Information Security – it’s all go now…

Yesterday I pointed out that the updated Becta advice appeared to ban schools from removing student data from the school, but that the advice wasn’t very clear. Since yesterday, they have updated their advice to schools, and now give much clearer, and much stronger, guidance.

Firstly, they have been clearer on what “personal data” is (ie that which cannot leave school): it “is defined as any combination of data items that identifies an individual and provides specific information about them, their families or circumstances. This includes names, contact details, gender, dates of birth, unique pupil number (UPN) and so on, as well as other sensitive information such as academic achievements, other skills and abilities, and progress in school. It may also include behaviour and attendance records.”

Secondly, they have said that they will publish full guidance in August 2008, including best practice on encryption, audit logging and acceptable use.

Thirdly, they have said, about protection and encryption: “The Information Commissioner’s Office recommends that data controllers ensure that any solution meets the current standard of FIPS 140-2 approved encryption products”. Wikipedia is useful on FIPS 140-2, although it raises a few more questions, and the BitLocker Drive Encryption components built into Windows Vista have FIPS 140-2 validation (according to Michael Howard, a self-described “simple software security guy at Microsoft”). Bear in mind that the validation covers the cryptographic module, not the laptop as a whole: Windows has to be running in FIPS mode (the “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” security policy setting), and BitLocker actually has to be switched on for the drive that holds the pupil data.
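As an added example (not from the original post or from Becta), here is a small PowerShell audit script that checks the two conditions just described on a Windows laptop: that the operating system drive is protected by BitLocker, and that the FIPS-mode security policy is enabled. It assumes the `manage-bde.exe` command-line tool (present in Windows 7 and later; Windows Vista ships the equivalent as a `manage-bde.wsf` script run via cscript) and the registry location Windows Vista and later use for the FIPS policy.

```powershell
# Added example, not code from the original post. Run from an elevated prompt.
# Checks whether a laptop meets the two things the "FIPS 140-2 approved
# encryption" guidance implies: BitLocker protection on the OS drive, and
# Windows running in FIPS mode.

$osDrive = $env:SystemDrive   # e.g. "C:"

# 1. BitLocker status. manage-bde -status reports a "Protection Status" line;
#    it reads "Protection On" only once encryption is complete and the key
#    protectors are active. (Assumes manage-bde.exe is available.)
$status = & manage-bde.exe -status $osDrive 2>&1
$protectionOn = [bool]($status | Select-String 'Protection Status:\s+Protection On')

# 2. FIPS mode. Vista and later store the policy under this key; 1 = enabled.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fipsEnabled = $false
if (Test-Path $fipsKey) {
    $val = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $fipsEnabled = ($val -eq 1)
}

Write-Host ("BitLocker protection on {0}: {1}" -f $osDrive, $protectionOn)
Write-Host ("FIPS mode enabled:          {0}" -f $fipsEnabled)

if (-not ($protectionOn -and $fipsEnabled)) {
    Write-Warning 'This machine does not meet the encryption guidance described above.'
    exit 1
}
exit 0
```

One caveat worth knowing before turning FIPS mode on across a fleet: on Vista and Windows 7, BitLocker will not create or accept a 48-digit recovery password while FIPS mode is enabled, so recovery has to rely on a recovery key saved to USB or to Active Directory. Decide how recovery keys will be stored before teachers’ laptops start being encrypted.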

They’ve also said that the requirements of the Cabinet Office’s Hannigan letters haven’t yet been published, but they’ll publish the link when they know.

And finally, they say “There are many changes forthcoming on information security and data protection as both the DCSF and Becta guidance is currently being updated.”

All of this might be good advice, and technically accurate, but I’m not sure it’s going to mean much to a primary school data controller (ie the bursar/secretary). The directive is clear: if teachers take home their laptops containing pupil data, then there’s a problem. But I guess we’re all going to have to wait for further information before we can give you advice about how to meet the guidelines and keep your data safe and secure.

If you want to find out a little more, then take a look at the replay of the Live Meeting hosted by Bill Orme in January – it was for central and local government IT people, but has become relevant to us all now! It’s the first link on this page. There is sound, but it doesn’t arrive until 2 minutes in!

This is looking like a very thorny, and potentially complex, issue. I’ll keep watching the Becta advice, and see if I can bring you more down-to-earth interpretations.


Comments (7)

  1. prharvey says:


    Where does this leave Learning Platforms and Sharepoint sites?  Can MIS information be shared through these sites if only a password is required?  Are there standards that these web-based sites must meet if they provide access to "names, contact details, gender, dates of birth, unique pupil number (UPN) and so on, as well as other sensitive information such as academic achievements, other skills and abilities, and progress in school."?

    Sorry there are so many questions, but the information so far does not highlight the implications for Learning Platforms.  Do we need to turn them off?

  2. arichards says:

    It's nice to see a certain amount of clarification from BECTA, although it still leaves most of us ‘hanging’ while the guidance is finalised.

    As for the question from prharvey (above), it does have implications for MIS systems and Learning Platforms. In another comment on the UK Schools blog sprince makes a good point that to be truly secure the Learning Platform must use ‘secure communication’. He also makes a very good point that some of the accredited BECTA providers don’t even have https as an option, never mind mandatory.

    This whole subject goes much further than ‘teacher with laptop’ and is bound to cause problems in Schools.

    BECTA really need to sit down with a group of School and industry professionals and thrash out this issue rather than sit in their ivory tower and dictate policy.

    It's rather ironic really that both Vista and Sharepoint meet these standards, but BECTA have been telling Schools not to use them !!!!!

  3. Moohorse says:

    If all our new hardware that we purchase for schools comes with Vista Business licenses, and we can only deploy Vista Business with our Microsoft Schools Agreement, how can we get BitLocker if it only appears in Vista Ultimate or Vista Enterprise?

    Many thanks, Steve.

    (Not really getting why there needs to be five million different SKUs for Vista)

  4. Ray Fleming says:

    Hi Steve,

    Assuming that your Schools Agreement includes the Windows Upgrade, then you can deploy any version of Windows Vista, including Enterprise (the one with BitLocker).

    If you are buying under Select, then your best option is to buy hardware with just Windows Vista Home, and then a ‘Windows Enterprise Upgrade with Software Assurance’ on the Select licence – not only will that get you a licence for Windows Vista Enterprise, but may also save money.

    (This is getting dangerously close to real, tricky licensing questions, so you may be best to drop a call to your licensing reseller for pricing etc)


    ps I can understand your point about multiple versions of Vista, and unfortunately it’s a bit more complicated in education than for consumers or businesses. Sorry 🙁

  5. sprince says:

    "Sorry there are so many questions, but the information so far does not highlight the implications for Learning Platforms.  Do we need to turn them off?"

    That is a good point, especially as many of the externally-hosted VLEs require some form of synchronization with the school’s MIS (e.g. SIMS) and/or with AD to keep logins and course information up-to-date. The data being transferred each night is exactly the sensitive data they highlight.

    For that to be secure I would say it should at least be done over SSL (say), but I strongly suspect it won’t be when our VLE provider (not naming names) gets its link into SIMS sorted.

    Ray: as for licensing I find the resellers struggle as much as we (and many Microsofties) do when it gets to the tricky bits.

    As an aside, it might be worth pointing at that BECTA page.

  6. Ray Fleming says:

    Hi ‘sprince’,

    I think it’s maybe a little early to make decisions on the externally-hosted VLEs, but I think that when the full guidance is published, there will be some rapid changes to be made.

    At the same time that Becta have been updating the school advice pages, they have also been updating the industry advice (those people who are providing hosted services to schools).

    This advice is stronger than the current school advice, and calls for FIPS 140-2 Level 3.

    For data on a device, this means very secure encryption, and data always being transferred securely with encryption.

    And, yes, you’re right, that there’s a need for us to be a little clearer on licensing – especially of the Windows Vista BitLocker feature. I’m going to write a blog post tomorrow to help clarify. Let me know if it makes it easier!


  7. Ray Fleming says:

    Oh, and thanks for the recommendation…it’ll save my eyesight!