Op-Ed at Huffington Post: Educational Institutions and Cloud Computing: A Roadmap of Responsibilities
In an opinion column at the Huffington Post, George Washington University law professor Daniel Solove discusses the risks that schools should consider as they debate whether to use cloud-computing services. (“Cloud computing” is where you upload, store and access your data at an online service owned or operated by others. Microsoft, Apple and many others offer these services. Read a previous post for more on privacy and security questions surrounding cloud computing services.)
Increasingly, educational institutions and state entities handling student data are hiring outside companies to perform cloud computing functions related to managing personal information. […]
The risks of cloud computing are that educational institutions no longer have as much control over the personal data. They must rely on the cloud computing provider to have the appropriate practices and policies to ensure that data is properly maintained, handled, used, or disclosed.
One risk is that a cloud computing provider can outsource some functions to countries that have little to no legal privacy protections. In one instance, a university medical center outsourced transcription of its medical records to a company in California, which then subcontracted with a person in Florida, who subcontracted with a person in Texas, who ultimately subcontracted with a person in Pakistan. The person in Pakistan wasn’t paid by the person in Texas, so she wrote to the medical center and threatened that she would expose all the records unless the medical center got involved and made the Texas person pay. This example illustrates how easy it is to lose control over information when it is outsourced.
There are benefits and risks to cloud computing, but the benefits can be enhanced and the risks greatly reduced if educational institutions take care and vigilance in selecting cloud computing providers and in monitoring the relationship to ensure that the provider is adequately protecting the data. […]
Prior to engaging in business with a cloud computing provider, an educational institution should conduct due diligence on the provider and make sure that the provider has a good reputation and good privacy and security practices. The educational institution should ask the provider for details about how it stores the data, how it protects the data, and where that data is stored, as the data might be stored in a country where the government can access data without adequate restrictions.
When contracting with a cloud computing provider, an educational institution should be sure that the contract has sufficient provisions to ensure that the data is protected. An educational institution should never just outsource it and forget about it. Even when the data is outsourced to others, the buck always stops with the educational institution, which remains the primary institution with responsibility over that data.