9th February 2011, 10:13 AM #1
Encryption Questionnaire - Help
I am in the process of writing up a questionnaire to staff to find out what data they take off site and what medium they use. The questions I have got so far are:
If you take data off site, how do you transport it home?
What sort of data do you take off site?
Are you aware of encryption?
Can anyone think of any more questions I should be asking?
9th February 2011, 10:24 AM #2
Are they aware of how many pieces of identifiable information on a student a document has to hold before it is legally required to be encrypted before being moved off site? (the answer is 2)
Do they know that email is not a secure method of transferring files, and any sensitive document sent by email should always be encrypted? (I recently had somebody insisting I didn't need to encrypt an extremely sensitive document before emailing it to them because they work in a bank)
9th February 2011, 10:43 AM #3
Probably not. This is something that needs to be better clarified. What is personal information? I, sorry some of the NM in my LA are confused about what actually needs to be encrypted. They have not given any guidance on what should be encrypted. All they say is encrypt laptops.
That's what I am trying to identify.
9th February 2011, 10:59 AM #4
On a student, no more than one piece of information that can be used to identify a student can be sent unsecured, i.e. you could send an email saying "Jonathan Smith must see me after school today", but "Jonathan Smith (DOB: 01/01/01) must see me after school today" would have to be secured/encrypted as it contains 2 pieces of identifiable information.
9th February 2011, 11:09 AM #5
Thought so. Some people say that information with only a name on it needs to be encrypted, but isn't that going over the top? What about name and form of a student?
9th February 2011, 11:46 AM #6
Some do say that forename and surname are separate identifiers and so both of them would be 2 identifying fields and thus need to be encrypted. Reg groups are an internal identifier, they don't tell you anything about the student, so you're OK with that.
As for names needing to be encrypted, I'm not sure what the legal stance is, however I always encrypt any document containing any student data - better to be safe than sorry!
9th February 2011, 12:02 PM #7
My experience with Encryption is that it needs to be all or nothing. If you leave the user the option to not Encrypt data, then they won't.
I spent the last year evaluating Encryption software and it highlighted a lot of practices that need managing from a business level, rather than software level, if that makes sense?
Various questions were raised along the lines of:
What data is being taken off site?
Why is this data being taken off site?
Does it really need to be taken off site?
What controls are in place to stop data being taken off site?
As LosOjos mentioned, some users use email as a means of transporting data off site. It's all good and well encrypting laptops and USB sticks, and locking the system down to only allow authorised USB drives to access the network, but if a user can simply attach a file to an email, then it undermines the system.
Encryption needs to be seen as good practice and promoted from the Head/Business manager, rather than a new annoying hindrance that the I.T department has introduced.
I appreciate this isn't quite what the OP is asking for, but I believe it is useful information to share.
9th February 2011, 12:49 PM #8
Thanks for the posts, any info will help at the mo. Like I said, there is hardly any guidance from our LA on what needs to be encrypted.
13th February 2011, 12:12 AM #9
They are getting there. I'll keep pushing them to improve it for us all. Interesting to see the 2 bits of data, where did you get that information from, LosOjos?
14th February 2011, 10:50 AM #10
That's advice from our LA, but it makes perfect sense to me. One piece of data would usually not be enough to identify a child (unless it's something very unusual, such as a specific condition that it's unlikely anybody else in the area has, or an unusual name), but with 2 pieces of data you could quite quickly start to trace somebody, especially with the myriad of online services people sign up to these days.