The Becta guidelines were requested by the Cabinet Office, which is driving the issue. The very least expected of schools will be to ensure that personal data is only ever physically taken off the premises on machines or devices that are properly encrypted and kept in secure locations, and that personal information on school servers will have to be accessed securely by staff outside schools.
While these two issues seem relatively straightforward and may have already been adopted by some schools, they are likely to present the majority with considerable challenges and additional expense. More investment will be needed and the lowest-tech device all schools will have to get is a shredder.
The first thing schools will have to do is audit their current procedures and practices with their support staff and suppliers. One industry insider warned that tough sanctions are also likely to be introduced by the Government, and that these will cover schools too. “While staff breaching guidelines are not likely to end up in court, a serious breach could easily lead to dismissal,” he said.
Schools have to audit their systems and control the movement of data
Becta consultants worked with the Department for Children, Schools and Families (DCSF) and the Information Commissioner to clarify and update guidance on information security in light of the latest Cabinet Office report (link below). The new report expects schools to immediately audit their systems and needs, and warns that many schools should no longer allow data to be taken off the premises unless its security can be assured.
The purpose of the advice is to enable schools to identify:
- data and information assets (information, stored in any manner, which is recognised as important or 'valuable' – not just in financial terms – or important to the organisation), with named owners responsible for them;
- a framework for ensuring sensitive data is correctly labelled, managed and protected;
- methods for the systematic assessment of risks and recording of data loss so that appropriate mitigating measures can be established.
The agency has identified two key classes of staff responsible for bringing about the changes - Senior Information Risk Owners (SIROs, typically headteachers or senior management team members) and Information Asset Owners (IAOs, usually several within a school, those responsible for e-safety, ICT or information management systems). "The handling of protected school data is everyone’s responsibility," says the guidance, "whether you are an employee, consultant, software provider or managed service provider."
It is clear that most staff are responsible because the legislation affects all those who handle data: "Data protection legislation states that all those who hold personal data, whether on paper or electronically, must keep that data secure. Clearly, this also applies to schools. Personal data is defined as any combination of data items that identifies an individual and provides specific information about them, their families or circumstances. This includes names, contact details, gender, dates of birth, unique pupil number (UPN) and so on, as well as other sensitive information such as academic achievements, other skills and abilities, and progress in school. It may also include behaviour and attendance records."
Schools will have to change their operations and their technology
Becta says schools will have to institute changes to both their operations and their technology, some of which can be done quickly and without additional expense. "Others will require investment and the participation of suppliers of school ICT systems and managed services," adds the report. "...Until new technology or enhancements to your existing ICT infrastructure can be put in place, you are likely to need to make operational changes. These may mean that certain types of sensitive data may no longer be accessible away from the school in the short term.
"...Other changes that may be required include data-handling awareness training, labelling, encryption, ICT event logging, incident response planning, provision of secure remote access using two-factor authentication, a review of contract clauses for data protection and processing (including cross-border data flows if data is processed abroad) and formal reviews of all user access requirements for remote access to, and storage of, protected sensitive data."
Schools are advised to label all documents according to their sensitivity (impact levels). The report advises "Due to the complexity of classifying reports generated from protectively marked data, it is recommended that where possible educational ICT systems should be set up to label the output of any protected data as IL3-Restricted by default (implicit labelling). Where new systems are being procured it is recommended that implicit labelling is included as part of the functional specification and ICT requirements."
Material classified as "IL2-Protect" and "IL3-Restricted" will have to be encrypted if it is moved out of school or other premises. In unencrypted form (eg paper) it has to be kept in a locked cabinet. All paper documents deemed to be sensitive should only be destroyed by shredding. And their digital counterparts have to be securely deleted. The simple, everyday deletion that most computer users are familiar with will no longer suffice.
Encryption technology will become commonplace in schools
Data encryption will now become increasingly important for schools, but there is no clear guidance yet as to suitable products and practices - eg whether just sensitive files or entire hard discs should be encrypted. The report also warns that encrypted material should not be unwittingly taken abroad: "Some countries ban the use, or severely regulate the import, export or use of, encryption technology. Taking a laptop with encryption software to certain countries could risk imprisonment or cause your laptop to be confiscated.
"You may not be able to meet certain import or export requirements, and must, before travelling to countries with restrictions, remove encryption software from your laptop or mobile device, avoid taking encrypted files to these locations, and remove protected data from your devices."
Clearly, the implications for schools in Becta's first report alone are far-reaching. And there is more to come. Schools are expected to adopt digital security at corporate and government levels. As the digitisation of education continues, new duties and obligations are emerging that have serious implications for school management and administration overheads and costs. Along with the obvious, immediate effects of this report there are also implications for the government's desire to give parents online access to pupil data (see Ian Usher's blog on Parental Usernames, link below). It will require focus, support and appropriate resources to make this daunting challenge an opportunity.
"Good practice in information handling in schools: Keeping data secure, safe and legal"
Cabinet Office's "Data Handling Procedures in Government: Final Report"
Information Commissioner website
Changing the Game (Ian Usher on parent usernames)