Safe Harbor

Clarity on Safe Harbor

As part of my involvement with the Scottish Government’s ICT Excellence in Education group I have been learning a lot about ‘Safe Harbor’ [sic] agreements and their impact on what we can and can’t do with data in schools. In addition, it has become very apparent that many people don’t know very much about the topic and that as a result, the default position is to block things rather than find out the reality. I don’t think it’s any secret that one of the services I really like for using with classes is Edmodo, but there have been questions raised about Edmodo and its safe harbor status so, in the interests of explanation and clarity, here’s a wee guide to what safe harbour is, how you can check whether a service is a signatory, and why Edmodo is safe to use.

We have a great responsibility in schools to keep pupil data safe and secure. However, in the ‘cloud’ computing age, it is becoming more and more common for our online data to be hosted ‘somewhere’, and it’s not always easy to know where. The relevant legislation and laws governing how this data is used lies within the Data Protection Act 1998 (DPA98). From a Scottish point of view, Data Protection is what is known as a ‘reserved matter’ — which means Westminster makes the law rather than the Scottish Government, so address any complaints to London!

Schedule 1 of the DPA98 lists its key principles as follows:

 1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –

(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The UK Data Protection was a direct response to EU Directive 95/46/EC which was introduced in 1995 and had to be enacted by the end of 1998 (hence the date of the UK DPA). It is fair to say that the EU and by extension, the UK, have some of the most rigorous data protection rules in the world. This has had the knock on effect of meaning that it is expressly forbidden for pupil data to be held outwith the European Economic Area (EEA — ie: the EU for all practical purposes) unless the company has agreed to observe the same level of protection for the data as that provided within the EEA. Note the important point, an individual company can be approved to host data, there is no requirement for there to be an agreement with a whole country. That said, because of the importance for American businesses in particular to be able to work seamlessly with residents of the European Union, it was decided to create a US-EU agreement in 2000 whereby American businesses and service providers could adopt the principles of EU Directive 95/46/EC. In effect, they would agree to maintain the same levels of security and protection of personal data as that offered within the EU. This is the ‘safe harbor’ agreement.

In order to transfer data outwith the EU, Principle 8 of the DPA98 comes into play. This states that:

Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Sending personal data outside the European Economic Area (Principle 8)

The ‘safe harbor’ agreement is overseen by the EU and the US Department of Commerce. As long as a company is signed up, we do not have to worry about the fact that data will be held in the US. There is, however, one very important condition to this which I will mention when talking about Edmodo in a minute or two.

In short… as long as a US company has agreed to observe ‘safe harbor’ environments — which they need to re-accredit themselves with every year — there should be no legal reasons why you should not use them. So… how do you check whether a company is a ‘safe harbor’ signatory?

How do you know?

The obvious place, and the first port of call, is the US Government’s Department of Commerce Safe Harbor site which you can find at http://export.gov/safeharbor/. However, you need to be aware that this site is not fully up to date… in fact, it really does need to get a serious overhaul! You can search, but you will struggle to find some really obvious companies thsat are signed up to the safe harbor agreement… which brings me to Edmodo and TRUSTe.

Is Edmodo a ‘Safe Harbor’ company?

One of the most popular sites that teachers have been adopting for using in class is Edmodo. It looks like a very well known social media site, but is designed from the ground up to be a virtual classroom with lots of whistles and bells. It also has the advantage of being popular with classes as they ‘get it’ from the word go. Chuck in the mobile Apps for iPhones, iPods and iPads, as well as the new Android app, and you begin to appreciate that Edmodo are really on to something (Disclosure: I am a fan!). There is, however, one particular fly in the ointment that needs to be addressed. I have seen a very snippy response from someone that Edmodo is not a ‘safe harbor’ company and so should not be used. The basis for this assertion was that Edmodo does not (yet) appear on the US Gov’s ‘Safe Harbor’ listings, but, as I mentioned above, the ‘official’ site is notoriously slow at updating, and does not have all safe harbor companies listed. Fortunately, there is TRUSTe. This is the online privacy company used by Microsoft, Apple, Disney and many, many others to ensure data and privacy legislation compliance. In short, they are in the business of keeping companies secure, and also in the business of ensuring that all their data is entirely up-to-date and relevant.

If you go to the TRUSTe search page (http://www.truste.com/consumer-privacy/trusted-directory/) you can enter any company or service name and will be given a list of all the relevant certificates or seals that the company holds. A quick search for Edmodo returns this:

TRUSTe Edmodo Search

Edmodo are indeed an EU Safe Harbor company… but I decided to bite the bullet and ask them why they didn’t appear on the US Gov Safe Harbor list. I dropped them a line and got a wonderful reply from Lucia who, amongst other things, let me know that their lawyers are working on speeding up the US Gov list. What she also reminded me of, was the condition I hinted at earlier. It is essential that in order to comply with the legislation, every learner who signs up for Edmodo completes a consent form. There are some samples available through Edmodo itself, but you will need to customise them for your school and to include a space for parents/carers to sign their agreement. Once you have received these, you should be good to go… unless, of course, your LA decides that Connected Learning is not a desirable thing.

Summing Up

In conclusion, here are the sound bites that I should have just tweeted!

• You can use a service/solution that hosts personal data outwith the EU as long as the company/service are signed up to the Safe Harbor agreement.
• You should use TRUSTe as well as the US Government to check the safety credentials of a site.
• Edmodo is a (rather awesome) ‘safe harbor’ company.

I hope this helps clear up some of the confusions I’ve been hearing about. Feel free to post a comment if you have any questions or wish further clarification. 😉

[UPDATE — Meant to mention this in the main body of the post, but Google are also a safe harbor company which is great news if you wish to use Google Apps with your learners! 😉 ]