Information Security – it’s not black and white

I’m continuing to read the new Becta guidance documents on Information Security, and think about the consequences. After a few discussions with people, and comments from others here and elsewhere, I thought I’d try to create a visual way of understanding where we are. This is by no means definitive, and it might be wrong. But it’s an attempt to simplify all of the guidance down to a simple picture of what is and isn’t allowed with the current guidance, and to highlight some of the things in the grey areas. Hopefully the further guidance we’re expecting to come will narrow down some of the grey areas.

Updated 19th September, with input from John from Bolton (see comments). The “reds” are growing!


My picture has three areas - “green” for good things; “red” for definitely bad things; and “grey” for those areas where it just isn’t yet clear. (Some of which are bound to turn “red”!)

Let’s make this a community thing – what else do you think is missing? What do you think is in the wrong place (according to your reading of the guidelines)?

  1. John_Howarth says:

    Hi Ray,

    Perhaps you could add the following to the red section?

    Sending unencrypted MIS data to Learning Platform solutions hosted outside of the school’s network.

    Sending MIS data to Learning Platform solutions hosted outside of the school’s network without using SSL security.

    Emailing unencrypted Special Needs (or other sensitive) information.



  2. Ray Fleming says:

    Will do John – all good stuff to add.

    And that’s reminded me of another one – hosting school data on a service outside of the EU! (e.g. Google Apps, Hotmail, etc.)

    Both will probably have to wait until the weekend, when I can get to the original file.

    Any other thoughts from anybody?


  3. Ray Fleming says:

    Have updated the diagram with John’s input

  4. sprince says:

    I would say that according to the labelling guidance, a printed report without its Impact Level and shredding instructions in the header and footer would be in the red zone.

    I’m not sure where one stands on taking a printed document such as an IEP out of school. It suggests that when they are in school they need to be locked away.

    I also wonder how we are fixed for posting confidential documents, e.g. to the parents.

  5. Ray Fleming says:

    sprince – you’re spot on. That would mean anything coming out of SIMS/CMIS/Integris needs stamping (get out your rubber stamps folks!)

    It seems unlikely that an IEP can be taken out of school, unless it is "securely transported" – probably not slung in a backpack with a pile of other stuff.

    I think I’m going to need a bigger diagram!

    Keep the thoughts coming


