School ICT Policies Thread, Data Protection Act - re: Remote Access in School Administration; At our local Secondary Heads meeting it was stated that no-one should access pupil data remotely as this contravenes the ...
How do you mean remotely? Over a LAN or WAN? If you look at the Becta presentation recently posted on the forum, Becta want staff to have remote access to this information, should they have a need to and the relevant authorization. The problem with the DPA is that everyone knee-jerked and forbade everything when most of it was about restricting who got to see the information.
Try here for more info.
I mean from outside the WAN. Like me remotely accessing the site from home. Once in, with my credentials, it is possible to access everything of course.
Don't think it would and is part of Becta draft docs that they can access it..
Data protection so that people who should not have access to it cannot access it and that only relevant people can access it, i.e. teacher should not be able to access pay info for staff but should be able to access pupil test scores.
russ
In a previous life - I was at a presentation by the Data Reg people - and (at that time anyway) their view was that it was a tool for thinking about who should have access and why, and then declaring that publicly and sticking to your declaration. Pretty much not about restricting access at all. They clearly stated that data that wasn't personal in content (i.e. that was anonymous or was related to a position or organisation rather than an actual person) was not covered at all.
The sticking point for me on the DPA is that people (ie staff and parents) tend to think that it means that you are obliged not to let anyone see anything.
Once you set out what information you have, what you use it for, who is allowed to access and update which portions then the security of the data is guided by this.
One obvious issue is allowing staff access to data at home. Staff want to update stuff from home ... we know this ... but we have to make every reasonable effort to keep it secure. The same privileges that allow staff to access home addresses and disciplinary records of students whilst in school mean, for most MIS, that they have the same access at home.
The question is does that breach the declaration you have made? If you run access through a VPN with encryption then yes ... if it is through a web browser on good old-fashioned http then no ...
But what is to stop staff running a report of home addresses and taking it home anyway? The same with other information ... or even email it to themselves ... or stick it on a USB key which they also pass round the class to collect homework (this was done just before the holidays ....)
The key phrase I suppose is that you have taken every reasonable action to ensure the correct use and security of data within the school.
Don't forget that under the new Freedom of Information Act, etc. you should really have a policy that states what information you will be holding about anyone and what process is in place for the retrieval of that information if the person to whom that information ascertains to requests it.
Most schools should have received guidance on this from their LEA. It should have gone to whoever is registered with the Information Commissioner (formerly the Data Protection Registrar).
Trying to find out who that is in a school is sometimes difficult but a word of advice ... if someone asks you to do it, then politely ask a member of the Senior Leadership Team to do it instead (or whatever you call the upper echelons of Manglement in your school).
Help write the policies, make sure your neck is covered ... but get someone else to have to worry about it or to take the flak if something goes wrong. If you have to do it then get it written into your job description as it may help to justify a higher position on the pay scales ... after all ... it does involve more work and responsibility.
Great information there Tony - I haven't looked into the ramifications of the DPA as yet, but I've kept a copy of this thread so that I can look over them again when I get the time.
I know this is perhaps a separate question (and goes out to all), but do you demand an SLA from those you outsource any work to? I am thinking of doing so from CSE who have recently broken our network and have offered very little in the way of support afterwards. If I had an SLA from them, it would be easier to pull them up when they do go wrong.
Any thoughts?
Paul
Not sure what we do here Paul, the IT Manager deals with that stuff for us, being CSE reliant ourselves - grrrr! - I know it is most frustrating that you can't just get on and fix it (does that invalidate any contract you have with them?), it might be best to speed up the dropping of CSE!
You *must* get an SLA, or statement of work for those one-off jobs like projector installs, from whoever is in doing stuff for you. It is your big lump of wood ... with rusty nails in.
As well as information on service, the SLA or statement of work should contain information about the company's Health & Safety practices, Data Protection (where appropriate), complaints procedures and possible penalties.
Becta's Tech Support Advisory Service has a section on this (and linking it in with other things).
CSE do actually have on their website info about their SLAs ... ask them to send you a copy of the one for you. Most solutions providers such as CSE, RM, etc have a standard SLA for schools and it is usually up to you to negotiate for a better one suited to your institution.