data that service requires.  All schools are responsible for their own compliance to the Data Protection legislation and each school will have a designated Data Office who is responsible for compliance.  The Data Officer is typically the Head Teacher unless they have delegated responsibility to a Deputy Head or Business Manager. Before implementing any Cloud Service where a person’s data is held in the Cloud the Data Officer needs to have agreed the deployment after following the School’s internal procedures, in line with their Data Protection Policy.  Schools should be completing a Privacy Impact Assessment (PIA) to ensure the deployment does not breach Data Protection legislation. Schools should also ensure they have a robust agreement in place with the company along with a Data Sharing agreement, these may form part of the main contract.

If you have a Cloud Service in your school and you have either been contacted by an individual to report a breach or you suspect a potential Data Breach, the Data Officer must complete an assessment of the incident/breach.  The assessment will follow the School’s Data Protection Policy and will identify what actions the School needs to take and whether or not it has to be self reported to the Information Commissioner’s Office (ICO).  More information for Hampshire County Council (HCC) schools can be found at http://intranet.hants.gov.uk/dp.htm

Where a HCC School has identified a Data Protection breach, that school must report the breach to HCC Children’s Services team via the data reporting tool within 24 hours http://intranet.hants.gov.uk/childrens-services/departmental-ict/cs-dp-is-foi/cs-db.htm  

The DfE have published guidance around Cloud Software Services for Schools https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/584755/Cloud_computing_services_guidance_Jan_2017.pdf

More information for schools can be found at https://www.hants.gov.uk/educationandlearning/dataprotection

The Information Commissioner’s Office has a specific page for schools https://ico.org.uk/for-organisations/education/ The ICO has also produced a guide for schools on Cloud Services in Schools  https://ico.org.uk/media/for-organisations/documents/1540/cloud_computing_guidance_for_organisations.pdf 

Schools will be aware that the current Data Protection legislation will be changing in May 2018.  The new European wide legislation is called General Data Protection Regulation (GDPR); this will pose a challenge to schools as the new legislation is more rigorous than the current law; further information can be found on the ICO site https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/ 

If you have any queries regarding Data Protection around Library Systems or any of the Cloud Services offered by SLS please do not hesitate to contact SLS Head Quarters on hq.sls@hants.gov.uk or 01962 826660.

(Edited by Andy Macfarlane - original submission Monday, 18 September 2017, 4:54 PM)

(Edited by Andy Macfarlane - original submission Tuesday, 19 September 2017, 7:43 AM)