Review of Information security guidance for schools
After a number of serious breaches of Data Protection by officials at Central Govt., Govt. agencies, Local Govt. and associated organizations, a review was issued to examine how these breaches can be limited in future and dealt with accordingly.
The review, Data Handling Procedures in Government: Final report, has identified a systemic failure by multiple sectors to control and acknowledge the importance of data. All sectors of Central Govt. have been instructed to review policies and procedures and to issue subsequent instructions and guidance to their respective sectors.
Becta, the education technology agency, have been commissioned by the DCSF to provide guidance to schools on how to comply with the mandatory minimum measures from this review. They will be working with LGA on guidance within Local Authorities.
This guidance will be released by the end of August. In the meantime, most schools would find it helpful to follow the actions below.
1 – Schools need to identify Information Asset Owners. These are staff who control who has access to data within the school. They will include (but not exclusively) the Headteacher, the nominated Data Controller, the Child Protection Officer, the SEN Coordinator, the nominated financial officer and a technical manager or partner with responsibility for implementing the technology holding or managing this data.
2 – Schools need to assess which members of staff are allowed due access to data controlled by the above and ensure that they have sufficient training and instruction on the access and use of this data. Schools also need to ensure that this access is reviewed when staff roles change.
3 – Schools need to issue staff with instructions about which data may be safely viewed outside of the school premises. Further guidance will be issued about these data classes, but anything regarded as ‘Secret’ or ‘Highly Confidential’ should not be accessible outside of the school at this time without sufficient security technology being in place.
4 – With immediate effect the practice of sending unsecured, non-anonymous student data via email across the internet should stop.
5 – With immediate effect the practice of using portable devices, such as external hard drives and USB memory, to hold student data in transit should stop until sufficient security technology is put in place.
6 – The above guidance, which is based on electronic access to sensitive or personal data, should be considered good practice for the majority of hard copy access to the same data.