Teacher copying data

[KWestos]

Just found out that the head of one of our departments has just purchased 2 external hard drives and just copied all the entire year 11 data to them. One for him and his sidekick.

A couple of points:

A) Is this legal (re DPA)?
B) Even though some of these year 11 would have never been in his subject area for a GCSE, can he still do this (providing point A is legal in the first place)?
C) He claims he is just having a copy of it, even though he knows we have a full backup and we always copy year 11 data to an external drive and put it in a safe.

There are a few more questions but I'm that annoyed I can't be bothered to write any more questions.

I have just found out. Our network allows teachers to view pupil areas so any teacher can do this if they chose.

Where do I stand on this?

Any help would be hugely appreciated

[jsnetman]

I don't see a problem with this, what would be a problem is if he wanted to copy the data back and he had security permissions to do that. Teachers have the right to access the data for marking, the teachers are their legal guardians within school. I allow teachers who want to mark read only access to the year group they want.

[KWestos]

But he has copied EVERYTHING! Not just work within his curriculum, but all curriculum subjects.

He has not indicated what he will do with the data, how long he will keep it for, what he is going to do in terms of safeguarding the information - nothing!

I find this quite irresponsible, especially when he can login remotely and see this data anyway.

[jsnetman]

I agree it's a little strange if he intends to take it home but he may have some intense marking to do. here the kids are advised or taught to create subject folders and place say science work in the scince folder but this is very rarely the case and they just save it anywhere in their my docs folder.

I would point out to him that due to DPA it was a little unorthodox or maybe even illegal for him to take it home. And yes it appears if he can remote login there is no reason to take a copy home.

[srochford]

You could argue that he's done nothing different from what you do when you take backups. Provided that he keeps the data safe then there are no real issues (and depending on what the files contain there may be no issues anyway - a set of Geography essays with the name "john smith" on them probably don't constitute personally identifiable data)

If he came to you on 1 October (say) and says "can I see the work for person X" would you still have it? Do you make clear to staff that you would still have it? Do they know how long you keep it for and will make it available?

[KWestos]

If he came to you on 1 October (say) and says "can I see the work for person X" would you still have it? Do you make clear to staff that you would still have it? Do they know how long you keep it for and will make it available?

This guy knows exactly how we perform backups, how long we keep them for, where we keep the tapes. He knows we keep pupil data for 5 years after they have left. Believe me, this person is clued up!

[Ric_]

Do you have a policy for removing data from site? You should have! Does this use comply with that policy?

Was permission sought to do this? Who owns the data? What does he/she intend to do with it?

It is a little odd... you just need to ask a few questions because until you do, you won't know if there is a perfectly innocent explanation.

[plexer]

It's your responsibility to keep data safe unless he can prove what steps he will be taking to do this then I wouldn't allow it.

In essence every member of staff could do the and you have a big problem on your hands.

Speak to the schools data protection administrator.

Ben

[GrumbleDook]

A few issues with this ...

1 - There may be information in there that this teacher actually has no need to access

Data Protection Principle 2 - Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

I would query what the specified purpose is as someone already performs this task, and an administrative task at that (a breach of the 24 tasks?)

2 - Once the data is out of the system you do not know how it is going to be used ... I refer you to the following.

Data Protection Principle 7 - Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

You have no idea what he is going to do with this information and data ... the grey areas are that you have no idea what information is in there.

Firstly, if it is going to be kept outside of school it needs to be encrypted. The data needs to be logged as to what type it is, how it is going to be used and details of how it is going to be securely deleted after it has been finished with.

Secondly, the data controller for the school should have been notified that this is the case and your school should have had sorted out a data protection policy about this.

Finally ... find a user that has personal pics in there, maybe even a database they have used for a project which includes the names, DoBs and addresses of other students ... then take it to senior leadership that when this gets lost and found by someone else that person knows where the student lives, what they look like and how old they are.

If that doesn't scare them, then pointing out that as well as the teaching being culpable, so is the data controller, the Head and the Chair of Governors ... all of which will go to jail!

[timzim]

I disagree that taking away the entire folder is necessarily a DPA problem since most, if not all, of the data would not be classified under the act as 'personal information'.

find a user that has personal pics in there, maybe even a database they have used for a project which includes the names, DoBs and addresses of other students

Sure, this would be 'personal information' but then the DPO should be making sure that this sort of stuff isn't available on a shared drive, and that kids (and teachers) aren't keeping databases of others' addresses/DOBs/etc in the first place. That in itself, regardless of whether the info is copied out onto CD, could be a breach of the act.

Maybe the teacher is just too busy to copy out and rename each and every folder that he/she needs? I know that our kids have the most disorganised home folders and finding a particular piece of work can be a tedious and lengthy process.

[Grommit]

But he has copied EVERYTHING! Not just work within his curriculum, but all curriculum subjects.

He has not indicated what he will do with the data, how long he will keep it for, what he is going to do in terms of safeguarding the information - nothing!

I find this quite irresponsible, especially when he can login remotely and see this data anyway.

We have the same problem with teachers leaving and copying the entire shared staff folder and their entire departmental folders

[PiqueABoo]

If that doesn't scare them, then pointing out that as well as the teaching being culpable, so is the data controller, the Head and the Chair of Governors ... all of which will go to jail!

You mean fib?

Not a strong interest of mine so someone probably knows better, but I thought DPA stuff usually ended up with errant organisation writing a couple of hundred lines on how good they'll be in future. I'd be suprised if there's been any serious criminal proceedings unless unless it was something like someone caught selling police records etc. Anyone?

[GrumbleDook]

No fib ...

The last round of press releases from the ICO are not words of gentle badgering ...

25 June 2008

HMRC and MOD data security breaches

Richard Thomas, Information Commissioner, said:

‘I will be taking formal enforcement action against HMRC and MOD following the serious data breaches that have occurred.

Someone is in serious smelly stuff and that can mean heavy fines, loss of job, further investigations or doing time. We can talk about scapegoats or being made an example of, but central Govt workers now know that if they make a mistake they will be punished under the letter of the law, and that letter will be big and heavy. That same message is now being pushed out to all Govt agencies and they are working damned hard to make sure there are things such as audit trails for data access, encryption facilities, and documented policies and procedures.

I suppose we should all be happy to wait for the wake up call of someone being banged away (worst case scenario), heavily fined (the individuals are liable, not the employer for this), sacked or investigated further due to the nature of the data that was taken off-site / lost ("Now why did you have the names and addresses of all those children you do not teach, along with the details of their favourite sports and so many pictures of them in PE kit?")

Personally ... I'm opting for the idea of protecting myself from a screw up by someone else.

[GrumbleDook]

I disagree that taking away the entire folder is necessarily a DPA problem since most, if not all, of the data would not be classified under the act as 'personal information'.

Yes, it is a very grey area ... the problem is that the person copying the data off doesn't know what is on there and is not following some very basic principles.

Sure, this would be 'personal information' but then the DPO should be making sure that this sort of stuff isn't available on a shared drive, and that kids (and teachers) aren't keeping databases of others' addresses/DOBs/etc in the first place. That in itself, regardless of whether the info is copied out onto CD, could be a breach of the act.

In a recent discussion I had about this I was told that we should examine what data we hold, consider how it is classified (this is a job being done by a number of Govt agencies in more detail at the moment), and consider who has access to it. A medium risk piece of information on its own might be fine, but when you put together a number of pieces of information it may then become high risk ... it is not a single piece of data we should worry about but how the streams or blocks of data can then build into something more. This is why thigns like Shibboleth are being used within RBCs now to connect to other VLEs and services ... anonymise as much as possible and control the rest yourself!

Maybe the teacher is just too busy to copy out and rename each and every folder that he/she needs? I know that our kids have the most disorganised home folders and finding a particular piece of work can be a tedious and lengthy process.

The problem is that the teacher is 'backing up' the work ... and someone is already employed and authorised to do this under the retention and use of data. It is not within their remit to do it and is also an administrative task, so they are already failing to follow union guidance. How many more things do they need to break before someone raps them on the knuckles and says *Oi!!!! No!!!!*

[Galway]

I have come across this before.

I wouldn't mind betting he is using the results for students to get the highest graded coursework work for use with existing students. If its just to show them what to be aiming for then then its a legitimate use.

I would still inform SMT, and let them decide. If the department gets caught bumping up results using graded coursework then it can land it in allot of trouble.

Either way you wont get into trouble for reporting it, and if it becomes true you have done your job in highlighting it and they are the ones who didn't act upon it.