It is not unusually for schools to use a ‘cloud’ service. Services such as backup, VLEs and the hosting of email have for along time on someone’s else’s server somewhere in the world.
As far as the DPA is concerned all of the principles need to be thought about but two are of major concern.
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The school still retains the duty to take care of the data. How can you do this if the servers belong to someone else? What access do you have?
Two excellent blog about the issues can be found at:
As part of moving a service into the cloud I would always consider completing a Privacy Impact Statement (or a simplified version of it)- see the guide from the ICO here