Increasingly, educational institutions and state entities handling student data are hiring outside companies to perform cloud computing functions related to managing personal information.
The benefits of cloud computing are that outside entities might be more sophisticated at managing personal data. These entities may be able to manage data more inexpensively and effectively than the educational institution could do itself. In many cases, cloud computing providers can provide better security than the educational institutions can.
The risks of cloud computing are that educational institutions no longer have as much control over the personal data. They must rely on the cloud computing provider to have the appropriate practices and policies to ensure that data is properly maintained, handled, used, or disclosed.
One risk is that a cloud computing provider can outsource some functions to countries that have little to no legal privacy protections. In one instance, a university medical center outsourced transcription of its medical records to a company in California, which then subcontracted with a person in Florida, who subcontracted with a person in Texas, who ultimately subcontracted with a person in Pakistan. The person in Pakistan wasn't paid by the person in Texas, so she wrote to the medical center and threatened that she would expose all the records unless the medical center got involved and made the Texas person pay. This example illustrates how easy it is to lose control over information when it is outsourced.
There are benefits and risks to cloud computing, but the benefits can be enhanced and the risks greatly reduced if educational institutions take care and vigilance in selecting cloud computing providers and in monitoring the relationship to ensure that the provider is adequately protecting the data.
The Family Educational Rights and Privacy Act (FERPA) unfortunately provides little guidance about the selection of cloud providers and the management of these relationships. According to Department of Education, "nothing in FERPA prevents an educational institution from contracting with a person or entity outside the institution to perform services that the institution would otherwise provide for itself." FERPA merely requires one condition - that "the party to whom the information is disclosed will not disclose the information to any other party without the prior consent of the parent or eligible student."
But there are many other important responsibilities for cloud computing providers that FERPA ignores, such as providing for appropriate security and having an adequate accountability architecture in place. That architecture consists of having officials responsible for the privacy and security of the data (data stewards), doing routine assessments of risks, having a meaningful system of oversight and monitoring to ensure compliance, and having a training program for employees to minimize security lapses and mistakes. I provide such training programs through my company, TeachPrivacy, and I am doing so because I am a strong believer that education can work. Many privacy and security incidents are caused not be technical issues but by the human factor - the small errors people make out of carelessness or ignorance that can lead to big problems. Educational institutions should insist on cloud computing providers that provide such education - after all, educational institutions should be ardent believers in education.
Prior to engaging in business with a cloud computing provider, an educational institution should conduct due diligence on the provider and make sure that the provider has a good reputation and good privacy and security practices. The educational institution should ask the provider for details about how it stores the data, how it protects the data, and where that data is stored, as the data might be stored in a country where the government can access data without adequate restrictions.
When contracting with a cloud computing provider, an educational institution should be sure that the contract have sufficient provisions to ensure that the data is protected. An educational institution should never just outsource it and forget about it. Even when the data is outsourced to others, the buck always stops with the educational institution, which remains the primary institution with responsibility over that data. A privacy or security incident at a cloud computing provider doesn't just tarnish the reputation of that provider, but it also can injure the reputation of the institution that trusted the cloud computing provider - especially if the institution didn't do enough to ensure that the provider was taking adequate care of its data.
In essence, giving data to a cloud computing provider should be viewed as akin to sending children to daycare. Great care and vigilance is required both in selecting a provider and in ensuring that the provider meets its obligations and performs well.
What should contracts with cloud computing providers require? I recommend the following:
1. The cloud computing provider should agree to maintain the confidentiality of the data.
2. The cloud computing provider should have appropriate technical, administrative, and physical security safeguards to protect the data.
3. The cloud computing provider should destroy all personal data that is no longer needed. If the relationship with the cloud computing provider is terminated, the provider should not retain any of the personal data that it had previously processed for the educational institution.
4. The cloud computing providers should abide by the educational institution's privacy policies.
5. The cloud computing provider should have appropriate training of its employees regarding following the educational institution's policies and safeguarding the security of the data. Policies are meaningless unless there is training to back them up.
6. If cloud computing providers desire to subcontract any of their functions to other cloud computing providers, they should be required to first seek the educational institution's prior approval.
7. The educational institution should circumscribe the ways in which the cloud provider can use the data. Data should only be used for the purposes related to providing the cloud computing service. If the cloud provider engages in uses for other purposes, these purposes should be clearly defined and limited. Educational institutions should be careful when authorizing other uses, as such uses could conflict with FERPA or other federal or state laws. Any such uses should be incorporated into the privacy policies of the educational institutions when they gather the data so that people are on notice about them.
8. The educational institution should ensure that they can impose appropriate sanctions upon the cloud computing providers if the providers fail to live up to their requirements to provide good privacy and security.
Once the contract is underway, that isn't the end of the educational institution's responsibilities. The educational institution should engage in routine assessments about how cloud computing providers are performing in their duties to provide privacy and security safeguards.