Privacy groups issue ‘cloud’ guidelines for schools
Providers of cloud-computing services including Google and Dropbox may lose the business of Swiss schools because they fail to protect students' privacy.
Privacy groups have issued cloud computing guidelines because they are concerned about violations. Swiss schools increasingly use Internet-based computer applications, information processing and data storage.
Schools which are already using or considering using cloud services are the main focus of the leaflet entitled Cloud Computing in the School Sector, which was adopted and issued by Privatim, the Swiss Association of Privacy Groups, on Monday.
Cloud computing is on the increase at Swiss companies, in public administration, and also at schools, because it offers economic and security benefits. As a result, organisations no longer store data on their own networks, but rent space from a provider of cloud services such as Dropbox, Microsoft Office 365 or Google Drive.
The main concerns, however, are the lack of control over personal data being processed in the cloud and insufficient information with regard to how, where and by whom the data is being processed and sub-processed. Cloud computing typically involves an outsourcing chain consisting of multiple processors and sub-processors.
The pamphlet drafted by Privatim states, for example, that cloud computing requires a signed contract between the schools and the cloud providers, clearly specifying the terms of use. They must make clear that the data is the property of the school and may only be processed for its own purposes.
The problem is that educational institutions are often not able to draw up contracts concerning standard products and that the terms of use do not comply with data protection requirements. So schools basically have to drop standard products, unless there is an option to encrypt the data, according to Privatim President Bruno Baeriswyl.
Privacy concerns
“It is important that the key is with the user of the cloud and not with the cloud provider,” Baeriswyl told the Swiss New Agency. Dropbox and Google Drive fail to meet that specification. Or in other words, if Dropbox and Google Drive do not adjust their policies, they will no longer be an option for schools, he added.
In May, the Swiss cabinet pointed out the risks involved with the use of cloud services. In an answer to a motion by parliament it wrote that the decentralised storage of data created “great opportunities” for surveillance.
In August, data protection officers had warned schools in the cantons of Lucerne and Solothurn about the dangers of programmes like Microsoft Office 365, because they fear that the providers would use the names and addresses of students who use the cloud to access the school’s network from their homes. Microsoft denied any such claims.
The new guidelines put the legal requirements in concrete terms, Baeriswyl told the Zurich-based daily newspaper Tages-Anzeiger on Saturday. The data protection officers will in future check whether the cloud solutions used at Swiss schools meet the legal requirements.
The more sensitive the data, the higher the challenges for the cloud service, the guidelines state. For example, data from the school psychologist, who is bound by professional confidentiality, has to be particularly protected.
In compliance with the JTI standards
More: SWI swissinfo.ch certified by the Journalism Trust Initiative
You can find an overview of ongoing debates with our journalists here. Please join us!
If you want to start a conversation about a topic raised in this article or want to report factual errors, email us at english@swissinfo.ch.