I’ve written about data security a few times recently, prompted by the various incidents of data loss in other government departments. One of the web pages I’ve been watching is the Becta advice page on “Information Security Guidance for Schools”. I’ve noticed that it was updated last week, and the guidance has been tightened up. I’ve highlighted in bold the changes from the original version (which you can see here): things like changing ‘recommend’ to ‘must’, and removing phrases such as ‘where this is available’. They are reviewing information security guidance, and have said:
In the meantime, school management teams should take urgent steps to ensure information asset owners in their institutions follow this guidance:
- All data should be kept safe and made available only to those who are authorised to access it.
- Do not remove sensitive or personal data from the school premises unless the media is encrypted and is transported securely for storage in a secure location.
- When data is required by an authorised user from outside of the school premises – for example by a teacher working from their home – they must have secure remote access to the management information system (MIS) or learning platform.
- Protect all desktop, portable and mobile devices, including media, used to store and transmit personal information using approved encryption software.
- Securely delete (over-write media and shred paper) sensitive or personal data when it is no longer required.
- Ensure that your institution’s security policy covers how personal information is stored, transmitted or processed and that it is managed and protected accordingly. Use Binding Corporate Rules and best practice methodologies such as the International Standard ISO 27001.
- School leaders should ask their support providers or technical staff to ensure that their institutions are fully adopting and using the ICO, Hannigan and international best practice standards.
Sadly, there’s no link to the Hannigan recommendations (this was the inquiry set up after the 27 million HMRC records were lost on CD), so you may have to wait until there’s more info published on that (the web doesn’t really turn up much that’s substantive on this, and the interim report doesn’t say much for education).
What does this mean?
Well, depending on what is included within the definition of ‘sensitive or personal data’, it could mean that teachers and senior managers are no longer permitted to remove pupil data from school on their laptops, unless it’s encrypted and is “transported securely for storage in a secure location”. Looks like the timetablers are going to be tied to their desks this year, or move house to Fort Knox!
And it also seems to put the onus onto the technical staff (you!) to ensure that your school is fully adopting the ICO, Hannigan and international best practice standards. Whoa!
There’s some advice about encryption on this blog post, and my colleague, Jerry Fishenden, who is Microsoft’s National Technology Officer, has a handy hint for encrypting data on a USB memory stick using Vista’s BitLocker feature.
I’ll keep an eye out for further developments – especially if there’s more advice on what constitutes ‘sensitive or personal data’ and ‘secure remote access’ from Becta or DCSF.
But it could be worse…
We could yet end up in the situation of the HMRC, with helpful web pages like this, with advice on “What to do if you suspect or discover fraud”.