I think we have to be careful about what we regard as 'personal data' and what the DPA classifies it as. The Act is very clear that (to quote):
"“personal data” means data which relate to a living individual who can be identified—
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller"
In a school this is talking mainly, but not exclusively, about data in the MIS or which has been extracted from the MIS. The DPA does not apply to students' coursework. If you disagree have a read through your own school's entry on the DP Register - not a single word about coursework or plagiarism or any of that sort of thing. The DPA is about protecting personal information about pupils (and staff) - exam results, disciplinary data, personal details, financial information, health, etc - and preventing it from being seen by all & sundry.
Some might argue that coursework should be protected from plagiarism/altering/etc - I agree, but this has nothing whatsoever to do with the DPA. If a teacher was running loads of reports from SIMS and taking these home then I'd be concerned, but I think we need to get things into perspective - taking kids' work home to mark is what teachers have been doing since education started.
To make things clear, data held within students' home areas may contain a number of identifying items that are deemed personal.
These range from their name, their date of birth, their registration group and classes they are in, their address, details about their family, photographs of themselves. They may also have the above information about other students too.
Some of this may be in personal documents, some of it may be contained with classwork, coursework or homework.
Whilst there are no specified data classes for types of work, when a mechanic asks what type of car you have you don't just say 'one with wheels' ... you talk about the engine, the parts of the engine, perhaps the CD player, the electrics (and the components of the electrics) ... it is similar with student home areas ... we cannot just say 'coursework' ... we have to consider what that coursework contains.
As I have previously mentioned, it is often not the individual items of data that are the issue, but the collective data.
Now ... the OP is pretty clear that the person taking this data is doing so to "just have a copy of it" without specifying what he is going to do with it, how he is going to store it, where it will be stored and when it will be destroyed / deleted. They are doing something outside of what the unions would say is their normal remit.
If it is just the DPA side of the argument you don't agree with, then fine .. we can agree to disagree ... and we can wait until the new guidance comes out. If it is the coursework side of things ... I still struggle to understand why any teacher has access to *all* the work a student does, not just for their particular subject anyway!
Like grumbledook, I cannot understand why a teacher in a secondary school has access to pupil home drives.
If a teacher has access, they can copy files. These files could be modified and submitted instead of course-work actually done by the pupil. I think exam boards would take a very dim view of this. "It wouldn't happen here" is not an excuse. With external exams "it COULDN'T happen here" is the only way.
In primary schools, things are different. SATs don't require course work... however, personal data could still be on the Home drives and teachers, while having access, should still be bound by an AUP not to make copies of the data.
I can't understand why a teacher shouldn't have access to pupils' work. Are you saying they can't take written work home either? They could change that. Are you saying that all teachers are cheats until proved otherwise? Do network managers have a monopoly on righteousness?
I agree with Timzim, and I guess he is a teacher and I'm a NM. At the end of the day the teachers are the legal guardian of a pupil when they are in school. If a teacher is altering work, well, that's a problem for the teacher and the school. We as NMs/Techies are there to advise and can point out problems with taking data home, but at the end of the day the head and SMT decide school policy.
Why does an ICT teacher need access to the student's Geography coursework?
Why does a Biology teacher need to see what the student did in History?
Why does an RS teacher need to see what they did in Graphics?
If you give teachers access to student areas it should be relevant to their subject.
If you are going to allow direct access for teachers to their subject work then each student has folders specific to each subject. These folders are viewable by all but the contents are only accessible by that department.
This is how many VLEs / Learning Platforms work ... you have access to *your* students for *your* subject.
Some schools may also wish to have a 'personal' folder where students can stick non-work stuff that is not accessible by teaching staff ... but may be by their form tutor.
All folders are accessible by tech support staff ... but it is their job to look after it all.
The problem is Timzim doesn't think there *is* a problem with taking the data home.
Originally Posted by jsnetman
The school is In Loco Parentis and each member of staff (not just teachers) has a duty under this. One of those duties is to ensure that the students' rights are upheld. That includes who has access to information about them. Part of the problem is that some people are happy to turn a blind eye to the fact that student home areas contain an array of personal information. This worries me more than a teacher taking stuff home actually. It makes me believe that people don't really know what data is held and where?
Out of interest ... who here is the DCO for their school and has their name in the annals of the ICO's paperwork?
FYI I'm the NM and not a teacher (although I was once but then I got a real job :p ). I can't see that there is a problem with teachers taking data home in principle although I agree that taking the entire student folder tree home is not only unnecessary but probably also a little bit suspicious, and I also think that the reason given (i.e. no reason) was pretty poor. I'd certainly be doing a bit of investigation myself in the same situation. However, I don't see anything wrong with staff having access to pupil folders. How else are they going to mark the work? And why do they need to have access to every sub-folder of each pupil's home folder? Erm, they don't but it would take me about a month to set individual permissions for each sub-folder and I've better things to do with my time. Anyway, what exactly are they going to find if they have access to all pupil sub-folders?
Teachers are professionals (like it or not) and have a fairly rigid professional structure and registration to ensure they comply with certain standards. What do we NMs have? Do we have a professional body to which we all must belong & which can strike us off if we transgress? Apart from a CRB what guarantees can we give that we will access & protect data in a professional & discreet manner?
Erm... this seems to be stumbling into a more detailed issue that veers towards data privacy within school rather than the more worrying issue of data being taken off-site.
I would have thought that within school the teaching staff are responsible for and in charge of the children. Irrespective of their role or subject, as a teacher I'd have questioned why they shouldn't be able to access the data. Perhaps not be able to modify the data but certainly access it.
Otherwise what you're suggesting is that:
a) children be totally organised and putting their Geography work in a folder marked Geography.
b) setting up ACLs so that the geography department can access the geography folders
c) deal with the fact that children will use their file system to hide stuff from teachers once they work out they can.
d) make network managers some kind of demi-god that can access anything. Which begs the question why we should have access to their work either.
Point D. is probably most poignant in all of this... By what right do we say teachers can't be trusted or shouldn't have access when they are arguably more legally responsible for the children than we are.
Just playing devil's advocate and to clarify, some numpty hauling all the data off site and not clearing the proper hurdles just beggars belief for all the reasons stated above.
I don't think the point being made is that NMs are demi-gods. But rather that it is in your interests as someone who looks after the network (and data contained) that procedures are in place and people follow them. VLEs can be set up for pupils to submit work for teachers of their chosen subject, which can bypass the need for teaching staff to access pupils' folders. I think the point being made is that the teacher is *probably* not the best person to decide how they should access and store this data. As GD points out, if they copy personal information which then gets out, who is responsible for this breach in security? If the NM can put into place a procedure which allows the teaching member of staff access to the work they need, and keeps security of data for the school, surely that's what they should be aiming for?
If a teacher wants a copy of relevant work then surely the school could come up with some policy and procedure which would allow the teacher to only access the work they need. Not a global access to everything?
@Contink - teachers shouldn't have to be trusted with data, they should have an account which only allows them access to things they need. If you are employing a Technical person to perform backups, why does the teacher need to do it also? Teachers are responsible for the pupils, but in my experience here, they are not interested in the legal responsibility of what you should and shouldn't do with the school network. Hence many many complaints when I removed software we didn't have licences for when I arrived :rolleyes:
To some extent it is indeed to do with job roles.
We may decide that NMs don't need access either but have an uber-account that they can use when they need to go and do stuff (check for the presence of games, restore work, etc) ... most of us might view that as the Administrator account, but that should not be an account we think of as a regular account.
Unfortunately, whether we like it or not, there is a clear instruction under the DPA that data should only be used by those who have the need to use it as part of their job.
I stand by my point that many people don't know the range of personal information a student holds on their home area and this raises a number of concerns under the DPA. Under the ICO *I* am personally responsible for ensuring that staff (not just teachers ... and not specifically aimed just at teachers either) only have access to the things they need access to.
I am also responsible for ensuring staff are given guidance about data protection and the implications of it, knowing that should they breach the DPA then they are personally culpable ... unless I have not kept them informed ... in which case it falls back to me.
I cannot, hand on heart, say that all staff are aware. Staff do not always read the paperwork you give them before they sign it. They do not always read the updated policies we make readily available (and point them at) and so a number of steps need to be taken in conjunction with this.
1 - You need to review what access staff have to the MIS. All staff should be logging into it with a separate account that is unique for them. As well as ensuring that they only have access to the areas they are entitled to, you have an audit log of what they have been doing on there.
2 - You need to review the access that has been assigned on the MIS. Staff that change roles in a school often just have the extra bits dumped on top instead of stripping out the areas they no longer need (and believe me ... they don't need access to everything. Go speak to your SENCO or child protection officer if you don't believe me)
3 - You have to accept that the MIS is not the sole repository of personal information. An exported report can be transported to too many places to think about and the person generating that report has a responsibility to ensure it is only used by those authorised to do so *as part of their job*!
4 - You have to accept that data is often collected by staff and students for innocuous reasons, but when combined with other freely available information it becomes personal and identifiable. Access to this information needs to be treated in the same manner that you would for centrally stored information on an MIS. Only give access to those who need it, for the period they need it for and then remove access or destroy it afterwards.
5 - The removal of any such data from the school needs to be authorised and for a specific reason. The teacher in question is not authorised to do so (backups being the job of someone else) and it has not been done under the DP principles. This is a perfect example of how not to do things. We can extrapolate it further to ensure that backup tapes that are taken offsite are encrypted (either at backup or as a backup of an encrypted file / folder), that all USB keys used by teachers use something like TrueCrypt (commercial solutions are available) and that all access remotely into a school needs to be done on a secure connection, over HTTPS / SSL and not HTTP or basic RDP.
This is being reviewed by Becta and other Govt Agencies ... the definition of data classes and their relevant levels of impact is being done and there will be some clear exemplar cases over the coming months.
The OP has a valid argument and once informing the SLT (get it minuted that you did so) then turning a blind eye may still not be good enough in the coming months.