If you are thinking of signing up to a US-hosted e-learning service, your data will be hosted on US servers, so you will have to take into account your obligations under the Data Protection Act.
It is very probable that data submitted or uploaded to the e-learning service will be processed outside the European Economic Area (EEA). If e-learning data is uploaded, it is likely to include the personal data of learners and staff so data protection legislation will apply.
For data that your university collects from learners and staff, you remain the data controller. If you engage the e-learning service to process personal data on your behalf then they are the data processors and you should restrict them to processing in accordance with how you direct. You must also ensure that they comply with your requirements. This is usually done by means of data processor agreements.
They remain the data controller for personal data that they collect themselves from your staff and learners. As such, you are not responsible for data protection compliance with regard to that data.
It is possible for the e-learning service to transfer personal data to the US provided it is done in accordance with the UK’s data protection legislation. As they provide a service in the UK, they are obliged to comply with UK data protection law requirements.
Safe Harbor provides a list of organisations that have notified the US Department of Commerce that they adhere to the Safe Harbor framework developed by the Department of Commerce in coordination with the European Commission.
Even if the service is not listed on Safe Harbor, if your university can be satisfied that in the particular circumstances there is an adequate level of protection for the personal data for which you are the data controller, then you can go ahead and agree to the data being transferred overseas. You can, in these circumstances, assess adequacy yourself.
The UK Information Commissioner’s recommended approach to assessing adequacy, including consideration of the issue of contractual solutions, binding corporate rules and Safe Harbor, is provided on the ICO website. This guidance outlines a 4-step approach on how to deal with international transfers of personal data.
You can insist that the e-learning service meets certain conditions by contract or otherwise. Details on standard contractual clauses that are approved by the European Commission as providing an adequate level of protection are available. This document identifies model contract clauses intended to provide adequate safeguards for personal data transferred by data controllers established in the EU, from the EU to data processors established in countries outside the EU (the "model terms").
The clauses themselves can be accessed on the Official Journal of the European Union website.
Consent
Personal data can be transferred overseas if you have the individual’s consent, which should be given clearly and freely, and which may later be withdrawn by the individual. You can find further information on consent on the ICO website.
Summary
It is appropriate for you to ask the e-learning service directly about their compliance with UK data protection requirements. As a UK customer you are certainly entitled to clarification of their position. Other similar service providers have engaged with the Safe Harbor process and are committed to European standards of data protection compliance.