momius - Fotolia

Cloud computing in schools: privacy under threat

While IaaS and SaaS services are spreading in schools, the potential risks to the protection of students’ personal data are also growing

This article can also be found in the Premium Editorial Download: CW Europe: CW Europe – October 2015

Schools are increasingly adopting cloud computing to take advantage of the associated flexibility and cost savings. 

From a budgetary standpoint, schools can achieve better value for money and improved functionality through the cloud. New pedagogical models such as the flipped classroom, which have been largely associated with massive open online courses (Moocs), are improving both teaching and learning processes.

However, this new scenario also implies substantial risks to privacy, which should be addressed to ease the transition to a digital environment. For this reason, the Spanish Data Protection Agency (AEPD) has introduced Europe's first inspection of cloud computing services in education.

According to the Spanish National Institute of Statistics, more than eight million primary and secondary school students are using these new technologies in Spain. Most of their personal data is rarely stored in private clouds, with storage in hybrid clouds from infrastructure as a service (IaaS) providers more common.

The AEPD report distinguishes between school management platforms and learning platforms, both of them under a software as a service (SaaS) model.

School management platforms not only store economic and administrative data, but also the identities of everyone involved in the school as well as other personal information, including medical histories.  

“All the school management platforms reviewed collect and store data specially protected, such as health information (data on allergies, supplied medicines, medical examinations and diseases reported by parents), along with data from the Guidance Department (psychological data),” said an AEPD spokesperson.

As regards learning platforms, the report points out that they are aimed at creating an environment for collaborative work between teachers and students to facilitate the management of online courses. These platforms, which are managed by teachers and students, enable the monitoring of pupils' progress across the virtual learning environments (VLEs).

A VLE allows the creation of a bespoke system, saving thousands of euros in licensing costs and creating flexibility benefits. VLEs are usually based on the open-source learning management system Moodle and contain real-time academic information, such as test scores and the number of attempts at tests.  

Access to this information should be limited to authorised staff of the education centre and students, who have access only to their own information.

Shared responsibility

The AEPD report warns that one of the most common problems is the division of responsibilities between the different actors in the protection of personal data. “While IaaS providers argue that they do not have the 360 insight and ignore the nature of the stored data, schools say they are not security experts and that is not their business,” said the AEPD spokesperson.

However, the responsibility is clearly shared. While the physical security aspects are the responsibility of the infrastructure providers, all the aspects related to the users’ management depends on the SaaS providers and the schools. In this regard, the SaaS providers are used to deliver to schools a user with administrator privileges for managing users, delegating that responsibility to the school.

The AEPD spokesperson added: “The contracts should clearly specify the responsibilities of all those involved in the delivery of cloud services, both customers and entities.” These include responsibilities for the security measures to be implemented.

Read more about cloud computing services

The report also warned about the legal issues related to data location. Where in the world that a cloud service provider keeps students’ data is very important, and the AEPD recommends that schools gather information on the location of data. 

If data is located in the EU, Iceland, Liechtenstein or Norway, there is no problem because there will be no international transfer of data. But if the datacentre is located in another country, the national data protection agency must be notified.

Responsibility for backup and recovery of data should be included in contracts with cloud service providers to ensure backups are carried out with appropriate frequency and that backed-up data is stored in a different location from the original databases.


The report also recommends that user consent policies signed by parents on behalf of their children should comply with requests from EU data protection authorities.

The research highlighted that schools have largely adopted the use of learning apps from third parties. The AEPD spokesperson said that because the apps that assist the teacher to develop lessons contain students’ personal data, schools should establish rules of procedure for using these tools, which could include in-service training for teachers.

The use of personal devices, such as tablets and smartphones, must comply with the privacy policy defined by the school and the guarantees established in EU data protection legislation, the AEPD spokesperson said. This means that no identification or authentication information should be stored on the mobile devices. 

As an additional security measure, it would be a good practice to link the access to a single device, so that if a user logs into the platform through another device, additional authentication will be required.

Another sticking point for data privacy could come from publishing houses. While many schools are adopting e-books instead of traditional paper books, they are also giving students access to publishing houses’ platforms, which implies a transfer of personal data.

The AEPD says: “The publishing houses are not entitled to treat any personal data that can be obtained from these learning platforms without consent from the user, such as the results of the exercises done by students or the profiles that could be obtained from them.”

The AEPD recommends that schools should not surrender control of student information when using cloud services and should specify the purpose for disclosure of student information in any agreement, restricting the sale or marketing of student information by third-party suppliers.

Read more on Privacy and data protection