Tuesday, 3 May 2011

School breaches Data Protection Act

A school in Oldham had a laptop stolen from a teacher's car. Following this press release from the Information Commissioner’s Office, several issues have returned to the forefront of senior managers' minds within schools:

• Which data is included in the Data Protection Act?
• What should we be advising staff on the use of laptops?
• What should we be advising staff generally?
• What encryption systems are considered acceptable?
• Should we have a policy on this?

This blog post will respond to these common questions and give you a starting point if you are considering these issues yourself.

What data is included in the DPA?

Fundamental to the Data Protection Act is the need to protect data “which relates to a living individual who can be identified”. It includes “expression of opinion” (e.g. school reports) and “indication of the intentions of the data controller” (e.g. the school’s plan to involve an external adviser to review a child’s behaviour). Summary data is not included. For example, a graph summarising last year’s exam data would not be a problem, but a list of which students got what grades would be.

For more detail on what personal data is, see this quick reference guide from the ICO.

What should we be advising staff on the use of laptops?

If laptops simply contain teaching materials there is no problem. If the laptop may also contain pupil or staff data, then you must have taken reasonable steps to protect it. What counts as ‘reasonable’ is redefined as technology changes. In the past it has included password-protecting the computer and password-protecting the file; now that encryption is a mature technology, using it is considered standard. (See below for further details.)

The Redbridge advice to council staff in the workplace is:
• If you leave your laptop switched on but unattended you must activate the password protected screensaver.

When out and about:
• Only use encrypted removable media approved by ICT Services
• Never leave your laptop unattended and never allow anyone else to use your laptop
• Beware of your surroundings when working out of the office. Consider the location you choose with care. Ensure you are not easily overlooked and never open documents or communications that are of a commercial or personally sensitive nature.
• Ensure you are not exposing your laptop to opportunistic theft.
• Only connect to approved or known wireless networks.

This advice is quoted from "Laptop User, Mobile Working and Removable Media Security Guidelines".
Redbridge Schools may obtain the full document on request.

What should we be advising staff generally?

The data security advice available on the LGfL website includes the following list of Do's and Don'ts - courtesy of Brent Council:

Do:
• Strictly limit access to personal data to those who need it to do their jobs.
• Tailor the subset of data users can see to that required to do their job.
• Enforce the use of strong passwords that contain both numbers & capital letters.
• Enforce regular password changes that do not allow users to reuse old passwords.
• Regularly review users & rights to ensure that these reflect job needs, they are current & correct.
• Do ensure that remote access to the school network is limited & that connections are encrypted.
• Limit & control the personal data that is taken from the school on portable devices (Memory sticks, PDAs, Laptops etc.)
• Ensure that all personal data that is taken out of the school is in encrypted form.
• Ensure that personal & other data is regularly backed up & that a copy is securely stored off-site wherever possible.
• Ensure that all file servers that contain personal data are in a secure, normally locked location.
• Ensure that PCs that have regular access to personal data through the logged in user are provided with a password protected screensaver.

Don't:
• Allow any personal data to be taken from the school in unencrypted form on removable media (memory sticks, portable hard disks etc.) or on laptops, netbooks or PDAs.
• Allow remote access to fileservers using products such as PCAnywhere or Microsoft’s Remote Desktop Connection software.
• Post unencrypted spreadsheets or databases containing personal data on public facing web sites.
• Post children’s photos on school websites without ensuring that no personal details are present in the file name or metadata.
• Do not allow children’s photos to be downloadable from school web sites by right-clicking the image.
• Allow remote access to file servers from “Any IP Address” without strictly limiting the range of ports that are opened.

Your school will need to ensure that this is communicated to staff. Many schools achieve this by having an Acceptable Use Policy which is signed by staff on an annual basis.

What encryption systems are considered acceptable?

Current advice from the Information Commissioner's Office states:
"Encryption software uses a complex series of embedded mathematical algorithms to protect and encrypt information. This process hides the data and prevents any inadvertent access or unauthorised disclosure of information. Since encryption standards are always evolving, it is recommended that data controllers ensure that any solution which is implemented, meets the current standard such as the recommended FIPS 140-2 (cryptographic modules, software and hardware) and FIPS – 197."

USB keys offering FIPS 140-2 level encryption are on the market from upwards of £40 (examples here), and laptop encryption software costs about £90 per device (example here). The cost might prevent a school from encrypting all laptops; however, choosing to encrypt key laptops (e.g. those used by the senior management team) may well be appropriate.

N.B. By listing these example products, LBR is not recommending them, simply demonstrating that such products exist.

Make sure you have discussed within your school which devices need to be encrypted and take steps to ensure that this is done.

Should we have a policy on this?

The simple answer is ‘Yes’. Should you wish to review your current policy then you may like to look at the following template policy listed on the LGfL website.

What should we do now?

The Information Commissioner's Office has asked the school (the ‘data controller’) to undertake a set of actions as a follow-up to this security breach. You could use this list as a checklist for your own school, making sure the following takes place:

(1) Portable and mobile devices including laptops and other portable media used to store and transmit personal data, the loss of which could cause damage or distress to individuals, are encrypted using encryption software which meets the current standard or equivalent;

(2) Staff are aware of the data controller’s policy for the storage and use of personal data and are appropriately trained how to follow that policy;

(3) Compliance with the data controller’s policies on data protection and IT security issues is appropriately and regularly monitored;

(4) The data controller shall implement such other security measures as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful process, accidental loss, destruction, and/or damage.

Further reading on this topic is available from the Becta archive here. Should you have any further questions, please get in touch with me, the Redbridge ICT Unit, or your ICT support provider.

Alex Rees

1 comment:

  1. Can I just ask a question.....

    What's the difference between information about children on laptops and memory sticks....and folders of paperwork and teachers' planning folders?....

    Some teachers have their class reports on laptops and memory sticks...they then print them out...they then take them home to read through them?...what's the difference between digital info and paper info?...does that mean teachers can't take home any folders with personal information in them?...as a lot of teachers' planning folders have group lists...reports...assessment info etc?....