9. The Internet, Online Services & Web 2.0 Services
9.5 Cloud Computing Services
The UK Information Commissioner (ICO) has published guidance on cloud computing services which includes this definition: ‘cloud computing services offer organisations access to a range of technologies and service models typically delivered over the internet’. In the accompanying overview, the ICO states:
‘Organisations that maintain and manage their own computer infrastructure may be considering a move to cloud computing to take advantage of a range of benefits that may be achieved such as increased security, reliability and resilience for a potentially lower cost.
By processing data in the cloud an organisation may encounter risks to data protection that they were previously unaware of. It is important that data controllers take time to understand the data protection risks that cloud computing presents’.
The University’s Information Services offer internally hosted cloud services, which staff and students must consider first before investigating the transfer of personal data (or confidential/commercially sensitive University information) to an externally hosted service. If it is agreed that the University is unable to provide what is required, any staff member intending to use an external service must:
- Refer to the ICO’s guidance and in particular the checklist at s.98 which covers these headings: ‘Risks, Confidentiality, Integrity, Availability & Legal’
- Consider and where necessary seek legal advice on the terms of the agreement with the cloud provider
- Ensure they can demonstrate that they can satisfy the legal requirements of signing up to the service
- Seek the written approval of their line manager
- Consult the Information Governance Manager
9.6 e-Learning systems, Virtual Learning Environments and ePortfolios
All e-learning systems will collect and process personal information about students at some point in the process.
When a student starts using a virtual learning environment (VLE), they will be generating personal data, examples of which include their personal details, their submitted work and academic results.
In most cases, in respect of a VLE, the data controller for the personal data will be the University. Where the technical provision and administration of the VLE is outsourced to a third party provider, it is still likely that the University will be the data controller, with the third party provider being considered a data processor acting on the University's behalf. In those circumstances, Data Protection legislation requires that a contract must be executed in writing between the University and its data processors. In addition to ensuring the security of its own processing, the University must also take steps to ensure that any data processors processing the data on its behalf are placed under a security obligation.
The data protection issues that are likely to arise from an institutional e-learning system will vary depending on a range of variables and include:
- the developmental process that produced the system
- the nature of the data it is envisaged will be stored in that system
- the range of people who it is envisaged will have access to the data
- in the case of ePortfolios in particular, the means by which learners, rather than the University, may make the data available to others.
Further information is available on the Moodle Help pages.
9.6.1 Data security
It is vital that data in e-learning systems is maintained securely. These systems, their hardware, software, databases and the communications systems on which they are based must be technically robust and secure. Measures which the University must also address include:
- who has access to the system
- what controls are in place over how these people can access the system; and
- how the entire system is governed.
9.6.2 Ongoing compliance
Once an e-learning system becomes operational, the University staff responsible for it must take the necessary steps to ensure that continued compliance with the University's obligations under Data Protection legislation can be demonstrated. In particular:
- data subjects, University employees and 3rd parties permitted to access the personal data should all be regularly reminded of their rights and obligations
- all proposed future changes to the system, both technical and administrative, should be reviewed for their data protection implications prior to their implementation, and where necessary, advice on their impact should be sought from the University's Information Governance Manager, including on whether a Privacy Impact Assessment is required
9.6.3 Turnitin and GradeMark
The University has subscribed to Turnitin®UK, a text-matching software service that may be used to assess the originality of student work or, alternatively, may be used by students to submit their own written work. GradeMark is an essay marking tool provided by Turnitin. Information about these services, their use at the University and their data protection implications is available for staff or students.
9.6.4 Developing an e-learning system
When developing an e-learning system, ensuring best practice compliance with data protection law should always be built into the planning and design process. Staff involved in any such development should seek advice from the University's Information Governance Manager and consider whether a Privacy Impact Assessment is required. Factors which must be considered are:
- proposed uses of personal data
- the potential 3rd parties from whom transfers of personal data may be received into the system, or to whom data may be transferred from the system
- the respective data protection risks and the University's responses to these
Further discussion and advice on ePortfolios, VLEs and data protection can be found in the JISC guide to Technology and Tools for Online Learning.
Page last updated 04 September 2018