Information Security – more, but not yet enough, advice from Becta

 The Becta Information Security advice page for schools has been updated, and they provide a more detailed document (Keeping data safe, secure and legal) which goes further than their previous advice, but not yet far enough. In fact, if you take the report at face value, you’re going to lock up your registers, and wait for the next set of reports!

First, the good news

This latest update is a step towards clarity – helping us all by being clear about what precautions are needed to ensure that data is kept safe (and that this advice applies to data in whatever format – whether it’s on a computer, or written on a piece of paper).  This guidance will get to the top of your senior leadership priority list pretty quickly. The Becta document talks of the various management roles responsible for information security, and then goes on to say…

FirstquotesAlthough these roles have been explicitly identified, the handling of protected school data is everyone’s responsibility – whether you are an employee, consultant, software provider or managed service provider. Failing to apply appropriate controls to protect this data could amount to gross misconduct or even (lead to) legal action.Endquotes

And now, the bad news

Implementing these Becta Information Security guidelines is going to take a while, and a level of technical understanding of what must be done. In fact, given the statement on page 7 “All education ICT systems must be classified for the highest level data processed by the system and automatically labelled at the corresponding level”, it means that you’ve got to assume that almost all of your systems, and all of your staff, are handling highly secure data (in Government-speak “IL3-Restricted”). And that this therefore involves lots of changes to the way you handle, transport and allow access to your school’s pupil data. In stark terms, it says on page 5:

FirstquotesUntil new technology or enhancements to your existing ICT infrastructure can be put in place, you are likely to need to make operational changes. These may mean that certain types of sensitive data may no longer be accessible away from the school in the short term.Endquotes

The next set of Becta guides, not yet published, will hopefully spell out what classifications of data need to be protected by which mechanisms – see below. The current advice is almost ‘lock everything down folks’, and that’s not sustainable in the long term. But certainly, if you have a member of staff taking sensitive data home on their laptop – like special needs records, or other sensitive information on a pupil – then you need to take immediate action to safely remove the data from their laptop, or fully encrypt that data and/or their laptop. And if you have remote web access to your MIS and Learning Platform, and it’s not protected by the little SSL padlock in Internet Explorer image, then you’ll need to urgently review/change your systems.

The guidance covers keeping data secure whilst in school, and on your ICT systems, and also how you must ensure that the data are appropriately labelled encrypted, stored and disposed of. (Eg all documents and screens displaying protected data need to have labels showing that the data is protected, and must be securely destroyed after use). The 6 key bullet points from page 7 of the Becta document are below:


And finally, more good news

The Appendix A of the Becta Information Security report is called “Quick wins for data handling compliance”, and I’d recommend taking a look at that (and passing it on up the chain!).

And there are more documents coming, which will contain really specific, practical advice. According to the current document:

FirstquotesThere are four accompanying good practice guides:

  • Impact levels and labelling

  • Data encryption

  • Audit logging and incident handling

  • Secure remote access. Endquotes

Although they are not yet published by Becta, there’s more to come soon – and hopefully these guides will be the ones that spell out specifically what information falls into the different categories, and how it needs to be protected. For example, is a class list something that should be protected by IL-2 or IL-3 mechanisms? And what are the defining bits of data that moves it up from IL-2 to IL-3. For example, is a Special Needs statement automatically IL-3, or IL-2 until it has medical info attached?

What do you need from us?

There’s some obvious advice we’ll issue, as soon as the four further guides are published – eg encryption and remote access. But what other advice do you need from us, to help you respond to these guidelines? And at what technical level? Comment now, as what you say now will set the direction of the conversations I’m having with our Government security guys…

Comments (8)

  1. alexjones says:

    Would have been a good idea to publish all these documents at the same time…

    A big issue at present for schools ICT is real-time reporting to parents. Becta have already made detailed functional and technical specifications for learning platforms that will provide real-time reporting. My question would be – do the LP specs include the data security requirements now being outlined? If they don’t then how can schools possibly meet these and the real-time reporting targets. I’d bet heavily that the LP specs were written without any consideration of these more stringent data security requirements.

    Perhaps someone from Becta can enlighten.

  2. Ray Fleming says:

    Hi Alex,

    I agree that it would have been good to haev all the guides at once – which is why I’ve not yet jumped too far into specific solutions that you can implement to meet the standards.

    On Learning Platforms/Real-Time Reporting, and the relationship with Information Security guidelines, then I think that there will be some issues to be worked through. I don’t think that the LP specs included Information Security within them originally, so I guess there’ll be an update of the specs coming soon.

    The way that other government departments have given guidance, there may be a circumstance where the needs of citizen-service trump the needs for Information Security (for example, providing online services where a citizen is able to look at information on themself, even though it would be ‘Restricted’ normally). I guess that’s something that might be covered in the further guidance we’ll get?


  3. tomormerod says:

    We have been implementing Authority wide (~50K pupils + staff max) the LG framework for the past year.  We are just about to start implementing MIS integration and we did not plan to use 2 factor auth.  However, this document eludes that this may now be needed!  Although i hope more information will become available in the 4 new guides (BTW totally agree Alex all at once!!!) I know have serious concerns about whether i should but the whole MIS Integration project on hold!

    We do use ssl for all traffic but this may not be sufficient for IL-3 data any more (again I totally agree we need some guidance on what exactly is IL-3).  I am now even more concerned about Realtime reporting, do we need to have dual factor auth for every parent?!?!?

  4. Ray Fleming says:


    In the Becta guide, it says:

    “In certain cases, however, it will be necessary to share protected data, such as information on pupils’ special educational needs that is classified as IL3-Restricted. In this case, two-factor authentication and the use of password-protected files will be necessary to enable secure communication between the school and parents. This should be seen as an exception, rather than the rule.”

    Here’s an opinion:

    I think it is clear that you’re going to need two factor authentication if staff can remotely access IL-3 data. Although we haven’t yet got a cut-and-dried definition of IL-2/IL-3 data, I believe it will include info such as attendance and attainment data at IL-2, and SEN data at IL-3.

    Assuming that your MIS system gives access to SEN data, then you’re going to need two factor authentication for all your remote MIS users. And that the guidance even says you will need that for parents if they too can access IL-3 data, like SEN data.


  5. Ray Fleming says:

    Tom/Alex – you both make good points.

    And you’ve inspired me to try and simplify, simplify, simplify.

    So I’ve attempted a pictorial version of the Becta guides – a simple diagram of what’s "bad", "good", and what’s still in the "grey" zone.

    I’m not sure it is right yet, but a way to take the debate forward?


  6. John_Howarth says:

    Hi Ray,

    Thank you for keeping us informed.

    If your definition of IL-3 data is correct, we may choose not to allow parents web access to SEN data as two factor authentication could take our project beyond its financial tolerances.

    The problem will be when a school wishes to present performance analysis information to parents that includes IL-3 data. I agree with the comments above that we need VERY clear definitions from Becta of what constitutes IL-2/3 data.

    I must say (and this is my personal opinion and not that of Bolton Council), Becta are very keen to push deadlines but far too slow to release the necessary detailed guidance.

    Thanks again,


  7. Ray Fleming says:

    Interesting points John. The thing I’d throw into the mix is that these rules don’t just apply to electronic data – they apply equally to paper-based data. So, for example, if you were to send home a datasheet to a parent with SEN data on it, you’d probably need to print "Must be securely shredded" on it etc

    When we discussed this in a working group, it made us laugh to think of school reports coming home with "Must be securely shredded" stamped all over them. How many older students would take advantage to shred it before it got home 🙂


  8. sprince says:

    The other 4 docs are now up. I’ve only had chance to read a couple of them so far and they do get a little soporific in places.

    It’s interesting that they classify any document with a UPN in it as IL-3, meaning you would need 2-factor auth to access the document remotely. I’m not sure yet what impact that is going to have on access rights in SIMS.

    They are also advocating marking all reports as IL-3 by default and downgrading them to IL-2 or lower manually. I’m not sure the recommendations will be workable given the level of free time to get staff up to speed on this information.

    Certainly there are areas where we can make some improvements though – particularly in being more strict with suppliers about what we are willing to accept from a data protection point of view.