Your right Vikpaw but we tell staff they need to use their own devices and it is set to autolock remote computer if not used after a few minutes can't print anything out as that is locked down but could screen print and because they use Encrypted Key usually on Memory stick or own device and a username and password so dual Factor couldn't access any MIS systems without Encrypted App (App can't be copied or replicated and is disabled if incorrectly used and Username and Password. Just feel we have secured best we can with this and feel this is a bit more secured than Staff taking data off site on Laptops USB or paper etc and less complicated than trying to make sure all data is Encrypted or no documents are taken offsite to be honest we use various methods and techniques to secure, restrict and log what is going on but would be a lot to discuss on here and all is done technical side of things so it makes it seamless for the user.
So MIS user double clicks App (this authenticates using Encrypted key) and user Logs in with Username and Password no App can't access MIS systems so even if students knew a member of Staffs password they wouldn't be able to access the MIS systems.
@Steven_Cleaver - Probably not right to go into extra detail on this thread, but be very interested to hear about your two-factor setup and other steps for securing data... If you have time, we can start another thread.