Yesterday I pointed out that the updated Becta advice appeared to ban schools from removing student data from the school, but that the advice wasn’t very clear. Since yesterday, they have updated their advice to schools, and now give much clearer, and much stronger, guidance.
Firstly, they have been clearer on what “personal data” is (ie that which cannot leave school), it “is defined as any combination of data items that identifies an individual and provides specific information about them, their families or circumstances. This includes names, contact details, gender, dates of birth, unique pupil number (UPN) and so on, as well as other sensitive information such as academic achievements, other skills and abilities, and progress in school. It may also include behaviour and attendance records.”
Secondly, they have said that they will publish full guidance in August 2008, including best practice on encryption, audit logging and acceptable use.
Thirdly, they have said, about protection and encryption “The Information Commissioner’s Office recommends that data controllers ensure that any solution meets the current standard of FIPS 140-2 approved encryption products”. Wikipedia is useful on FIPS 140-2, although it raises a few more questions, and BitLocker built into Windows Vista is FIPS 140-2 certified (according to Michael Howard, a self-described “simple software security guy at Microsoft”).
They’ve also said that the requirements of the Cabinet Office’s Hannigan letters haven’t yet been published, but they’ll publish the link when they know.
And finally, they say “There are many changes forthcoming on information security and data protection as both the DCSF and Becta guidance is currently being updated.”
All of this might be good advice, and technically accurate, but I’m not sure it’s going to mean much to a primary school data controller (ie the bursar/secretary). The directive is clear – if teachers take home their laptops containing pupil data, then there’s a problem. But I guess we’re all going to have to wait for further information until we can give you advice about how to meet the guidelines, and keep your data safe and secure.
If you want to find out a little more, then take a look at the replay of the Live Meeting hosted by Bill Orme in January – it was for central and local government IT people, but has become relevant to us all now! It’s the first link on this page. There is sound, but it doesn’t arrive until 2 minutes in!
This is looking like a very thorny, and potentially complex issue. I’ll keep watching the Becta advice, and see if I can bring you more down-to-earth interpretations