right CSP can actually provide even better security than their own onsite infrastructure.

For any school considering cloud services, the top priority is the security of the CSP and its cloud platform. It is extremely important that schools know the physical location of their data and applications as well as the quality of the facilities used by the CSP. For example, can the CSP ensure that a school’s applications and data are maintained in appropriate facilities with 24-hour engineering support, security guards, CCTV, restricted access, uninterruptible power supplies etc? Do the CSP’s facilities meet any international standards such as ISO 9001 (Quality Management Systems), or ISO 27001 (Information Management Security Systems)? Does the CSP use specialist cloud security technologies which provide ongoing verification of the integrity of the school’s cloud infrastructure and ensure that other cloud users and hackers cannot accidentally or deliberately view or access the school’s data and applications?

Looking at the wider data protection implications, the school may need to amend its data protection policy and privacy policy. For example, where the school plans to use the cloud for email service provision, how will data subjects react to this and will their consent be required? Additionally, the school should check that the CSP can extract school data quickly out of the cloud should the need arise, e.g. where the school receives a request for information under the Freedom of Information Act or the Data Protection Act.

In conclusion

So, before signing a contract with a CSP, a school must check that the contract is Data Protection Act compliant. While one CSP’s prices may seem cheaper than others, this may be because the data is being stored cheaply outside the EEA or because the standard contract does not contain the data security obligations required by the DPA. The potential penalties for breaching the DPA include criminal and civil proceedings and fines of up to £500,000. So, before putting your IT into the cloud, follow this simple data protection checklist:

• Choose a CSP that guarantees that the data will only be held within the UK or EEA.
• The contract must contain a Data Processor Agreement. These are specific contract clauses demanded by the DPA and without them the school is in breach of the DPA.
• Data should be readily accessible so that the school can comply with data protection and freedom of information requests.
• Update the school privacy notice and data protection policy to reflect your new cloud operations.

• Paula Williamson is a solicitor at The Information Law Practice and Harvey Davies is director at IstorCloud.

The School Certificate in Data Protection

All your staff data protection trained in a single, affordable step. Job done.

Designed in consultation with the UK Data Protection Regulator & delivered by a law firm at your school

Why Does My School Need this Training?
To aid compliance with 2 key legal obligations under the Data Protection Act: 1. the requirement to take reasonable steps to ensure the reliability of all staff handling personal data and 2. the requirement to take organisational steps to keep personal data secure. Breaches can bring reputational damage, criminal and civil proceedings, fines and compensation claims.

Who Should Attend?
Anyone handling personal data, e.g. all teachers, administrators, business managers & bursars

Why Choose Us?
This certificated course has been designed specifically for schools in consultation with the body that enforces the DPA and, being a law firm, you can be confident that your school is receiving the best training available

How Long is the Training Session?
Just 2 hours (minimal “downtime”). Daytime, twilight & multiple sessions available

Where is it Held?
We save your time & budget by coming to you

Training in association with The Information Law Practice

What will Staff Learn?
• The school’s basic legal obligations under the Data Protection Act 1998
• Handling requests for access to personal data from pupils, parents and the Police
• Data protection requirements for photographs, social networking, biometrics and the school website
• The obligation to keep data secure including encryption, secure remote working etc
• Managing a data security breach, dealing with the press and whether to report the incident or not

Bookings Now being Taken for Autumn/Winter 2011
Visit: www.theinformationlawpractice.com/SCDP
01386 793632
training@theinformationlawpractice.com