Privacy groups have issued cloud computing guidelines because they are concerned about the violation of privacy as Swiss schools increasingly use Internet-based computer applications, information processing and data storage.
Schools which are already using or considering using cloud services are the main focus of the leaflet entitled Cloud Computing in the School Sector, which was adopted and issued by Privatim, the Swiss Association of Privacy Groups, on Monday.
Cloud computing is on the increase at Swiss companies, in public administration, and also at schools, because it offers economic and security benefits. As a result, organisations no longer store data on their own networks, but rent space from a provider of cloud services such as Dropbox, Microsoft Office 365 or Google Drive.
The main concerns, however, are the lack of control over personal data being processed in the cloud and insufficient information with regard to how, where and by whom the data are being processed and sub-processed. Cloud computing typically involves an outsourcing chain consisting of multiple processors and sub-processors.
The pamphlet drafted by Privatim states, for example, that cloud computing requires a signed contract between the schools and the cloud providers, clearly specifying the terms of use. The terms of use have to specify that the power of disposition lies within the school, and that the data may only be processed for the purposes of the school.
The problem is that schools are often not able to draw up contracts concerning standard products and that the terms of use do not comply with data protection requirements. So schools basically have to drop standard products, unless there is an option to encrypt the data, according to Privatim President Bruno Baeriswyl.
Privacy concerns
«It is important that the key is with the user of the cloud and not with the cloud provider,» Baeriswyl told Swiss newswire SDA. Dropbox and Google Drive do not meet that specification. Or in other words, if Dropbox and Google Drive do not adjust their terms of use, they will no longer be an option for schools, he added.
In May, the Swiss cabinet pointed out the risks involved with the use of cloud services. In an answer to a motion by parliament it wrote that the decentralised storage of data created «great opportunities» for surveillance.
In August, data protection officers had warned schools in the cantons Lucerne and Solothurn about the dangers of programmes like Microsoft Office 365, because they fear that the providers would use the names and addresses of students who use the cloud to access the school’s network from their homes. Microsoft had denied any such claims.
The new guidelines put the legal requirements in concrete terms, Baeriswyl told the Zurich-based daily newspaper Tages-Anzeiger on Saturday. The data protection officers will in future check whether the cloud solutions used at Swiss schools meet the legal requirements.
The more sensitive the data, the higher the requirements for the cloud service, the guidelines state. For example, data from the educational psychologist, who is bound by professional confidentiality, have to be particularly protected.