The learning through Technology team are not in any way legally qualified to offer specific advice on the EU Court of Justice ruling. Please contact our Information Security Officer for up to date advice
However, we all have a legal responsibility to ensure we adhere to the principles of the Data Protection Act.
The section Safe Harbor related to was Principle 8
Sending personal data outside the European Economic Area
The Data protection act (DPA) says that :
“Personal data shall not be transferred to a country or territory outside the European Economic Area ( EEA ) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
What happens now the Safe Harbor arrangements are no longer in place
The only way of complying with the Data Protection Act would be to gain the specific and informed consent of the data subject (in our case the data subject would be students and teachers)
But, to be properly informed, the data subject would need to be told that their data was going to a country where the authorities’ wide ranging powers of interference and surveillance and the absence of any administrative or judicial means of redress, compromise individuals’ fundamental rights to respect for private life and to effective judicial protection.
And considering the Court of European Justice ruling has questioned the data protection and security regime of the United States, then no contractual agreement will satisfy the EU data protection requirements.
At time of writing Safe Harbor 2.0 (If this is what it is to be called) currently being drawn up by the EU and US authorities, is already being questioned.
Google Apps for Education and other Software providers have offered Model Contract Clauses (MCCs) as an alternative compliance option to Safe Harbor for a number of years. These clauses are not directly affected by the European Court’s decision and can be used by customers as an alternative means to legitimise the transfer of data.
The Department of Education (Scottish Government recognised) document provides further advice on Cloud services ( Cloud Service Guide 2015 )
In the specific case of Edmodo, Safe Harbor allowed its use , but with qualifying conditions.
The current terms of service for Edmodo can be found here https://www.edmodo.com/corporate/terms-of-service
To agree to using Edmodo, ALL of your learners would have had to have parental agreement as detailed below , and you will have kept a signed agreement , renewed annually for every pupil using the service.
“IMPORTANT! If you are not of legal age to form a binding contract (in many places, this is 18 years old), then you must get your parent or guardian to read these terms and agree to them for you, before you use Edmodo or provide any information to us. Please review this agreement with your parent or guardian so that you both understand how Edmodo works and what restrictions apply to your use of our websites and services. Remember, always get an adult’s permission before going online.”
With the demise of the Safe Harbor agreement, I would take a serious look at the terms and conditions, knowing that personal data is being stored outside the EEA, and look to other services such as GLOW to share data with learners and other professionals.
If you are in any doubt , please contact the Information Security Officer at Aberdeenshire Council who will offer more detailed advice.
