This decision will likely have an impact on any school which relies on cloud based storage where personal data is stored on US based servers (such as Google Apps). It may also be relevant to other online activity (for example, emails, parent portals, etc) if personal data is stored in the US. Even if a school's service provider is based in the UK, often they will have servers located in the US and therefore transfer the school's personal data to the USA as part of their services or back-up procedures.
The ECJ's decision is wide ranging in scope. It means that any school which uses cloud based storage or similar web based services may be in breach of the Data Protection Act.
The good news is that the ICO has no plans to take immediate enforcement action which gives schools a degree of breathing space.
The UK data protection regulator, the Information Commissioner's Office (ICO) has this week issued a statement.
The bad news is that, as the ICO identifies, the ECJ decision goes beyond Safe Harbor and calls into question any data transfer outside of the EEA. This means that the alternatives to Safe Harbor (such as those listed below) might also be found to be inadequate if challenged.
Organisations are being encouraged to consider the alternative measures for US transfers in the absence of Safe Harbor. Such measures include:
It will be interesting to see how this area of law develops as none of these measures represent a perfect solution. For example, cloud providers might not be prepared to agree to the use of the model contractual clauses. Asking staff, pupils and parents to consent to their data being transferred outside of the European Economic Area (EEA) is clearly impracticable and there are risks that this option may not be enforceable. Carrying out an assessment of adequacy can be a mammoth task as it often involves carrying out detailed due diligence on both the contractor's and the destination country's data protection practices.
One option for schools is to adopt a 'wait and see' approach. As the ICO identifies, there is a push to introduce what the ICO calls 'Safe Harbor 2.0' which would hopefully contain sufficient guarantees to satisfy the courts and the regulators.
However, there is no clear timescale on this and accordingly we recommend that schools should be doing what they can now to identify the risks and be ready to take remedial action. Such action might involve:
Of the Safe Harbor alternatives, the use of the model wording has its attractions because it should just be a question of the contractor agreeing to adopt the wording. However, we recommend that any use of the model wording should be 'topped up' by including practical obligations on the contractor around information security which are specific to the data transfer (for example, requiring the contractor to use encryption or to adhere to a relevant recognised information security standard).