What should an educational institution think about before committing to a cloud provider? Daniel Solove, the John Marshall Harlan Research Professor of Law at George Washington University Law School, founder of TeachPrivacy, a privacy/data security training company, and a Senior Policy Advisor at Hogan Lovells, provides a great starting point in the following video.
One of the major compliance issues education deals with is FERPA. Solove says FERPA provides little guidance to educational institutions looking at the cloud. The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects students’ privacy by prohibiting disclosure of education records without adult consent. FERPA also allows parents and students over age 18 to inspect and review education records and to request that inaccuracies be corrected.
Schools may share basic “directory” information, such as student names and phone numbers, if they give parents the opportunity to opt out. However, advance written permission is required to release all other student-level information, such as student coursework, class discussions, recorded comments, and grades, if they are linked to any information that would enable a member of the school community to identify the student. Several exceptions in the law allow individuals such as teachers and administrators with a legitimate educational interest in the student’s record to access personally identifiable student data without prior parental consent.
Solove’s video is very good, but we thought it might be helpful to have a checklist of items available for you to cut and paste when beginning the conversation with a potential cloud service provider. Institutions should take the following steps before committing to the cloud:
Prior to Contracting with a Cloud Provider:
- Conduct due diligence on the cloud provider
  - What is their reputation?
  - Do they have references?
- Establish a relationship with the cloud provider
- Ask questions such as:
  - How does it store the data?
  - How does it protect the data?
  - Where is the data stored?
  - What is your accountability infrastructure?
- Make sure the contract has provisions for:
  - securing data
  - technical, administrative and physical security
  - deleting data which is no longer needed
  - abiding by institutional privacy policies
  - training for employees, including on institutional client policies
  - subcontracting by the provider, which should be allowed only with written permission of the client
  - use of data