11th May 2009, 12:50 PM #1
Student reports and the DPA
Yet again, I appear to be the bloody DP Officer and I'm trying to work out the status of student reports wrt the DPA.
For clarity, I'm referring to:
Name of student
Predicted exam / End-of-year grades
Effort and attainment grades for subjects
Comments from subject teachers and form teachers
I get the feeling they should be covered, but I'm not sure where and I'm trying to answer a teacher query regarding their sensitivity. I've skim-read the new guidance and the older impact-level docs and my feeling is "encrypt if you're not sure".
11th May 2009, 03:03 PM #2
Here is one of the deficiencies of the DPA.
The above fields you mentioned would clearly identify the student and their approx age, as well as who they are taught by. It should be regarded as sensitive and encrypted in storage or when in transit. It should only be emailed in a secure, closed system (ie not a system outside of the school's control) and access to the data should be via two factor security ie, 2 lots of username / password (eg SIMS where you log into the computer and then again to SIMS) or 1 username and password and over https!
But the DPA needs to be applied to the paper version of it too ... so why do we hand it to the student to take home or post it?
The secret is to take 'appropriate measures' and do what you can. If you can't encrypt it all then make sure that you educate the staff about ensuring that it is kept secure (don't leave your machine unlocked) and it is transmitted appropriately (don't leave printed copies lying around, don't email to or from your home email address).
11th May 2009, 03:19 PM #3
But what it wouldn't do is be of much interest to anyone who doesn't know who the child actually is - to an "outsider" they are just a name on a sheet of paper. The greater confidentiality risk is surely to do with reports falling into students' hands, so education to staff about locking PCs (ours are told to only write reports in staff-only areas), not leaving print-outs lying around, etc. Are we not getting a little OTT by demanding encryption and two-level security on reports?
Originally Posted by GrumbleDook
Just a thought...
11th May 2009, 04:10 PM #4
The issue is with data getting into the hands of *anyone* other than the data owner (the original student) or those authorised to use the data (the teacher, the parent or associated people).
Whilst an outsider may not have a clear view of who the student is, this data can then be turned into more information for profiling targets and grooming ... that is the nasty side of things.
The other side is if this data makes its way onto the web and in years to come is found again and can then be used against someone who has a higher profile than when at school. Protection of data is not just for whilst they are your student ... it is a permanent thing.
11th May 2009, 04:15 PM #5
Still not sure what grooming you could do based on a school report if you don't know whose report it is, but I take your point about the information coming back to bite someone in later life.
11th May 2009, 09:15 PM #6
To be honest I don't think it would be that good to discuss grooming techniques, even to consider how you can protect against them. Let's just say that I am advised that information about a student, their approx age and subjects they are good at are enough for people to get a hook in there. The training down at CEOP opens your eyes about pet clubs, interest clubs (chess clubs, etc) and other pieces of information. If you have not had the Think U Know training at your school then I would strongly recommend that it is investigated. You can apply a number of DPA good practice items to help with it.
It is another reason why you have to be careful with things like publishing names of team list from school footy teams in papers and so on ... it is not just pictures you have to worry about.
11th May 2009, 11:19 PM #7
11th May 2009, 11:47 PM #8
Two-factor security and two-factor authentication are slightly different beasties and whilst the original edict from ICO pointed very clearly at two-factor authentication, this is unworkable for many institutes for operational and financial reasons.
I have described two-factor security, where there are two security factors, either through multiple and separate logins (definitely no AD link with SIMS!) or through the use of securing the protocol used to transport the data as well.
Presently I have not seen a single two-factor authentication solution for any learning platform, MIS or Portal. I have seen it for LA systems with the use of generating tokens such as Vasco, but these are out of the price range of most schools.
One area that is debatable about TF-A is the use of a memorable word or keyphrase alongside the username / password. Looking at a response to a question about it within the NHS they were told that they could not use a question / response system where each time you log in you then have to answer a pre-answered question with the correct answer, and there would be a series of 20 questions. It was felt that staff would put the same answer to all the questions. This was suggested to be used rather than biometrics due to the risk of cross-contamination with the sensors.