Legal Issues in IT | September 2013 Digital Edition
The Major Cloud Computing Problems You're Not Paying Attention To
Keeping pace with the minutiae of cloud computing law is a big--usually forgotten--challenge for school districts. It's also a necessary one.
When it came to helping districts navigate the morass that is modern data storage, the federal government likely had the best of intentions. In its 2010 National Education Technology Plan, the US Department of Education seemed to be betting its chips on cloud computing, remarking that a cloud storage model, where data is kept on internet servers scattered around the country or the globe, can "support both the academic and administrative services required for learning and education." But at the same time, it hedged its bets a bit, remarking that the cloud "is still in a nascent stage with obstacles to overcome to fully realize its potential."
Of those obstacles, legal issues remain one of the biggest factors limiting schools from fully embracing the power of the cloud. And, despite the National Education Technology Plan's apparent soft spot for cloud computing, the government has given little legal guidance as to how to meet those challenges. Among the issues facing schools are concerns about contracting, ownership, privacy, data security, and access. Here's what to keep in mind as you explore any cloud service as a home for your data.
At the core of the legal concern over cloud computing is data. In the digital world, data is constantly being created, archived, shared--and even occasionally destroyed. The default position of the internet is open, meaning all the data that interacts with the internet can be shared. This, of course, presents a challenge for school personnel who are under legal obligation to keep the information secure. These legal obligations stem from the Family Educational Rights and Privacy Act (FERPA) and Children's Internet Protection Act (CIPA), but also from related privacy statutes such as the Health Insurance Portability and Accountability Act (HIPAA). Other laws, such as the Children's Online Privacy Protection Act (COPPA), apply to technology providers but also impact the school and require the school's attention.
Compounding all of this federal regulation is a host of privacy and data security laws that vary by state, some of which might be surprising. Take, for instance, state open records or "sunshine" laws, which permit the public and press to inspect records of government organizations, including schools. When public data is stored in the cloud, it may be subject to the open records requirements already applicable to schools, which can include Freedom of Information Act requests for non-student-specific data.
The majority of specific legal concerns about cloud-based data stem from the fact that some public data is privately held. While some public schools have created multi-district, resource-sharing cloud solutions, such as the IlliniCloud in Illinois, most school districts contract to use proprietary cloud solutions from third-party vendors for various elements of the school organization. (Relationships between schools and districts and cloud vendors are explicitly permitted under the FERPA regulations. Schools can pass data to "a contractor, consultant, volunteer, or other party" if the cloud-based outsourcing meets some general privacy and nondisclosure requirements.)
The vast amount of data that schools are storing in the cloud might include student attendance, student grades, student work products, course information, employee e-mails, employment files, the school budget, and many other core information functions. It might even include student-related work through familiar services like Edmodo, Dropbox, or Facebook.
A Look at Cloud Contracts
The private contracts between schools or districts and cloud vendors that govern all of this data--and how it's stored--are essential for providing legal clarity and protection for administrators, employees, and students. Many of these contracts, especially those involving companies that are household names, are one-size-fits-all agreements. However, smaller companies, and ones that rely on partnerships with schools, may be more open to negotiation.
For schools considering the legal elements of these contracts, it is important that these documents specify that the private cloud company has no ownership interest in the intellectual property contained in the uploaded information. Agreements specifically designed for public educational use, such as the one for Google Apps for Education, make this clear in their contract (see number 8). However, cloud services that are not specifically designed for education may look to retain some ownership interest in the work. Most cloud computing contracts will also contain a secondary license granting the rights to use the intellectual property in specified ways, including, potentially, commercially profitable sharing. The extent of this secondary license should be of great concern to educators.
Facebook is the classic case of exploiting user information--data that many would consider private--for their secondary purposes. Facebook states that the company will "use the information we receive about you in connection with the services and features we provide to you and other users like your friends, our partners, the advertisers that purchase ads on the site, and the developers that build the games, applications, and websites you use."
Keeping Data Handy
Transfer rights are related to another important issue in cloud computing: privacy and security. In the world of education, the privacy and the security of data are mandated by federal and state statutes designed to protect student and employee records. Specific certification for data security should be included in the contract, and the vendor should be able to show some form of industry-accepted certification for their data center or the data center with which they contract (making for even more complex contracts). These types of certifications include one issued by the American Institute of Certified Public Accountants and the International Organization for Standardization (ISO 27001), as shown by the industry standards met by the Amazon cloud storage solution.
Next, to help insure privacy, the contract should articulate ongoing access to data rights for the school organization. Not only is an "access to data" clause important for maintaining access to an institution's own data for various daily uses, but access to data is important in the event of litigation.
As data increasingly becomes digital, the need to gather evidence for litigation has led to the field of e-discovery, which refers to the electronic documents or other records requested during the investigational period of litigation by either party to the suit. (My University of Kentucky colleague Scott Bauries wrote a series of four blog posts that provides a great background to the issue of e-discovery in education.) Because these electronic records are increasingly stored in the cloud, a contractual provision with a cloud provider specifically articulating data access rights and limitations is essential to ensuring that your organization maintains control and assures the privacy of all electronic data, even during litigation when the cloud provider is likely to be involved in the discovery process.
A Complex Situation
As you can see, there are a variety of complex legal issues involved in cloud hosting of educational and employee data. Unfortunately, there is little legal guidance available for schools, and most local school board attorneys may struggle with the legal and technical complexities of this area. This situation is made even more complex, of course, by the uncertainty and lack of flexibility in industry-standard clickwrap agreements. Clickwrap agreements are the checkboxes we all tick off (but rarely ever read) when installing new software. These clickwrap agreements have been found to be applicable even to students in the education setting.
This complexity, lack of flexibility, and lack of legal guidance has led to some, such as industry watchdog SafeGov, to call for statutory or regulatory reform to meet the challenges of off-site data storage in education. Luckily, this issue has been examined more fully at the higher-education level. This series of reports by Educause (1) (2) (3), for instance, provides some useful background for K-12 professionals considering cloud transitions.
Cloud computing represents a fundamental change to the underlying concept of data in education, and thus presents many substantial risks and legal concerns. Obtaining the vast scope of benefits offered by cloud computing, though, requires us to make these difficult transitions. In the near term, contracts with cloud providers are the only substantial mechanism by which educators can resolve these legal concerns. By working together over the next few years, the educational community can build a more robust legal infrastructure for cloud computing in schools.