It wasn't a slow news week last week - which must have delighted those people who weren't looking forward to the reaction from publication of the reports on Wednesday into data losses at HMRC, MOD etc. It being a fast news week (is that what a non-slow news week is?) the reports didn't make it onto the front pages of the newspapers. You can more about it all on the BBC website, but broadly the conclusion is that the losses were entirely avoidable.
What is more significant from a schools perspective is the publication of the Cabinet Office final “Data Handing Procedures in Government” report. This is the report that had been eagerly awaited by Becta in their updating of Information Security Guidance for education (aka “the Hannigan letters”). As well as the press rushing to judge, Becta rushed to update their advice for you. We’re still in the early days – there’s plenty of guidance still to come, but here’s the line that heralds the change that you’re facing:
School leaders should ask their support providers or technical staff to ensure that their institutions are fully adopting and using the Information Commissioner's Office (ICO), Data Handling Procedures in Government procedures and minimum measures, and international best practice standards.
To find out how the ‘Government is improving its arrangements around information and data security, by putting in place core protective measures, getting the working culture right, improving accountability and scrutiny of performance’, then you’ll need to read the full Cabinet Office report, but here’s my quick summary of the headlines in it:
- The report calls for technical measures to protect personal data, as well as a change in the culture that properly values, protects and uses data; and finally more accountability for data and it’s protection and use.
- Core measures to protect information will include better specification of what personal data needs higher levels of protection, controls over data transfer, and minimising the use of data on media or laptops, as well as appropriate encryption; and finally logging and monitoring of data use.
- There’s a new category of “protected personal information”, which is either a single record which, if released, could put an individual at risk or distress, or alternatively 1,000 records or more containing information that is not in the public domain.
For a school, that could mean a class list, where one child is identified as “In Care”. Or where medical information is associated with a pupil. Or a secondary school’s register.
For this “protected personal information”, the guidance is that data should be kept within secure premises and systems, and that efforts are made to minimise storage of this data on laptops, disks and memory sticks. Where the use of removable media (including laptops) is unavoidable, encryption must be used (or “physical protection using similar risk assessments processes as for large amounts of public money”)
- The culture of data security is important, and the report mandates “Privacy Impact Assessments”, and mandatory training for all data users & managers.
- Stronger accountability and scrutiny sets out that “information assets” (data to you and me?) are allocated a responsible owner, and there is an annual assessment process
Although we’re going to need to wait a bit longer to hear the guidance on what “protected personal information” really means to a school, there are probably some things you can start doing now to get ready:
- Start looking around school, to see who’s using what data where. Do teachers have lists of pupils that might contain protected data? Are you able to provide secure remote access to that instead? Remember too that this isn’t just about data on a computer – it would also affect information on paper!
- If you’re purchasing laptops or desktop computers that are for staff use, then opt for Windows Vista Enterprise licences, because that has full-drive encryption built-in through BitLocker.
If you have a School Agreement covering your school, then you’re already automatically licensed for this. If you are using Select licensing, then buy a standard version of Vista with your new computers, and buy the upgrade to “Windows Vista Enterprise with Software Assurance” from your Microsoft partner.
It is likely that you’re going to need encryption on all of your staff computers, because most teachers have some data on their laptops that should be protected.
- If you’ve got existing computers with Windows on them, then you’ll either need to plan to upgrade them to Windows Vista Enterprise (or Ultimate), or buy an alternative encryption package (there’s some listed on this page, referenced by Becta)