Are you using a cloud service like Office 365, Google Apps, or iCloud in your school? We show you how to make sure that you’re meeting your data protection requirements and not breaking the law.

When we first started using Google Apps in school three years ago we spent a lot of time making sure we could meet our legal requirements for handling data. It wasn’t an easy process, at the time few schools were using cloud services, and even our local authority didn’t have the information we needed to push forward with the project.

Luckily we had a solid team of technicians to sift through the information and put together a cloud services policy, but most schools aren’t in such a position. Individual schools simply don’t have the resources to ask the sort of questions that need to be answered when signing up to a cloud service like Google Apps, Office 365, or iCloud.

To remedy this the UK government has put together a checklist and self-certification scheme that schools, local authorities, and school leaders can use to determine if a cloud service provide meets UK law and if they’re suitable to use your school.

The new guidance, entitled Cloud (Educational Apps) Software Services and the Data Protection Act, gives a formal framework for companies like Google, Microsoft, and Apple to complete in order to answer common questions that schools should be asking of cloud companies.

The outcome is a comprehensive checklist of answers to questions like:

  • Does your cloud service fully comply with the Data Protection Act?
  • Do your services ensure the school can delete data to meet data protection requirements?
  • Do you prohibit personal data or metadata being shared with third parties?
  • Are appropriate controls in place to ensure only authorised staff have access to client/customer data?

The document, which is updated annually, covers many areas of cloud services that have caused concern in schools recently. It looks at:

Data protection and legal requirements

Does the cloud service allow the school to ensure that their personal data is processed in compliance with the DPA.

Data confidentiality

Schools should ensure that the cloud service provider can meet sufficient guarantees about the technical and organisational security measures.

Service availability

Can your cloud service provide provide timely and reliable access to your school’s data? Has your service provider and school assessed the level of risk and whether the school is prepared to accept that risk?

Data transfers outside of the EU

Where is your data being stored and does it meet your Data Protection requirements?

Use of advertising

Does your cloud service provider target advertising at your users? How does it target the ads? Can they be disabled?


The scheme is designed to provide information to schools when deciding which cloud provider to use, but it doesn’t remove school’s legal requirements to properly investigate cloud providers first.

The particular focus of this document is to help schools by reducing the burden and complexity associated with understanding whether a particular supplier’s cloud service claims to meet the relevant UK legal requirements in respect of data protection. This guidance is not intended to relieve schools of any legal responsibility under the Data Protection Act and any associated legislation.

At the current time there are only responses from Google, Microsoft, and Schoolcomms — Apple has yet to make an appearance — but it’s a great start and provides schools with a good starting point to make sure they are keeping within the law when stepping into the world of cloud services.

Some resources that you may find useful

Full Cloud (Educational Apps) Software Services and the Data Protection Act document

Google’s self-certified statement

Microsoft’s self-certified statement

Schoolcomm’s self-certified statement


About Author

Profile photo of Karl Rivers

Karl is an award winning Director of IT for the Royal Grammar School Guildford, based near London, England. He has been working in education for more than ten years and founded ClassThink in 2013 to share technology best practice with other schools. In 2014 he won the NAACE Impact Award for support services in schools, and writes edtech articles for Education Executive Magazine.


    • Profile photo of Karl Rivers

      Hi Morgan,

      I’m Glad you found it useful! Apple hasn’t completed a self-certification document yet, but that doesn’t mean you shouldn’t use their cloud services. I’m sure we’ll see a lot more companies signing up to this shortly, it’s still very early days. It’s also worth noting that this is a self-certification process, so although Google and Microsoft are signed on, schools should still verify the information they’ve provided for themselves. These documents won’t give you any legal cover if something goes wrong.

      Apple still meets the US-EU Safe Harbour agreement, and many schools across the UK have successfully negotiated the DPA minefield — you only have to look at the number of iPads being used. Government advice is to draw up a formal contract between the school and the company, but this simply isn’t realistic for many schools. I wouldn’t be surprised to see Apple on board with in the next few months.

      Hope this helps.


    • Profile photo of Karl Rivers

      This is a difficult one. An individual school is unlikely to be able to visit Google and as to check their security procedures. What you can do is contact Google Education directly and check that they meet government guidelines for data protection. You might find this document useful.

      If you’re really unsure I know that at least one local authority in the UK has developed an additional contract with Google.

Tell us what you think!