Lewisham Council's head of information and communications technology, Neil Iles, has written to educators within the borough to explain the dangers of using US-based cloud services to store data about students. The ICO points out that avoiding US cloud services is not yet a legal requirement, so there is no need to rush into other services or panic-buy new subscriptions.
The warning comes after a ruling by the Court of Justice of the European Union which declared the Safe Harbour Laws, used to authorise personal data transfers to the US, invalid.
"If you still use Dropbox as a quick-win cloud storage solution for your school please consider that recent changes in rulings regarding the validity of the Safe Harbour Agreement means that data stored outside the EU is now officially at risk for EU based Data Owners - ie schools in the UK!" said Iles.
The Information Commissioner's Office told schools they do not need to abandon leading internet services just yet and to refer to current regulations on the topic, presumably because the new data protection laws are still being debated by the European Commission.
ICO spokesman David Murphy acknowledged this was a "complicated area of law" but said in a blog post: “Don't panic and don't rush to other transfer mechanisms that may turn out to be less than ideal. The impact of the judgment on standard contractual clauses and binding corporate rules is still being analysed.”
Speaking to SCMagazineUK.com, a spokesperson for the Department of Education said its message is much like the ICO's and explained that there is documentation for anyone wanting to brush up on their knowledge about keeping data safe when using online cloud services.
Looking to reassure schools and other customers, a Dropbox spokesperson told SCMagazineUK.com: “In light of the recent ruling on Safe Harbour, we have put alternative legal mechanisms in place, including Data Processing Agreements with Model Contract Clauses, that enable customers to continue to use our cloud services.”
“At Dropbox we have always been committed to upholding the security and privacy of our customers' data. We were one of the first, and are still one of the only, major cloud service providers to achieve ISO 27018 certification, a global standard for cloud privacy and data protection.”
“Along with the rest of the industry, we eagerly await guidance from the European Commission on the revised Safe Harbour framework, which will help determine the most effective long-term solutions.”
It has been three weeks since the European Court of Justice ruled that US firms signed up to the Safe Harbour scheme could no longer be automatically considered to provide "adequate protection" to personal data they had received from the EU.
The judgement came about when Max Schrems took Facebook to court to argue that the US doesn't abide by these laws, after leaks by whistleblower Edward Snowden brought to light that the NSA and other US authorities engage in mass surveillance of data held by US tech giants.
The EU forbids personal data from being transferred to and processed in parts of the world that do not provide "adequate" privacy protections. So, to make it easier for US firms to conduct cross-Atlantic business, they have been allowed to self-certify that they are carrying out the required steps, which Max Schrems proved they weren't.