Providers of cloud-computing services including Google and Dropbox may lose the business of Swiss schools because they fail to protect students' privacy.
Privacy groups have issued cloud computing guidelines because they are concerned about violations. Swiss schools increasingly use Internet-based computer applications, information processing and data storage.
Schools which are already using or considering using cloud services are the main focus of the leaflet entitled Cloud Computing in the School Sector, which was adopted and issued by Privatim, the Swiss Association of Privacy Groups, on Monday.
Cloud computing is on the increase at Swiss companies, in public administration, and also at schools, because it offers economic and security benefits. As a result, organisations no longer store data on their own networks, but rent space from a provider of cloud services such as Dropbox, Microsoft Office 365 or Google Drive.
The main concerns, however, are the lack of control over personal data being processed in the cloud and insufficient information with regard to how, where and by whom the data is being processed and sub-processed. Cloud computing typically involves an outsourcing chain consisting of multiple processors and sub-processors.
“It is important that the key is with the user of the cloud and not with the cloud provider,” Baeriswyl told the Swiss New Agency. Dropbox and Google Drive fail to meet that specification. Or in other words, if Dropbox and Google Drive do not adjust their policies, they will no longer be an option for schools, he added.
In May, the Swiss cabinet pointed out the risks involved with the use of cloud services. In an answer to a motion by parliament it wrote that the decentralised storage of data created “great opportunities” for surveillance.
In August, data protection officers had warned schools in the cantons of Lucerne and Solothurn about the dangers of programmes like Microsoft Office 365, because they fear that the providers would use the names and addresses of students who use the cloud to access the school’s network from their homes. Microsoft denied any such claims.
The new guidelines put the legal requirements in concrete terms, Baeriswyl told the Zurich-based daily newspaper Tages-Anzeiger on Saturday. The data protection officers will in future check whether the cloud solutions used at Swiss schools meet the legal requirements.
The more sensitive the data, the higher the challenges for the cloud service, the guidelines state. For example, data from the school psychologist, who is bound by professional confidentiality, has to be particularly protected.
swissinfo.ch and agencies