School ICT Policies thread: Update on Data Protection
  1. #1

    GrumbleDook

    Update on Data Protection

    Ray has put in another good blog post on the MS UK Schools blog.

    Microsoft UK Schools News Blog: Information Security – a week on

  2. Thanks to GrumbleDook from:

    speckytecky (6th July 2008)

  3. #2

    Ric_

    From reading the links, the two points that strike me as the most technically difficult to ensure are:
    • Do not remove sensitive or personal data from the school premises unless the media is encrypted and is transported securely for storage in a secure location.
    • Protect all desktop, portable and mobile devices, including media, used to store and transmit personal information using approved encryption software.


    It is of course possible to find software that will encrypt files/devices but how do you ensure that the data is intercepted and encrypted in the first place?

    For some time I have been looking for a solution that will prevent SIMS from producing ad-hoc reports that can be printed and taken out of school with no accountability.

  4. Thanks to Ric_ from:

    speckytecky (6th July 2008)

  5. #3

    It's always been possible to take paper copies of personal data out of school (or anywhere else) and all you can reasonably do is make sure people know that they shouldn't do it (or should take reasonable care of the documents if they do do it).

    What you might be able to do is add a header saying something like "Do not remove this document from the school" - this just serves as a reminder.

  6. Thanks to srochford from:

    speckytecky (6th July 2008)

  7. #4

    russdev

    Originally posted by Ric_:
    From reading the links, the two points that strike me as the most technically difficult to ensure are:
    • Do not remove sensitive or personal data from the school premises unless the media is encrypted and is transported securely for storage in a secure location.
    • Protect all desktop, portable and mobile devices, including media, used to store and transmit personal information using approved encryption software.


    It is of course possible to find software that will encrypt files/devices but how do you ensure that the data is intercepted and encrypted in the first place?

    For some time I have been looking for a solution that will prevent SIMS from producing ad-hoc reports that can be printed and taken out of school with no accountability.

    Well, this is my thinking and how I am going to recommend it at my place. We provide software and a manual/training on how to use it. Then we have a data security policy etc. that states you must encrypt all data on removable media, and if you are found not doing so then it will be deemed a disciplinary offence.

    Then at that point we need a process in place to audit it etc. to make sure people are being secure with data.

    That way the school has made its best effort to make sure data is secure, and staff understand the importance of the issues involved.

    Russ

  8. 2 Thanks to russdev:

    kingswood (6th July 2008), speckytecky (6th July 2008)

  9. #5

    Ric_

    What I would actually like is a document management system to store all this personal information so that there is an audit trail of who does what with it (view, edit, print, copy).

    I would then like some kind of hook into SIMS so that any data that comes out is sent to the document management system instead of straight to MS Office or the printer. The information could of course then automatically open/print after passing through the system so that it is transparent to the end user. It is this hook that is vital IMHO but nobody produces a system with this capability.

  10. Thanks to Ric_ from:

    speckytecky (6th July 2008)

  11. #6

    GrumbleDook

    I've summarised what I believe are the systemic issues with data protection in schools, admittedly from a secondary viewpoint. There are some issues that are better or worse in primary or special ... and I dare not even touch on HE/FE ...


    I see the main barriers to securing data in schools as follows.

    1 - Understanding what data needs to be secured. The interim category of Protected Personal Data needs to be defined within education and a better understanding of the roles of people working with this data.

    2 - Systemic changes of contracts within schools to include reference to the correct use of personal information. This then needs to be backed up with training and guidance for staff, tailored for their specific roles within the school.

    3 - Systemic analysis of access to information within the MIS. Too many schools have blanket access to Management Information Systems within schools rather than having the access defined by the role of the member of staff. Even with those that do have some granularity in place, when staff move roles within schools they are likely just to have the extra access plonked on top rather than their whole access revised.

    4 - Too many companies working with schools do not follow good practices to protect the data schools send them. I hesitate to think of the number of companies that have asked for information to set up services for students to use and just ask for information to be emailed over. Schools should refuse to use these companies until they change their practices. They should also make sure that they have signed agreements to abide by the school's Data Protection policy.

    5 - Staff taking responsibility for security of data. I am not expecting all staff to be geeks or hackers, but the simple attitude of making sure that information is only ever left in the proper place for it. This attitude is not just for electronically stored data but all information about students (and other staff). Technology can only do so much, but password security and not losing planners full of personal / confidential information are simple ideals.

    I tend to take the view that common sense will prevail with a lot of this, but I am not holding my breath. I already know that in my school we will be making a number of changes and the LA guidance will be updated very quickly as well.

    As the year end approaches (Monday 25th August is an important date for secondaries as we can now start basing things on the timetable for next year!) it is important for schools to make sure that information and data is going to be used correctly and legally.

    It is going to be an interesting year, that's for sure.

  12. 2 Thanks to GrumbleDook:

    kingswood (6th July 2008), speckytecky (6th July 2008)

  13. #7

    It is going to be an interesting year. The government shakes up its own data protection systems and schools suffer.

    I like this part of the MS Schools' Blog:

    "If you’re purchasing laptops or desktop computers that are for staff use, then opt for Windows Vista Enterprise licences, because that has full-drive encryption built-in through BitLocker."

    Buy Vista.

    And then:

    "If you’ve got existing computers with Windows on them, then you’ll either need to plan to upgrade them to Windows Vista Enterprise (or Ultimate), or buy an alternative encryption package (there’s some listed on this page, referenced by Becta)"

    Buy Vista.

    I can understand that BitLocker allows for full drive encryption (of course you only get *full* drive encryption with SP1) because it uses AES to encrypt (128 bit) and decryption requires the FVEK (Full Volume Encryption Key) which in turn requires the Full Volume Master Key (256 bit). TPM and USB flash drive can be used to store this. But for BitLocker to *work* you need:

    1. TPM

    or

    2. TPM plus USB Flash Drive

    or

    3. TPM plus PIN

    You can also use flash drive startup key only (your laptops may not have a TPM module - ours don't). This option isn't as secure as the others but still lets you have a certain level of security. Without TPM though, anyone can take your HDD and, as long as they have the flash-based key, access the drive's information. Oh - and you can also use the "clear key" method. A bit like leaving the keys in your front door.

    You need Vista Enterprise or Ultimate; TPM Version 1.2 (and enabled); BIOS support for USB class 2; at least two volumes.

    There are alternative encryption software applications (including open source versions) equally as good if not better than BitLocker. And of course Mac OS X comes with its own security methodology (Keychain and FileVault to name two) which are pretty robust in their own right. Linux has SELinux to support those who need a broader set of security tools.

    Whilst I agree with the premise of the blog, and understand that it is a *Microsoft* schools' blog, it is of course biased. What is good is that BECTA are translating all this into technician's language for us and the advice (I think) needs to be heeded as much as possible.

    The advice here is common sense-based and something I will assess as soon as possible:

    Becta Schools - Leadership and Management - Security - Information security guidance for schools

    Thanks for the link Tony - good information to have!

    Paul
    Last edited by kingswood; 6th July 2008 at 07:40 PM. Reason: Spelling was waaay off!

  14. Thanks to kingswood from:

    speckytecky (6th July 2008)
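
The unlock methods kingswood lists above can be checked per machine, which also gives the audit step russdev mentions something concrete to run. This PowerShell is an added example, not code from any poster or from Microsoft; it assumes the BitLocker module's Get-BitLockerVolume cmdlet (Windows 8 / Server 2012 and later, not Vista), and the function name, finding labels and sample volumes are constructed for illustration.

```powershell
# Added example: grade operating-system volumes by the BitLocker unlock method in use.
param([switch]$Live)   # -Live reads this machine (needs an elevated session)

function Get-ProtectorFinding {
    param(
        [Parameter(Mandatory)][string]$Volume,
        [Parameter(Mandatory)][string]$VolumeStatus,
        [Parameter(Mandatory)][string]$ProtectionStatus,
        [string[]]$ProtectorTypes = @()
    )
    $finding = if ($VolumeStatus -eq 'FullyDecrypted') {
        'FAIL: not encrypted'
    } elseif ($VolumeStatus -ne 'FullyEncrypted') {
        "WARN: conversion not finished ($VolumeStatus)"
    } elseif ($ProtectionStatus -ne 'On') {
        # Suspended BitLocker leaves an unprotected "clear key" on the disk.
        'FAIL: protection suspended, clear key stored on the disk'
    } elseif ($ProtectorTypes -match '^Tpm(Pin|StartupKey|PinStartupKey)$') {
        'OK: TPM plus PIN and/or startup key'
    } elseif ($ProtectorTypes -contains 'Tpm') {
        'OK: TPM only'
    } elseif ($ProtectorTypes -contains 'ExternalKey') {
        'WARN: USB startup key only, no TPM'
    } else {
        'WARN: no TPM or startup key protector found'
    }
    [pscustomobject]@{ Volume = $Volume; Finding = $finding }
}

# Constructed sample volumes (not real output), one per mode discussed in the thread.
$volumes = @(
    @{ Volume = 'laptop1 C:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On';  ProtectorTypes = 'TpmPin', 'RecoveryPassword' },
    @{ Volume = 'laptop2 C:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On';  ProtectorTypes = 'ExternalKey', 'RecoveryPassword' },
    @{ Volume = 'laptop3 C:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'Off'; ProtectorTypes = 'Tpm', 'RecoveryPassword' },
    @{ Volume = 'laptop4 C:'; VolumeStatus = 'FullyDecrypted'; ProtectionStatus = 'Off'; ProtectorTypes = @() }
)
if ($Live) {
    $volumes = Get-BitLockerVolume | ForEach-Object {
        @{ Volume = $_.MountPoint; VolumeStatus = "$($_.VolumeStatus)"
           ProtectionStatus = "$($_.ProtectionStatus)"
           ProtectorTypes = @($_.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" }) }
    }
}
$volumes | ForEach-Object { $v = $_; Get-ProtectorFinding @v }
```

Saved as a script, it grades the four sample volumes by default; with -Live it grades the volumes on the local machine instead. On data volumes an ExternalKey protector may simply be auto-unlock, so the findings are meant for the operating-system volume.
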

  15. #8
    PEO

    TrueCrypt anyone?

  16. #9
    rayfleming

    Hi,

    As I seem to have started this hare running on the blog, I thought I'd jump in with thoughts too...

    Firstly, Kingswood is absolutely right - my advice on the UKSchools blog is biased towards Microsoft (but then, like Kingswood points out, it is the Microsoft schools blog).

    My view is that we're heading towards a big crunch-time. It's likely that there will be a group of people, especially in secondary schools, who'll look at the generic advice, and will have the time/inclination/interest/skills to develop their own methodology to deal with the updated advice. BUT there's a huge number who won't - think about 28,000 primary schools who should be implementing better information security (or 5,000 nurseries, and probably 2,000+ secondary schools), who probably won't know where to start, and will be reliant on somebody else to offer advice. And that advice is likely to be in a format that's indigestible for them! (If any of the conversations I've had with 'security-types' have been representative..).

    The kind of regime schools are going to be facing has been the precinct of official-sounding Govt types (as soon as you start talking about FIPS 140-2 Level 2, it doesn't take long before somebody mentions CESG or GCHQ - and lots of the info they publish wouldn't win a plain English mark).

    Grumbledook's summary of the issue is excellent - and we need to strive for the same kind of simplicity in advice for "what do I do about it", that a non-ICT-centric Head Teacher of a primary school can follow. Something that leaves them feeling that they've done the right thing. We can't afford too many grey areas, because we'll stay in today's situation - today it's too confusing to understand what's right and wrong, and how to fix it.

    The current work of the Cabinet Office, and Becta, is going to make it easier for schools to understand Right and Wrong in data handling. But in all the conferences I've been to this year, on ICT, I haven't heard a single person (including me) giving advice about how to improve Information Security. I guess this next year's going to be different!

    Ray
