It is important to recognise that in any situation where a data controller is using a data processor, the data controller remains responsible for compliance with the Data Protection Act 1998 (DPA).
If a UK data controller uses a data processor within the United States that participates in the Safe Harbor scheme, this would be equivalent to using a provider within the EEA or an adequate country and therefore compliant with the eighth principle of the DPA.
If the institution (A) is aware that the processor (B) may process that personal data in a jurisdiction not in the EEA and not on the list of countries considered by the European Commission to have an adequate level of protection the institution can still use processor B as long as it is satisfied that any information transferred outside the EEA to a non-adequate country will enjoy an adequate level of protection.
This can be, for example, by having a contract in place to the effect that B will not process the data other than as instructed by the data controller, and that it will take security measures equivalent to those that would be required by the DPA.
When using a cloud service where the cloud provider is unable to give assurances that the information will not be transferred outside the EEA, the data controller should assume that such a transfer will occur and it will be necessary to take appropriate precautions to ensure that the personal data will enjoy an adequate level of protection. As described above this can be, for example, by having appropriate contractual safeguards in place.
Can a college or university use a cloud computing service if this will mean personal data being transferred outside the EEA?
Further details on assessing adequacy is available on the ICO website at - http://www.ico.gov.uk/for_organisations/data_protection/the_guide/principle_8.aspx.