I am in the process of writing up a questionnaire to staff to find out what data they take off site what medium they use. The questions i have got so far are:
If you take data off site, how do you transport it home?
What sort of data do you take off site?
Are you aware of encryption?
Can anyone think of any more questions i should be asking.
Thanks
Are they aware of how many pieces of identifiable information on a student a document has to hold before it is legally required to be encrypted before being moved off site? (the answer is 2)
Do they know the email is not a secure method of transferring files, and any sensitive document sent by email should always be encrypted? (I recently had somebody insisting I didn't need to encrypt an extremely sensitive document before emailing it to them because they work in a bank)
Probably not. This is something that needs to be better clarified. What is personal information? I, sorry some of the NM in my LA are confused about what actually needs to be encrypted. They have not given any guidance on what should be encrypted. All they say is encrypt laptops.Originally Posted by LosOjos
Thats what i am trying to identify.Do they know the email is not a secure method of transferring files, and any sensitive document sent by email should always be encrypted? (I recently had somebody insisting I didn't need to encrypt an extremely sensitive document before emailing it to them because they work in a bank
On a student, no more than one piece of information that can be used to identify a student can be sent unsecured, i.e. you could send an email saying "Jonathan Smith must see me after school today", but "Jonathan Smith (DOB: 01/01/01) must see me after school today" would have to be secured/encrypted as it contains 2 pieces of identifiable information.
Thought so. Some people say that information with only a name on it needs to be encrypted but isnt that going over the top? What about name and form of a student?
Some do say that forename and surname are separate identifiers and so both of them would be 2 identifying fields and thus need to be encrypted. Reg groups are an internal identifier, they don't tell you anything about the student, so you're OK with that.
As for names needing to be encrypted, I'm not sure what the legal stance is, however I always encrypt any document containing any student data - better to be safe than sorry!
My experience with Encryption is that it needs to be all or nothing. If you leave the user the option to not Encrypt data, then they won't.
I spent the last year evaluating Encryption software and it highlighted a lot of practices that need managing from a business level, rather than software level, if that makes sense?
Various questions were raised along the lines of:
What data is being taken off site?
Why is this data being taken off site?
Does it really need to be taken off site?
What controls are in place to stop data being taken off site?
As LosOjos mentioned, some users use email as a means of transporting data off site. It's all good and well encrypting laptops and USB sticks, and locking the system down to only allow authorised USB drives to access the network, but if a user can simply attach a file to an email, then it undermines the system.
Encryption needs to be seen as good practice and promoted from the Head/Business manager, rather than a new annoying hindrance that the I.T department has introduced.
I appreciate this isn't quite what the OP is asking for, but I believe it is useful information to share.
Thanks for the posts, any info will help at the mo. Like i said, there is hardly any guidance from our LA on what needs to be encrypted.
They are getting there I'll keep pushing them to improve it for us allInteresting to see the 2 bits of data, where did you get that information from LosOjos?
That's advice from our LA, but it makes perfect sense to me. One piece of data would usually not be enough to identify a child (unless it's something very unusual, such as a specific condition that it's unlikely anybody else in the area has, or an unusual name), but with 2 pieces of data you could quite quickly start to trace somebody, especially with the myriad of online services people sign up to these days.They are getting there I'll keep pushing them to improve it for us all
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks