+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 27
General Chat Thread, Teacher copying data in General; Just found out that the head of one of our departments has just purchased 2 external hard drives and just ...
  1. #1
    KWestos's Avatar
    Join Date
    Jan 2008
    Posts
    520
    Thank Post
    91
    Thanked 54 Times in 45 Posts
    Rep Power
    25

    Teacher copying data

    Just found out that the head of one of our departments has just purchased 2 external hard drives and just copied all the entire year 11 data to them. One for him and his sidekick.

    A couple of points:

    A) Is this legal (re DPA)?
    B) Even though some of these year 11 would have never been in his subject area for a GCSE, can he still do this (providing point A is legal in the first place)?
    C) He claims he is just having a copy of it, even though he knows we have a full backup and we always copy year 11 data to an external drive and put it in a safe.

    There are a few more questions but I'm that annoyed I can't be bothered to write any more questions.

    I have just found out. Our network allows teachers to view pupil areas so any teacher can do this if they chose.

    Where do I stand on this?

    Any help would be hugely appreciated

  2. #2
    jsnetman's Avatar
    Join Date
    Oct 2007
    Posts
    887
    Thank Post
    23
    Thanked 134 Times in 126 Posts
    Rep Power
    39
    I don't see a problem with this, what would be a problem is if he wanted to copy the data back and he had security permissions to do that. Teachers have the right to access the data for marking, the teachers are their legal guardians within school. I allow teachers who want to mark read only access to the year group they want.

  3. #3
    KWestos's Avatar
    Join Date
    Jan 2008
    Posts
    520
    Thank Post
    91
    Thanked 54 Times in 45 Posts
    Rep Power
    25
    But he has copied EVERYTHING! Not just work within his curriculum, but all curriculum subjects.

    He has not indicated what he will do with the data, how long he will keep it for, what he is going to do in terms of safeguarding the information - nothing!

    I find this quite irresponsible, especially when he can login remotely and see this data anyway.

  4. #4
    jsnetman's Avatar
    Join Date
    Oct 2007
    Posts
    887
    Thank Post
    23
    Thanked 134 Times in 126 Posts
    Rep Power
    39
    I agree it's a little strange if he intends to take it home but he may have some intense marking to do. here the kids are advised or taught to create subject folders and place say science work in the scince folder but this is very rarely the case and they just save it anywhere in their my docs folder.

    I would point out to him that due to DPA it was a little unorthodox or maybe even illegal for him to take it home. And yes it appears if he can remote login there is no reason to take a copy home.

  5. #5

    Join Date
    Aug 2005
    Location
    London
    Posts
    3,156
    Thank Post
    115
    Thanked 528 Times in 451 Posts
    Blog Entries
    2
    Rep Power
    124
    You could argue that he's done nothing different from what you do when you take backups. Provided that he keeps the data safe then there are no real issues (and depending on what the files contain there may be no issues anyway - a set of Geography essays with the name "john smith" on them probably don't constitute personally identifiable data)

    If he came to you on 1 October (say) and says "can I see the work for person X" would you still have it? Do you make clear to staff that you would still have it? Do they know how long you keep it for and will make it available?

  6. #6
    KWestos's Avatar
    Join Date
    Jan 2008
    Posts
    520
    Thank Post
    91
    Thanked 54 Times in 45 Posts
    Rep Power
    25
    Quote Originally Posted by srochford View Post
    If he came to you on 1 October (say) and says "can I see the work for person X" would you still have it? Do you make clear to staff that you would still have it? Do they know how long you keep it for and will make it available?
    This guy knows exactly how we perform backups, how long we keep them for, where we keep the tapes. He knows we keep pupil data for 5 years after they have left. Believe me, this person is clued up!

  7. #7

    Ric_'s Avatar
    Join Date
    Jun 2005
    Location
    London
    Posts
    7,593
    Thank Post
    109
    Thanked 764 Times in 595 Posts
    Rep Power
    181
    Do you have a policy for removing data from site? You should have! Does this use comply with that policy?

    Was permission sought to do this? Who owns the data? What does he/she intend to do with it?

    It is a little odd... you just need to ask a few questions because until you do, you won't know if there is a perfectly innocent explanation.

  8. #8

    plexer's Avatar
    Join Date
    Dec 2005
    Location
    Norfolk
    Posts
    13,460
    Thank Post
    646
    Thanked 1,614 Times in 1,444 Posts
    Rep Power
    419
    It's your responsibility to keep data safe unless he can prove what steps he will be taking to do this then I wouldn't allow it.

    In essence every member of staff could do the and you have a big problem on your hands.

    Speak to the schools data protection administrator.

    Ben

  9. #9

    GrumbleDook's Avatar
    Join Date
    Jul 2005
    Location
    Gosport, Hampshire
    Posts
    9,933
    Thank Post
    1,339
    Thanked 1,783 Times in 1,106 Posts
    Blog Entries
    19
    Rep Power
    594
    A few issues with this ...

    1 - There may be information in there that this teacher actually has no need to access

    Data Protection Principle 2 - Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
    I would query what the specified purpose is as someone already performs this task, and an administrative task at that (a breach of the 24 tasks?)

    2 - Once the data is out of the system you do not know how it is going to be used ... I refer you to the following.

    Data Protection Principle 7 - Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
    You have no idea what he is going to do with this information and data ... the grey areas are that you have no idea what information is in there.

    Firstly, if it is going to be kept outside of school it needs to be encrypted. The data needs to be logged as to what type it is, how it is going to be used and details of how it is going to be securely deleted after it has been finished with.

    Secondly, the data controller for the school should have been notified that this is the case and your school should have had sorted out a data protection policy about this.

    Finally ... find a user that has personal pics in there, maybe even a database they have used for a project which includes the names, DoBs and addresses of other students ... then take it to senior leadership that when this gets lost and found by someone else that person knows where the student lives, what they look like and how old they are.

    If that doesn't scare them, then pointing out that as well as the teaching being culpable, so is the data controller, the Head and the Chair of Governors ... all of which will go to jail!

  10. #10

    Join Date
    Jun 2007
    Location
    London
    Posts
    894
    Thank Post
    64
    Thanked 171 Times in 140 Posts
    Rep Power
    55
    I disagree that taking away the entire folder is necessarily a DPA problem since most, if not all, of the data would not be classified under the act as 'personal information'.
    Quote Originally Posted by GrumbleDook View Post
    find a user that has personal pics in there, maybe even a database they have used for a project which includes the names, DoBs and addresses of other students
    Sure, this would be 'personal information' but then the DPO should be making sure that this sort of stuff isn't available on a shared drive, and that kids (and teachers) aren't keeping databases of others' addresses/DOBs/etc in the first place. That in itself, regardless of whether the info is copied out onto CD, could be a breach of the act.

    Maybe the teacher is just too busy to copy out and rename each and every folder that he/she needs? I know that our kids have the most disorganised home folders and finding a particular piece of work can be a tedious and lengthy process.

  11. #11
    Grommit's Avatar
    Join Date
    Sep 2006
    Location
    Weston-super-Mare
    Posts
    1,335
    Thank Post
    31
    Thanked 54 Times in 31 Posts
    Rep Power
    25
    Quote Originally Posted by KWestos View Post
    But he has copied EVERYTHING! Not just work within his curriculum, but all curriculum subjects.

    He has not indicated what he will do with the data, how long he will keep it for, what he is going to do in terms of safeguarding the information - nothing!

    I find this quite irresponsible, especially when he can login remotely and see this data anyway.
    We have the same problem with teachers leaving and copying the entire shared staff folder and their entire departmental folders

  12. #12

    Join Date
    Jan 2006
    Location
    Surburbia
    Posts
    2,178
    Thank Post
    74
    Thanked 307 Times in 243 Posts
    Rep Power
    115
    Quote Originally Posted by GrumbleDook View Post
    If that doesn't scare them, then pointing out that as well as the teaching being culpable, so is the data controller, the Head and the Chair of Governors ... all of which will go to jail!
    You mean fib?

    Not a strong interest of mine so someone probably knows better, but I thought DPA stuff usually ended up with errant organisation writing a couple of hundred lines on how good they'll be in future. I'd be suprised if there's been any serious criminal proceedings unless unless it was something like someone caught selling police records etc. Anyone?

  13. #13

    GrumbleDook's Avatar
    Join Date
    Jul 2005
    Location
    Gosport, Hampshire
    Posts
    9,933
    Thank Post
    1,339
    Thanked 1,783 Times in 1,106 Posts
    Blog Entries
    19
    Rep Power
    594
    No fib ...

    The last round of press releases from the ICO are not words of gentle badgering ...

    25 June 2008

    HMRC and MOD data security breaches

    Richard Thomas, Information Commissioner, said:

    ‘I will be taking formal enforcement action against HMRC and MOD following the serious data breaches that have occurred.
    Someone is in serious smelly stuff and that can mean heavy fines, loss of job, further investigations or doing time. We can talk about scapegoats or being made an example of, but central Govt workers now know that if they make a mistake they will be punished under the letter of the law, and that letter will be big and heavy. That same message is now being pushed out to all Govt agencies and they are working damned hard to make sure there are things such as audit trails for data access, encryption facilities, and documented policies and procedures.

    I suppose we should all be happy to wait for the wake up call of someone being banged away (worst case scenario), heavily fined (the individuals are liable, not the employer for this), sacked or investigated further due to the nature of the data that was taken off-site / lost ("Now why did you have the names and addresses of all those children you do not teach, along with the details of their favourite sports and so many pictures of them in PE kit?")

    Personally ... I'm opting for the idea of protecting myself from a screw up by someone else.

  14. #14

    GrumbleDook's Avatar
    Join Date
    Jul 2005
    Location
    Gosport, Hampshire
    Posts
    9,933
    Thank Post
    1,339
    Thanked 1,783 Times in 1,106 Posts
    Blog Entries
    19
    Rep Power
    594
    Quote Originally Posted by timzim View Post
    I disagree that taking away the entire folder is necessarily a DPA problem since most, if not all, of the data would not be classified under the act as 'personal information'.
    Yes, it is a very grey area ... the problem is that the person copying the data off doesn't know what is on there and is not following some very basic principles.

    Sure, this would be 'personal information' but then the DPO should be making sure that this sort of stuff isn't available on a shared drive, and that kids (and teachers) aren't keeping databases of others' addresses/DOBs/etc in the first place. That in itself, regardless of whether the info is copied out onto CD, could be a breach of the act.
    In a recent discussion I had about this I was told that we should examine what data we hold, consider how it is classified (this is a job being done by a number of Govt agencies in more detail at the moment), and consider who has access to it. A medium risk piece of information on its own might be fine, but when you put together a number of pieces of information it may then become high risk ... it is not a single piece of data we should worry about but how the streams or blocks of data can then build into something more. This is why thigns like Shibboleth are being used within RBCs now to connect to other VLEs and services ... anonymise as much as possible and control the rest yourself!

    Maybe the teacher is just too busy to copy out and rename each and every folder that he/she needs? I know that our kids have the most disorganised home folders and finding a particular piece of work can be a tedious and lengthy process.
    The problem is that the teacher is 'backing up' the work ... and someone is already employed and authorised to do this under the retention and use of data. It is not within their remit to do it and is also an administrative task, so they are already failing to follow union guidance. How many more things do they need to break before someone raps them on the knuckles and says *Oi!!!! No!!!!*

  15. #15
    Galway's Avatar
    Join Date
    Jun 2007
    Location
    West Yorkshire
    Posts
    1,338
    Thank Post
    9
    Thanked 304 Times in 213 Posts
    Rep Power
    100
    I have come across this before.

    I wouldn't mind betting he is using the results for students to get the highest graded coursework work for use with existing students. If its just to show them what to be aiming for then then its a legitimate use.

    I would still inform SMT, and let them decide. If the department gets caught bumping up results using graded coursework then it can land it in allot of trouble.

    Either way you wont get into trouble for reporting it, and if it becomes true you have done your job in highlighting it and they are the ones who didn't act upon it.

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. CMIS Teacher and Student Class Data
    By danIT in forum MIS Systems
    Replies: 0
    Last Post: 18th June 2008, 05:17 PM
  2. Replies: 7
    Last Post: 13th March 2008, 03:52 PM
  3. Pulling copying fails - push copying works
    By SimpleSi in forum Windows
    Replies: 1
    Last Post: 3rd March 2008, 02:29 PM
  4. Copying Profile data
    By SpuffMonkey in forum Windows
    Replies: 2
    Last Post: 28th November 2005, 12:14 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •