Data Security in schools – rules tightened


I’ve written about data security a few times recently, prompted by the various incidents of data loss in other government departments. One of the web pages I’ve been watching is the Becta advice page on “Information Security Guidance for Schools”. And I’ve noticed that it was updated last week, and the guidance has been tightened up. I’ve highlighted in bold the changes from the original version (which you can see here). Things like changing recommend to must, and removing phrases such as ‘where this is available’. They are reviewing information security guidance, and have said:



FirstquotesIn the meantime, school management teams should take urgent steps to ensure information asset owners in their institutions follow this guidance:



  • All data should be kept safe and made available only to those who are authorised to access it.

  • Do not remove sensitive or personal data from the school premises unless the media is encrypted and is transported securely for storage in a secure location.

  • When data is required by an authorised user from outside of the school premises – for example by a teacher working from their home – they must have secure remote access to the management information system (MIS) or learning platform.

  • Protect all desktop, portable and mobile devices, including media, used to store and transmit personal information using approved encryption software.

  • Securely delete (over-write media and shred paper) sensitive or personal data when it is no longer required.

  • Ensure that your institution’s security policy covers how personal information is stored, transmitted or processed and that it is managed and protected accordingly. Use Binding Corporate Rules and best practice methodologies such as the International Standard ISO 27001.

  • School leaders should ask their support providers or technical staff to ensure that Endquotestheir institutions are fully adopting and using the ICO, Hannigan and international best practice standards.



Sadly, there’s no link to the Hannigan recommendations (this was the inquiry set up after the 27 million HMRC records were lost on CD), so you may have to wait until there’s more info published on that (the web doesn’t really turn up much that’s substantive on this, and the interim report doesn’t say much for education).


What does this mean?


Well, depending on what is included within the definition of ‘sensitive or personal data’, it could mean that teachers and senior managers are no longer permitted to remove pupil data from school on their laptops, unless it’s encrypted and is “transported securely for storage in a secure location”. Looks like the timetablers are going to be tied to their desks this year, or move house to Fort Knox!


And it also seems to put the onus onto the technical staff (you!) to ensure that your school is fully adopting the ICO, Hannigan and international best practice standards. Whoa!


There’s some advice about encryption on this blog post, and my colleague, Jerry Fishenden, who is Microsoft’s National Technology Officer, has a handy hint for encrypting data on a USB memory stick using Vista’s BitLocker feature.


I’ll keep an eye out for further developments – especially if there’s more advice on what constitutes ‘sensitive or personal data’ and ‘secure remote access’ from Becta or DCSF.


But it could be worse…


We could yet end up in the situation of the HMRC, with helpful web pages like this, with advice on “What to do if you suspect or discover fraud”


HMRCWebpage


 


Comments (9)

  1. arichards says:

    So BECTA make changes to the security guidelines and it seems without any thought for how this will impact on Schools, teachers and technical staff.

    My initial reaction is that it seems that Schools will no longer be allowed to let data off site. For my School this is not a big issue. We don’t let data offsite. We provide secure encrypted access to our MIS over the internet.

    What about teachers who keep their own personal records about students on their School laptop; how will this affect them. Is the fact the laptop is secured with a login sufficient or are we going to have to digitally encrypt every single teacher laptop (Vista BitLocker springs to mind)

    What about parent access to MIS systems, is this still viable given that we have no control over their use of this information.

    Also are BECTA or the government going to provide some sort of training for technical staff on the Hannigan standards (take note that even BECTA don’t provide a link to a site to view these standards)

    If technical staff are going to be responsible then we need to know and more importantly understand what these standards are.

    The fact that BECTA have changed these guidelines then it makes me suspicous that these ‘guidelines’ will eventually become mandatory.

  2. davecoleman146 says:

    to get all schools to stop a teacher taking a spreadsheet home with pupil data is nearly impossible. We in many ways are lucky in that to access data remotely we store this on SharePoint or they access files through remote desktop either way they are challenged for username and password but I feel that we are in the minority in this respect.

  3. Rayfl says:

    Your comments are good points – I guess it will all depend on what is interpreted as "sensitive and personal data". The Becta guidance doesn’t give any insight into this, so we may be back to the views of individual schools and local authorities. Would a pupil’s name be "sensitive and personal data", or perhaps it would only be if attached to other data, like the Unique Pupil Number (UPN) or some other bits of data like SEN or Free School Meals (FSM) status?

    I’m pretty sure that the UPN is already categorised as restricted data – from my days in MIS systems, I can recall that schools were not permitted to reveal it to parents or others outside of the education system.

    (As an aside, have just read about a bunch of "Top Secret" papers being left on a train by a civil servant. I guess that everything you can do about data security can be easily overriden by a poor "user"

    http://news.bbc.co.uk/1/hi/uk/7449255.stm)

  4. apearce says:

    Security of data has always been important and it’s good to see BECTA putting in some standards like this but I too am worried about how far this goes.

    Looking at previous experience I can see this being very different on staff to take grip on.  The information they need to work can be accessed through a learning gateway but not all have access to the internet at home.  They transfer data to memory sticks, laptops or use programs such as Groove to download an offline copy but how can we monitor where this data goes as soon it has left the school grounds?

    Memory sticks can be past to family memories to add other files, friends for pictures and allows them access to this data.  With viruses and spyware they can access the memory stick so how can this be monitored on a home computer.  How many people have used your memory stick – how many pupils have used your memory?

    A lot of staff take laptops home and let their family use it.  With the current credit crunch they won’t buy new computers for home and use school laptops instead – how can we stop family members from accessing it, their kids playing with the laptop and deleting the sensitive information?

    You also have parents accessing information on the learning gateway and the MIS system which includes a photo of the pupil, their full name and address – is SSL encryption enough for this.

    I think your finally comment Ray is the moment important – it doesn’t matter how much you invest in security, the encryption you put in and the restrictions in place – it’s still down to the user.

  5. GrumbleDook says:

    A remote access system available over and encrypted connection is a sensible solution for some of this … meaning that you can instruct staff *not* to work with data off-line.

    This issues start when you have to factor in cost to setup, run and refresh the system, staff training to use it correctly and the fact that staff can then turn round and ask who the flip will pay for their broadband if this is the only way they can work on stuff when away from the school site.

    To some extent the guidance it too late. A number of LAs have already stripped out the idea of two physical networks (part of ISO27001) and even stripping out the use of two logical networks (via IP addressing / routing) but will include the use of logical networks via VLANs. To move back to two physical networks would restrict the growth in the use of technology as a tool for T&L and concentration on it as a tool for administration and analysis.

    One of the important things to concentrate on is staff training on data protection. This is key. Don’t just concentrate on technical solutions to the problem … deal with the user.