The seventh data protection principle in the Data Protection Act 1998 (DPA) requires a college or university to take appropriate technical and organisational measures so that personal data relating to its staff, learners and others remains secure, including protecting such data against accidental loss. Under the DPA, an organisation that uses a third party, in this case a cloud computing service provider, to process personal data on its behalf remains responsible, as data controller, for what that third party does with the data. A college or university could therefore incur liability where data it stores using a cloud computing service is lost or compromised.
The college or university has an obligation to ensure that its cloud computing service provider has adequate measures in place to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. A college or university should carry out due diligence before agreeing a contract, to establish how the cloud computing service provider handles personal data, what assurances it gives about the security of that data, and which security measures it uses: for example, segregation of each customer's data from other tenants' data, or encryption.
The college or university will need to consider whether the security level offered meets both its own requirements and those of the DPA, and ensure that the terms of its contract with the cloud computing service provider reflect these requirements; the DPA requires that contract to be made or evidenced in writing. The college or university must then take reasonable steps to verify that the provider is actually putting the agreed security measures into practice, for example through audit or periodic review of the provider's security reports. The ICO publishes an overview of the security requirements on its website.
Beyond the requirements of the DPA, an institution may also be liable in contract (where it has agreed to keep data secure and fails to do so) and in negligence (where it fails to take the precautions reasonably expected of it, and someone else suffers loss as a result).