The Data Protection Act 1998 (DPA) restricts the transfer of personal data to countries or territories outside the European Economic Area (EEA) (the eighth data protection principle). Personal data must not be transferred outside the EEA unless the destination country or territory ensures an adequate level of protection for the rights and freedoms of the individual in relation to the processing of personal data.
A college or university as data controller will remain responsible for the adequate protection of the personal data of their staff, learners and others and will need to find out where the cloud computing service provider is processing data in order to assess how to proceed.
To achieve compliance with the DPA a college or university may consider using a cloud computing provider in a country already assessed by the European Commission as having adequate protection, a US provider who has signed up to the Safe Harbor arrangements, or a provider with which it has put in place the European Commission's approved model contract terms. Another option is to obtain informed consent from the individuals whose data will be stored to transfer it to a location outside the EEA. However, this presents two difficulties: consent will not be valid if the individual has no real choice but to give it, and an individual who has consented may subsequently withdraw that consent, leaving the institution without a basis for a transfer that has already taken place.
Even where a college or university uses a cloud computing provider within the EEA, in a country assessed by the European Commission as having adequate protection, or a US provider who has signed up to the Safe Harbor arrangements, the provider may in turn transfer the data onward. Where the institution is aware that there may be a further transfer of the data to another country or territory outside the EEA, the protection given in that final destination is what matters in assessing whether the personal data is adequately protected.
Can an institution use a cloud service provider that is unable to give assurances that personal data will not be transferred to a country outside the EEA?
Further information regarding transfer of data abroad can be found on the ICO website.