Information Security – information so secret, nobody’s heard of it…

Last week I wrote that the Becta advice on “Information Security Guidance for Schools” had been updated, effectively banning schools from taking student data out of the school. A few readers commented on the news – ‘impossible’ and ‘worried’ came up – and so I’ve been looking for a little more information. Nobody seems to have heard much more about what’s going on, and what the eventual final advice for schools is going to be, so I’ve been stalking the web for info… and that’s drawing blanks too!

The Becta advice urges schools to “review their existing data security policies and update them to include the specific requirements of the Cabinet Office’s Hannigan letters”, and they also refer to meeting “the July 2008 Hannigan timeline”, so I’ve been looking at what that means.

Well, they’ve really got me now – there appears to be no such thing as the Hannigan letters – the only reference on Live Search and Google is back to the same Becta page. It’s pretty rare to find a web search that only turns up two pages!

However, the Becta reference to the “July 2008 Hannigan timeline” also produces the same trick!

There is an interim Hannigan report of December 2007, from the Cabinet Office, which barely mentions education: “The Department for Children, Schools and Families has reminded all staff about their data and information security responsibilities” (page 7), and err, that’s it. The interim report promises a further Hannigan Report in “Spring 2008”, so I guess it is just around the corner.

So, if anybody from Becta is reading, help! Let us all into the secret info we need to be able to manage information security in schools!

I’ll keep you updated – sometime in the next 14 days it looks like there’s a stringent set of data protection rules coming. Ever since I wrote the blog item last week, there's been a daily story in the news of government data and information being lost, so I guess it'll be on quite a few priority lists now!

Update One: Alan Richards has been asking Becta too, and he's had a partial answer - which he shares on his blog. In a nutshell, the Hannigan letters that you're asked to comply with haven't yet been published, but Becta will provide a link when they are.

Comments (2)

  1. arichards says:

    Interesting you can’t find anything on the Hannigan reports.

    I emailed BECTA directly once your first blog appeared to ask them for clarification. I received a very nice response saying my email had been passed to the relevant department.

    However I think that department was the ‘Bermuda Triangle’ because I haven’t heard anything since.

    It’s OK publishing guidelines that reference other material, but shouldn’t they then give us at the coal face access to those referenced documents?

  2. sprince says:

    It’s wonderful how BECTA pump out this advice so readily. Unfortunately we tax payers are paying some ridiculous amount of money for these people to produce it.

    For example, this statement:

    "When data is required by an authorised user from outside of the school premises – for example by a teacher working from their home – they must have secure remote access to the management information system (MIS) or learning platform."

    Is that guidance? Subtracting their favourite buzzwords, it doesn’t add up to much. For example, the majority of learning platforms they have endorsed in THEIR OWN accreditation programme do not mandate an https login and some don’t even have it as an option! Are we saying that "secure remote access" now means "needs a password"? I’m getting that feeling.

    They then put the nail in the coffin with:

    "The Information Commissioner’s Office recommends that data controllers ensure that any solution meets the current standard of FIPS 140-2 approved encryption products"

    which was also in the original document released straight after the missing discs incident. Not terribly helpful really.

    First off, BitLocker – possibly the most applicable and well-known technology in this area – has only had FIPS 140-2 validation for 3 weeks (since 2008-05-22 according to BECTA don’t feel the need to specify a level either (BitLocker reached level 1 of 4). Are the staff of schools and LAs expected to trawl through this drivel and search through the vast NIST archives to find out if their copy of Winzip can encrypt to a high enough standard? I’d say that’s unrealistic and will be ignored by at least 99.9% of schools. Remember, the people most likely to put school data at risk are not those that run the network and know what the word encryption means!

    It all smacks of someone fresh off a degree course putting a document together in a hurry on a topic they have no prior experience of. I get that feeling regularly from BECTA tbh – heavy on (mostly incorrect/irrelevant) detail; light on common sense.
