The Becta Information Security advice page for schools has been updated, and they provide a more detailed document (Keeping data safe, secure and legal) which goes further than their previous advice, but not yet far enough. In fact, if you take the report at face value, you’re going to lock up your registers, and wait for the next set of reports!
First, the good news
This latest update is a step towards clarity – helping us all by being clear about what precautions are needed to ensure that data is kept safe (and that this advice applies to data in whatever format – whether it’s on a computer, or written on a piece of paper). This guidance will get to the top of your senior leadership priority list pretty quickly. The Becta document talks of the various management roles responsible for information security, and then goes on to say…
Although these roles have been explicitly identified, the handling of protected school data is everyone’s responsibility – whether you are an employee, consultant, software provider or managed service provider. Failing to apply appropriate controls to protect this data could amount to gross misconduct or even (lead to) legal action.
And now, the bad news
Implementing these Becta Information Security guidelines is going to take a while, and will need a level of technical understanding of what must be done. In fact, given the statement on page 7 “All education ICT systems must be classified for the highest level data processed by the system and automatically labelled at the corresponding level”, you’ve got to assume that almost all of your systems, and all of your staff, are handling highly secure data (in Government-speak “IL3-Restricted”). This therefore involves lots of changes to the way you handle, transport and allow access to your school’s pupil data. In stark terms, it says on page 5:
Until new technology or enhancements to your existing ICT infrastructure can be put in place, you are likely to need to make operational changes. These may mean that certain types of sensitive data may no longer be accessible away from the school in the short term.
The next set of Becta guides, not yet published, will hopefully spell out what classifications of data need to be protected by which mechanisms - see below. The current advice is almost ‘lock everything down folks’, and that’s not sustainable in the long term. But certainly, if you have a member of staff taking sensitive data home on their laptop – like special needs records, or other sensitive information on a pupil – then you need to take immediate action to safely remove the data from their laptop, or fully encrypt that data and/or their laptop. And if you have remote web access to your MIS and Learning Platform, and it’s not protected by the little SSL padlock in Internet Explorer, then you’ll need to urgently review/change your systems.
The guidance covers keeping data secure whilst in school, and on your ICT systems, and also how you must ensure that the data are appropriately labelled, encrypted, stored and disposed of. (E.g. all documents and screens displaying protected data need to have labels showing that the data is protected, and must be securely destroyed after use.) The 6 key bullet points from page 7 of the Becta document are below:
And finally, more good news
The Appendix A of the Becta Information Security report is called “Quick wins for data handling compliance”, and I’d recommend taking a look at that (and passing it on up the chain!).
And there are more documents coming, which will contain really specific, practical advice. According to the current document:
There are four accompanying good practice guides:
- Impact levels and labelling
- Data encryption
- Audit logging and incident handling
- Secure remote access.
Although they are not yet published by Becta, there’s more to come soon – and hopefully these guides will be the ones that spell out specifically what information falls into the different categories, and how it needs to be protected. For example, is a class list something that should be protected by IL-2 or IL-3 mechanisms? And what are the defining bits of data that move it up from IL-2 to IL-3? For example, is a Special Needs statement automatically IL-3, or IL-2 until it has medical info attached?
What do you need from us?
There’s some obvious advice we’ll issue, as soon as the four further guides are published – e.g. encryption and remote access. But what other advice do you need from us, to help you respond to these guidelines? And at what technical level? Comment now, as what you say now will set the direction of the conversations I’m having with our Government security guys…