A brief pop back in to bring you the next installment on Data Protection changes.
Becta have updated their page on Data Protection guidance and I hope to be running an online discussion on this next Tuesday from 4-6pm.
We hope to have a representative from IX Associates (the company that worked on this for BECTA and who have performed a significant amount of data protection work within Europe) to help discuss the impact on schools.
Places will be limited so I may have to be selective about participants depending on demand.
Please PM me if you wish to take part in the discussion. It will be worth your while to be ahead of the game. Any good examples of the use of technology at end-point (client) or enterprise level appreciated.
I've passed this on to my boss, who now looks very unhappy. She usually glances over things that I give her, but this one she is going to read intently.
Does the whole labelling of different levels of data mean that schools have to label all the hard copy documents in personal files? What about SIMS - there isn't IL labelling in there?
What about teachers who collect their data in excel sheets, and print them off for other teachers? Should that also be labelled?
This entire thing seems like a massive undertaking.
One of the key things to remember is that the law hasn't changed ... but examples of practice have shown to be at fault, meaning everyone has to be more aware of the letter of the law and tighten things up.
I am meeting (shortly) with IX Associates and will have a look at some of the examples in more depth and feedback. I should be able to get the full guidance over to those that are taking part so they get it early, but the summary sums up most of the key points ...
Yes, it will mean operational and technical changes, more so for some schools than others but I doubt if there will be a single school that is not affected.
The guidance will cover examples of technology and operational changes rather than just leaving you to your own devices. Where possible I will build this in to a number of tutorials for change if they don't already exist within the guidance. The important bit about this discussion next week is that it will be a chance to ask questions and say what you have already done before these documents have come out.
"Becta recognises that conflicts exist in existing policy, practice, technology and budgets." From Becta: "Good practice in information handling in schools: Keeping data secure, safe and legal", September 2008
Too right they do! We are short of man hours and money to be able to implement this properly, and when we try there are staff who simply don't get the fact that they must keep the information on "their" laptops and USB pen drives secure.
Another headache for the start of term! But thanks anyway for bringing all this to our attention and for trying to help us make sense of it all.
Yes ... we are short on staff to do this, time to train staff and money to get the software we really could do with. SNAFU.
If you want some even quicker 'quick wins' then I wrote the following at the start of the summer but was waiting for a bit more info before sticking them up here ...
None of the above contradicts the summary and could be used as a more friendly start (if you *really* need something more friendly than Appendix A - Quick wins for data handling compliance.)
Review of Information security guidance for schools
After a number of serious breaches of Data Protection by officials at Central Govt., Govt. agencies, Local Govt. and associated organizations, a review was issued to examine how these breaches can be limited in future and dealt with accordingly.
The review, Data Handling Procedures in Government: Final report, has identified a systemic failure by multiple sectors to control and acknowledge the importance of data. All sectors of Central Govt. have been instructed to review policies and procedures and to issue subsequent instructions and guidance to their respective sectors.
Becta, the education technology agency, have been commissioned by the DCSF to provide guidance to schools on how to comply with the mandatory minimum measures from this review. They will be working with LGA on guidance within Local Authorities.
This guidance will be released by the end of August, but in the meantime, the following actions would be helpful for most schools to follow until guidance is issued.
1 – Schools need to identify Information Asset Owners. These are staff who control who has access to data within the school. This will be (and not exclusively) the Headteacher, the nominated Data Controller, the Child Protection Officer, the SEN Coordinator, the nominated financial officer and a technical manager or partner with responsibility for implementing the technology holding or managing this data.
2 – Schools need to assess which members of staff are allowed due access to data controlled by the above and ensure that they have sufficient training and instruction on the access and use of this data. Schools also need to ensure that when staff roles change that this access is reviewed.
3 – Schools need to issue staff with instructions about which data may be safely viewed outside of the school premises. Further guidance will be issued about these data classes but anything regarded ‘Secret’ or ‘Highly Confidential’ should not be accessible outside of the school at this time without sufficient security technology being in place.
4 – With immediate effect the practice of sending unsecured, non-anonymous student data via email across the internet should stop.
5 – With immediate effect the practice of using portable devices, such as external hard drives and USB memory, to hold student data in transport should stop until sufficient security technology is put in place.
6 – The above guidance, which is based on electronic access to sensitive or personal data should be considered good practice for the majority of hard copy access to the same data.
Funding this, especially wrt to long-term log-keeping (currently 3-6 months here, depending on log in question) is going to be interesting. Even more interesting is checking that what teachers say they have == what they actually have.
What happens to Network Managers / IT Technicians in schools where the SMT continues to ignore the data protection requirements (no, not here)? I assume the IT staff would be expected to report such activity to the LEA/Local Gov? Many will be left in untenable positions. Resign and work somewhere responsible, risk being associated with the local government data protection blunder or unable to get a reference from a school because you got them into trouble.
*buys shares in IronKey*
As with all these things the responsibility is with the Head teacher and the nominated Data Protection Officer. There are whistleblower schemes for pretty much everything in the public sector nowadays and this will be no different, but the important thing is to do as you would normally do. Raise the issue, give advice on how it can be addressed and then document the response. Whether you take it further is up to you to some extent and I would not like to presume to tell you what to do in the circumstances you outlined above. (I know ... cop out ... but it is for *my* protection)
Good discussion here.
I would also advise all schools to have this sort of documentation put together if possible also, as I would imagine it won't be long before the likes of OFSTED are asking for evidence that data protection is being adhered to in schools.
Before I am going to give access to my staff from home to student details, staff details from our VLE using the SIMS webparts I will be insisting the staff sign a proforma..... that reminds me something else I have to add to the job list to do!
Thanks for this... I shall print it off tomorrow to try and hope it makes the SMT take my concerns more seriously.
A bit of a bump on this. I want to finalise numbers by the end of the day. We will have IX Associates there (who have prepared the guidance for Becta) and we hope to have Becta present too.
Alex has been a star and given us access to have a few more present now so I will be opening this up via a few other areas, so get in quick. Thanks for those that have responded so far.
Another quick bump.
I am looking for someone who has implemented, or is presently planning to implement:
a) enterprise wireless security
b) remote access to the school systems (either via VPN or https front end to terminal / citrix services)
Yes to both...
have done a), am considering b)
We are planning both here..