Friday, 6 May 2011

ICT Mark changes - a summary

Firstly - it's definitely still here, which is great news. For those who don't know, the ICT Mark has become the benchmark against which schools review their ICT management, looking at the 6 key elements of:

  1. Leadership and management

  2. Planning

  3. Learning

  4. Assessment

  5. Professional development

  6. Resources

The self-review framework website, and the assessment process, were both part of Becta's work - with the management of this contracted to Naace. Since Becta has left the stage it has been confirmed that the ICT Mark will now be endorsed by the Department for Education. A recent email to schools from Naace includes the phrase "Naace is delighted to announce that it has received a concession from the Department for Education to continue to administer and quality assure the ICT Mark for Schools". This means that the transfer process is incredibly seamless.

There are a few changes, however, which are worth highlighting.

  • The cost of initial assessment has changed to three bands: £400, £550 and £650, depending on the size of the school.

  • From 1st June 2011 a method will be put in place for some schools to renew the ICT Mark by conducting a remote assessment. This should reduce the cost for renewing schools and can be used up to 6 months after the expiry date. It looks like, to be eligible for this remote assessment, the school will need to evidence that they have continued the self-review process and have documented progress on the identified areas of improvement.

  • Schools who have prepared for ICT Mark renewal with support from a Licensed ICT Mark consultant will receive a reduction in fees, depending on the report the consultant passes on to Naace.

  • The ICT Mark has long been the benchmark of good practice. Naace are developing a further accreditation stage for schools who demonstrate excellent practice.

Details concerning all these changes are available on the ICT Mark pages on the Naace website.

Redbridge has an Intermediary Model arrangement enabling assessments to be done at significantly lower prices. If you are in a Redbridge maintained school please get in touch to find out how you could benefit from this.

Alex Rees

Thursday, 5 May 2011

Redbridge Technicians Forum - Thursday 19th May 2011

The Technicians Forum is open to all technical staff within Redbridge schools to network and gain from some thought-provoking presentations, opportunities to share good practice and find out what is going on in other schools across the borough.

Your place will cost £35 (to cover administration, venue and refreshments) but if your school subscribes to School Improvement services there is no extra cost. This is very useful CPD at a very low price! Book your place now on the website.

This will be the 6th RTF meeting and on the agenda we will look at Microsoft's new licensing process, managing large projects and different ways to manage printing across the school. We will, of course, also ensure you are up to date with what is going on across the borough.

Feedback from the last meeting shows over 90% of attendees said it was 'worthwhile' or 'very worthwhile' attending. Delegates listed a variety of particularly good points, including statements like "all sessions had information relevant for my role", "[I valued the] professional input from suppliers" and "updating with local authority information [was] very useful". Book now!

Alex Rees

(If you are not a Redbridge maintained school and would like to attend please contact us.)

Tuesday, 3 May 2011

School breaches Data Protection Act

A school in Oldham had a laptop stolen from a teacher's car. Following this press release from the Information Commissioner’s Office, several issues have returned to the forefront of senior managers' minds within schools:

• Which data is included in the Data Protection Act?
• What should we be advising staff on the use of laptops?
• What should we be advising staff generally?
• What encryption systems are considered acceptable?
• Should we have a policy on this?

This blog post will respond to these common questions and give you a starting point if you are considering these issues yourself.

What data is included in the DPA?

Fundamental to the Data Protection Act is the need to protect data “which relates to a living individual who can be identified”. It includes “expression of opinion” (e.g. school reports) and “indication of the intentions of the data controller” (e.g. the school’s plan to involve an external adviser to review a child’s behaviour). Summary data is not included. For example a graph summarising last year’s exam data would not be a problem, but a list of which students got what grades would be.

For more detail on what personal data is see this quick reference guide from the ICO.

What should we be advising staff on the use of laptops?

If laptops simply contain teaching materials there is no problem. If the laptop may contain pupil or staff data as well then you must have taken reasonable steps to protect it. ‘Reasonable’ is redefined as technology changes. In the past it has included password-protecting the computer and password-protecting the file; it is now considered standard to use encryption, as it is a mature technology. (See below for further details.)

The Redbridge advice to council staff in the workplace is:
• If you leave your laptop switched on but unattended you must activate the password protected screensaver.

When out and about:
• Only use encrypted removable media approved by ICT Services
• Never leave your laptop unattended and never allow anyone else to use your laptop
• Beware of your surroundings when working out of the office. Consider the location you choose with care. Ensure you are not easily overlooked and never open documents or communications that are of a commercial or personally sensitive nature.
• Ensure you are not exposing your laptop to opportunistic theft.
• Only connect to approved or known wireless networks.

This advice is quoted from "Laptop User, Mobile Working and Removable Media Security Guidelines".
Redbridge Schools may obtain the full document on request.

What should we be advising staff generally?

The data security advice available on the LGFL website includes the following list of Do's and Don'ts - courtesy of Brent Council:

Do:
• Strictly limit access to personal data to those who need it to do their jobs.
• Tailor the subset of data users can see to that required to do their job.
• Enforce the use of strong passwords that contain both numbers & capital letters.
• Enforce regular password changes that do not allow users to reuse old passwords.
• Regularly review users & rights to ensure that these reflect job needs, they are current & correct.
• Do ensure that remote access to the school network is limited & that connections are encrypted.
• Limit & control the personal data that is taken from the school on portable devices (Memory sticks, PDAs, Laptops etc.)
• Ensure that all personal data that is taken out of the school is in encrypted form.
• Ensure that personal & other data is regularly backed up & that a copy is securely stored off-site wherever possible.
• Ensure that all file servers that contain personal data are in a secure, normally locked location.
• Ensure that PCs that have regular access to personal data through the logged in user are provided with a password protected screensaver.

Don't:
• Allow any personal data to be taken from the school in unencrypted form on removable media (memory sticks, portable hard disks etc.) or on laptops, netbooks or PDAs.
• Allow remote access to fileservers using products such as PCAnywhere or Microsoft’s Remote Desktop Connection software.
• Post unencrypted spreadsheets or databases containing personal data on public facing web sites.
• Post children’s photos on school websites without ensuring that no personal details are present in the file name or metadata.
• Do not allow children’s photos to be downloadable from school web sites by right-clicking the image.
• Allow remote access to file servers from “Any IP Address” without strictly limiting the range of ports that are opened.

Your school will need to ensure that this is communicated to staff. Many schools achieve this by having an Acceptable Use Policy which is signed by staff on an annual basis.

What encryption systems are considered acceptable?

Current advice from the Information Commissioner's Office states:
"Encryption software uses a complex series of embedded mathematical algorithms to protect and encrypt information. This process hides the data and prevents any inadvertent access or unauthorised disclosure of information. Since encryption standards are always evolving, it is recommended that data controllers ensure that any solution which is implemented, meets the current standard such as the recommended FIPS 140-2 (cryptographic modules, software and hardware) and FIPS – 197."

USB keys using FIPS 140-2 level encryption are on the market, costing upwards of £40 (examples here), and laptop encryption software costs about £90 per device (example here). The cost of these might prevent a school from encrypting all laptops; however, choosing to encrypt key laptops (e.g. those used by the senior management team) may well be appropriate.

N.B. By listing these example products, LBR is not recommending them, simply demonstrating that such products exist.

Make sure you have discussed within your school which devices need to be encrypted and take steps to ensure that this is done.

Should we have a policy on this?

The simple answer is ‘Yes’. Should you wish to review your current policy then you may like to look at the following template policy listed on the LGfL website.

What should we do now?

The Information Commissioner's Office has asked the school (the ‘data controller’) to undertake a set of actions as a follow-up to this security breach. You could use this list as a checklist for your own school, making sure the following takes place:

(1) Portable and mobile devices including laptops and other portable media used to store and transmit personal data, the loss of which could cause damage or distress to individuals, are encrypted using encryption software which meets the current standard or equivalent;

(2) Staff are aware of the data controller’s policy for the storage and use of personal data and are appropriately trained how to follow that policy;

(3) Compliance with the data controller’s policies on data protection and IT security issues is appropriately and regularly monitored;

(4) The data controller shall implement such other security measures as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful process, accidental loss, destruction, and/or damage.

Further reading on this topic from the Becta archive is available here. Should you have any further questions please get in touch with myself, the Redbridge ICT Unit, or your ICT support provider.

Alex Rees