School ICT Policies Thread, Student reports and the DPA in School Administration; Yet again, I appear to be the bloody DP Officer and I'm trying to work out the status of student ...
  1. #1



    Student reports and the DPA

    Yet again, I appear to be the bloody DP Officer and I'm trying to work out the status of student reports wrt the DPA.

    For clarity, I'm referring to:

    Name of student
    Form
    Predicted exam / End-of-year grades
    Effort and attainment grades for subjects
    Comments from subject teachers and form teachers

    I get the feeling they should be covered, but I'm not sure where and I'm trying to answer a teacher query regarding their sensitivity. I've skim-read the new guidance and the older impact-level docs and my feeling is "encrypt if you're not sure".

    Any ideas?

  2. #2

    GrumbleDook's Avatar
    Here is one of the deficiencies of the DPA.

    The above fields you mentioned would clearly identify the student and their approx age, as well as who they are taught by. It should be regarded as sensitive and encrypted in storage or when in transit. It should only be emailed in a secure, closed system (ie not a system outside of the school control) and access to the data should be via two factor security ie, 2 lots of username / password (eg SIMS where you log into the computer and then again to SIMS) or 1 username and password and over https!

    But the DPA needs to be applied to the paper version of it too ... so why do we hand it to the student to take home or post it?

    The secret is to take 'appropriate measures' and do what you can. If you can't encrypt it all then make sure that you educate the staff about ensuring that it is kept secure (don't leave your machine unlocked) and it is transmitted appropriately (don't leave printed copies lying around, don't email to or from your home email address).

  3. Thanks to GrumbleDook from:

    pete (12th May 2009)

  4. #3
    enjay's Avatar
    Quote Originally Posted by GrumbleDook View Post
    The above fields you mentioned would clearly identify the student and their approx age
    But what it wouldn't do is be of much interest to anyone who doesn't know who the child actually is - to an "outsider" they are just a name on a sheet of paper. The greater confidentiality risk is surely to do with reports falling into students' hands, so education to staff about locking PCs (ours are told to only write reports in staff-only areas), not leaving print-outs lying around, etc. Are we not getting a little OTT by demanding encryption and two-level security on reports?

    Just a thought...

  5. #4

    GrumbleDook's Avatar
    The issue is with data getting into the hands of *anyone* other than the data owner (the original student) or those authorised to use the data (the teacher, the parent or associated people).

    Whilst an outsider may not have a clear view of who the student is, this data can then be turned into more information for profiling targets and grooming ... that is the nasty side of things.

    The other side is if this data makes its way onto the web and in years to come is found again and can then be used against someone who has a higher profile than when at school. Protection of data is not just for whilst they are your student ... it is a permanent thing.

  6. #5
    enjay's Avatar
    Still not sure what grooming you could do based on a school report if you don't know whose report it is, but I take your point about the information coming back to bite someone in later life.

  7. #6

    GrumbleDook's Avatar
    To be honest I don't think it would be that good to discuss grooming techniques, even to consider how you can protect against them. Let's just say that I am advised that information about a student, their approx age and subjects they are good at are enough for people to get a hook in there. The training down at CEOP opens your eyes about pet clubs, interest clubs (chess clubs, etc) and other pieces of information. If you have not had the Think U Know training at your school then I would strongly recommend that it is investigated. You can apply a number of DPA good practice items to help with it.

    It is another reason why you have to be careful with things like publishing names of team list from school footy teams in papers and so on ... it is not just pictures you have to worry about.

  8. #7

    Quote Originally Posted by GrumbleDook View Post
    ...and access to the data should be via two factor security ie, 2 lots of username / password (eg SIMS where you log into the computer and then again to SIMS) or 1 username and password and over https!
    Technically this is still single factor authentication. To use two different factors you need 2 of: what you are (biometrics etc), what you know (usernames + passwords) or what you have (USB token).

    Two passwords/PINs (or a larger number if you prefer!) to access a system doesn't constitute two factor. If someone is able to get the first password they can almost certainly obtain (or guess) the second. However they may not be able to get hold of a biometric or a keycard, which is where TF-A gives you the added security.

    Sorry for bringing the thread slightly off topic but TF-A and its very common misinterpretation is something that is a pet peeve of mine.

  9. #8

    GrumbleDook's Avatar
    Two-factor security and two-factor authentication are slightly different beasties and whilst the original edict from ICO pointed very clearly at two-factor authentication, this is unworkable for many institutes for operational and financial reasons.

    I have described two-factor security, where there are two security factors, either through multiple and separate logins (definitely no AD link with SIMS!) or through the use of securing the protocol used to transport the data as well.

    Presently I have not seen a single two-factor authentication solution for any learning platform, MIS or Portal. I have seen it for LA systems with the use of generating tokens such as Vasco, but these are out of the price range of most schools.

    One area that is debatable about TF-A is the use of a memorable word or keyphrase alongside the username / password. Looking at a response to a question about it within the NHS they were told that they could not use a question / response system where each time you login you then have to answer a pre-answered question with the correct answer, and there would be a series of 20 questions. It was felt that staff would put the same answer to all the questions. This was suggested to be used rather than biometrics due to the risk of cross-contamination with the sensors.
