Information Security – a week on

DatasecurityIt wasn't a slow news week last week - which must have delighted those people who weren't looking forward to the reaction from publication of the reports on Wednesday into data losses at HMRC, MOD etc. It being a fast news week (is that what a non-slow news week is?) the reports didn't make it onto the front pages of the newspapers. You can more about it all on the BBC website, but broadly the conclusion is that the losses were entirely avoidable.

What is more significant from a schools perspective is the publication of the Cabinet Office final “Data Handing Procedures in Government” report. This is the report that had been eagerly awaited by Becta in their updating of Information Security Guidance for education (aka “the Hannigan letters”). As well as the press rushing to judge, Becta rushed to update their advice for you. We’re still in the early days – there’s plenty of guidance still to come, but here’s the line that heralds the change that you’re facing:

FirstquotesSchool leaders should ask their support providers or technical staff to ensure that their institutions are fully adopting and using the Information Commissioner's Office (ICO), Data Handling Procedures in Government procedures and minimum measures, and international best practice standards. Endquotes

To find out how the ‘Government is improving its arrangements around information and data security, by putting in place core protective measures, getting the working culture right, improving accountability and scrutiny of performance’, then you’ll need to read the full Cabinet Office report, but here’s my quick summary of the headlines in it:

  • The report calls for technical measures to protect personal data, as well as a change in the culture that properly values, protects and uses data; and finally more accountability for data and it’s protection and use.
  • Core measures to protect information will include better specification of what personal data needs higher levels of protection, controls over data transfer, and minimising the use of data on media or laptops, as well as appropriate encryption; and finally logging and monitoring of data use.
  • There’s a new category of “protected personal information”, which is either a single record which, if released, could put an individual at risk or distress, or alternatively 1,000 records or more containing information that is not in the public domain.
    For a school, that could mean a class list, where one child is identified as “In Care”. Or where medical information is associated with a pupil. Or a secondary school’s register.
    For this “protected personal information”, the guidance is that data should be kept within secure premises and systems, and that efforts are made to minimise storage of this data on laptops, disks and memory sticks. Where the use of removable media (including laptops) is unavoidable, encryption must be used (or “physical protection using similar risk assessments processes as for large amounts of public money”)
  • The culture of data security is important, and the report mandates “Privacy Impact Assessments”, and mandatory training for all data users & managers.
  • Stronger accountability and scrutiny sets out that “information assets” (data to you and me?) are allocated a responsible owner, and there is an annual assessment process

Although we’re going to need to wait a bit longer to hear the guidance on what “protected personal information” really means to a school, there are probably some things you can start doing now to get ready:

  • Start looking around school, to see who’s using what data where. Do teachers have lists of pupils that might contain protected data? Are you able to provide secure remote access to that instead? Remember too that this isn’t just about data on a computer – it would also affect information on paper!
  • If you’re purchasing laptops or desktop computers that are for staff use, then opt for Windows Vista Enterprise licences, because that has full-drive encryption built-in through BitLocker.

    If you have a School Agreement covering your school, then you’re already automatically licensed for this. If you are using Select licensing, then buy a standard version of Vista with your new computers, and buy the upgrade to “Windows Vista Enterprise with Software Assurance” from your Microsoft partner.
    It is likely that you’re going to need encryption on all of your staff computers, because most teachers have some data on their laptops that should be protected.

  • If you’ve got existing computers with Windows on them, then you’ll either need to plan to upgrade them to Windows Vista Enterprise (or Ultimate), or buy an alternative encryption package (there’s some listed on this page, referenced by Becta)

For more background on this story, read my previous blog posts

Comments (1)

  1. GrumbleDook says:

    I see the main barriers to securing data in schools as follows.

    1 – Understanding what data needs to be secured. The interim category of Protected Personal Data needs to be defined within education and a better understanding of the roles of people working with this data.

    2 – Systemic changes of contracts within schools to include reference to the correct use of personal information. This then needs to be backed up with training and guidance for staff, tailored for their specific roles within the school.

    3 – Systemic analysis of access to information within the MIS. Too many schools have blanket access to Management Information Systems within schools rather than having the access defined by the role of the member of staff. Even with those that do have some granularity in place, when staff move roles within schools they are likely just to have the extra access plonked on top rather than their whole access revised.

    4 – Too many companies working with schools do not follow good practices to protect the data schools send them. I hesitate to think of the number of companies that have asked for information to set up services for students to use and just ask for information to be emailed over. Schools should refuse to use these companies until they change their practices. They should also make sure that have signed agreements to abide by the school’s Data Protection policy.

    5 – Staff taking responsibility for security of data. I am not expecting all staff to be geeks or hackers, but the simple attitude of making sure that information is only ever left in the proper place for it. This attitude is not just for electronically stored data but all information about students (and other staff). Technology can only do so much, but password security and not losing planners full of personal / confidential information are simple ideals.

    I tend to take the view that common sense will prevail with a lot of this, but I am not holding my breath. I already know that in my school we will be making a number of changes and the LA guidance will be updated very quickly as well.

    As the year end approaches (Monday 25th August is an important date for secondaries as we can now start basing things on the timetable for next year!) it is important for schools to make sure that information and data is going to be used correctly and legally.

    It is going to be an interesting year, that’s for sure.

Skip to main content