Category Archives: eSafety

The changing face of Data

Change never stops. There is always something else. Kyu Shin Do. Kaizen.

The latest thing I have a chance to work on, is to support schools as they get to grips with the changes that GDPR brings. But isn’t this another piece of red tape that will be a burden to schools? Well, yes, there are additional things schools will be obliged to do, but many things they should be doing already, if they are taking data protection and information handling seriously in the first place.

About 10 years ago I was sat on a working group for Becta, looking at Information Handling and Data Protection, and a lot of the advice was pretty full of common sense and those schools that picked it up, updated practices as further advice from the ICO was released and generally kept abreast of changes … well, for them the changes brought in by GDPR are an evolution, not a revolution … and this is important to remember.

Some improvements in processes; ensuring that you discuss with data processors about what they are doing with the data the school, as data controller, lets them process; having someone to have that oversight as Data Protection Officer; and so on … but these are all manageable with the right tools.

However, some schools are not up to speed. Some schools have only seen the scare headlines in some of the more sensationalist press (I won’t even link to them, they are that annoying and wrong). Some schools are being promised silver bullet solutions or are being told it will cost extortionate amounts of money to get the right experts in. In short, for some it is the Wild West.

It doesn’t need to be. There is good advice out there. There are people working to right the wrongs caused by these myths. The ICO has even started a series of blog posts around debunking these myths.

GDPR in Schools have already started to help schools understand their position and what they need to consider. They have developed a tool to help schools manage and record what data they handle, who and how it is processed and, possibly most importantly, why they are processing it. And this approach, to help schools fulfil a legal obligation in as simple a manner as possible, is one of the reasons why I am happy to announce I have joined GDPR in Schools as their Operations Manager.

Over the coming weeks we will discuss more around obligations, some of the legalities, some of the myths and how we need to make sure the dog is wagging the tail and not the other way around. We will continue discussions on EduGeek.net’s Data Protection & Information Handling sub-forum, join in discussions on LinkedIn and Twitter (#GDPRubbish can be an amusing yet illuminating hashtag to follow), and continue to publish advice through our blogs.

If you have any questions, please don’t hesitate to ask. Some questions can’t even be answered by DfE or ICO yet, but we will be there, on your behalf, asking the questions and pressing for answers.

DIGITAL PARENTING – TEACHING CHILDREN ABOUT TECHNOLOGY AND THE RISKS

(originally posted for Mobile Guardian)

We always welcome working with schools on eSafety, especially when it comes with supporting agencies and schools in their delivery of Get Safe Online. That is one reason why Tony Sheppard, our new Technology Manager, took a trip to Chesterfield last week as Chesterfield Safer Neighbourhood Team were invited into one of the local Junior Schools.

Supporting the Get Safe Online programme is an important part in our role of providing tools to support technology in schools and ensure the same ethos of classroom management can be applied with or without mobile devices and stop technology being a barrier to learning by giving ownership and control to teachers where appropriate.”

It is not just about turning technology off or blocking inappropriate content, but also about helping schools, parents and children make appropriate decisions in the all-encompassing digital environment.

Whilst the Safer Neighbourhood Team covered the stats and facts, the laws and the wherefores, Tony talked about the difficult task parents face with connecting with their children about technology and the risks.

“When we talk about Digital Parenting, we are really just talking about Parenting. We have to remember that magic triangle for Parental Engagement.”

Parental Engagement Triangle

(Becta: Exploiting ICT for Parental Engagement, May 2008).

“For most parents the important area is dialogue between them and their children. When we think about where we get advice about parenting, in general, we have a large number of options for us. School, family, friends, local services (such as the library or community services), online … and from our children themselves. Remembering that Monday was World Mental Health Day, it is important to remember that listening is an important part of parenting.”

Childnet has produced a number of suggestions for conversation starters with children

  • Ask your children to tell you about the sites they like to visit and what they enjoy doing online.
  • Ask them about how they stay safe online. What tips do they have for you, and where did they learn them? What is OK and not OK to share?
  • Ask them if they know where to go for help, where to find the safety advice, privacy settings and how to report or block on the services they use.
  • Encourage them to help. Perhaps they can show you how to do something better online or they might have a friend who would benefit from their help and support.
  • Think about how you use the internet as a family. What could you do to get more out of the internet together and further enjoy your lives online?

Childnet also provides an example of a Family Agreement that can be used to support the appropriate use of technology.

There are many scenarios around family use of technology, and we can look at these over the coming weeks, partly because there is often direct correlation between the struggles parents and their children have and the struggles with classroom management.

  • The Nag Factor
  • The Unexpected Gift
  • Always Switched On
  • Don’t Ever Switch It Off
  • Compromising Photo
  • But Just How Much Are You Costing Me?
  • The Packet Of Crisps

Once you have thought about what you want to do with technology, and how it is going to be used, only then do you think about what technical controls you need to put in place and who provides them.

The latest edition of Vodafone’s Digital Parenting magazine also provides a wide range of advice and information and the magazine is freely available to all schools.

With parents, they need to think about their Internet Service Provider, Mobile Provider, home networks (controls on the router for WiFi passwords, timed access, etc.), built-in tools (advice from Microsoft, Apple, etc.) and Commercial tools (covering timed access and location controls, web filtering, control which applications can be used, control installation / deletion / in-app purchases).

The same questions can be asked within schools and it is always best to be proactive about making sure the tools you choose match how you manage your classrooms and manage the learning.

At Mobile Guardian we provide a home MDM and parental dashboard, as standard, to all parents at school utilising our technology. That way parents can manage school and home owned devices – for free!

To find out more, ask your school about Mobile Guardian and follow us on Twitter to keep up to date with all our safeguarding tips.

Why Information Security Standards make sense to School Leaders

Having worked with Learning Possibilities as a client, a consultant and as a Project Manager, I still find myself relating almost all my activities to the following phrase, “What Would School Leaders Think?”

For most people in schools, awareness of Information Security standards is limited, and usually only heard about when talking about data protection or when they have been told that they can’t or shouldn’t do something, by their IT Manager, the Local Authority or a Governor.

In fact, most schools should be able to easily understand not just the importance of Information Security but how it is assessed at companies like Learning Possibilities, and that understanding is all down to thinking like OFSTED.

As with OFSTED visits to schools, companies certified to ISO27001 (the principal Information Security standard) will have regular audits and inspections from an external body.

As with OFSTED, Leadership is key. It is not about recording security incidents or how quickly they are dealt with, it is not about recording how well your backups run and it is not about recording the results of penetration testing. It is about looking at how Leadership set objectives, evaluate them and justify subsequent decisions.

Yes, there is record keeping. Yes, there are processes and procedures that have to be followed. Yes, there is regular training on Information Management, Information Security and Data Protection. Yes, there are issues and risks to be dealt with. However, these are there to provide evidence to Leadership and the quality of work is more important than ticking boxes on the 114 controls across 14 groups.

Internal audits are the book scrutiny sessions and staff observations. External audits are the OFSTED visits. The Information Security Management System contains your Statement of Applicability (let’s call it your SEF), your policies and procedures, your record of decisions, your Objectives and Measures (5 year plan?).

It goes on. There are so many similarities and helps show School Leaders that Learning Possibilities understands the impact of OFSTED, not just because of the educational impact, but because we have our own version to go through. We also know all too well about it being about key decisions, not just weighing the pig!

External audits are done each year, and you recertify after 3 years. Out of the 3 possible outcomes only the top outcome, which is effectively a 100% adherence to the standard, gets you the certificate.

What does this mean for our customers? Well, the standard is a way of showing both the importance of Information Security to us as a company across all our work, and also that we put in the time and effort on it, ensuring that it is part of our core ways of working.

So, after a 13 month programme of work we are more than pleased to say that we passed our External Audits for this year and have now been issued with our certificate, after coming through with flying colours, the equivalent of Outstanding.

I say a 13 month programme of work … we have already started on the work for the next 3 years, including the work on the international update of ISO 9001:2008 to ISO 9001:2015, the standard for Quality Management. Another opportunity for us to hold ourselves open to inspection against the highest possible standards.

Cloud Storage – update

This is still an ongoing discussion in several places and occasionally I get a prod to look at something and respond. In this case it was a thread on EduGeek (again) and so I responded.

Below is a version of what I posted (with typos / language corrections)

When considering the use of cloud storage there are a number of areas to consider. 

  1. Under the Data Protection Act the most relevant of the 8 principles is principle 7.

    Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

    In previous years the ICO has talked about reasonable steps, but they now make it clearer that it is ‘appropriate’ measures, and consideration of this has to be based on the type of data being stored / processes and the likely impact / damage should it be compromised.

    Translation? Before you decide where you can store things you have to consider what you are storing.

  2. When looking at cloud based storage you need to complete a risk assessment of what is being stored, where it is being stored (location of actually servers, company history, T&Cs, etc), what measures are being taken (technical and organisational) to protect it and what are the alternatives?In the past there has been lengthy discussion about the suitability of certain services. Google Apps, Microsoft’s Office365, Dropbox and so on. The principles above stay the same. The ICO talks about data being processed outside of the EEA, companies that have signed up the Safe Harbor agreement between US and EU, advice on cloud computing in general and so on. The important differences between private cloud, community cloud and public cloud (and the resulting hybrid model that is possible with some use of all 3) should be considered here.Translation? Putting things in the cloud is fine, but you have to plan what you are doing and take care to make sure about the partner / service you are working with.

Previous conversations about the use of dropbox can be summarised in the following points

  • Do we know where the data is? Yes, we now know they use Amazon storage based in the US.
  • If the Data is outside of EEA can we still use them? DropBox have now signed Safe Harbor so there is nothing there stopping you anymore.
  • Is it safe? Yes, for a given value of ‘safe’ … the data when stored it is not so much how the data is transferred, or how it is stored when it gets there … more a case of how is access controlled. This takes us back to the ‘appropriate technical and organisational measures’ part of theDPA.

Now let’s look at what considerations should be taken for *any* cloud based service. This is not a definitive check list, but it is a darned good place to start from chatting with most folk.

  • Check where and how the data is stored.
  • Consider if it is within EEA or in US and with Safe Harbor signed. If it is with a US company who has signed Safe Harbor but there is no guarantee the data is held in EEA or US then you have to consider the locations where it is stored and the impact any local laws there may have (e.g is it stored in Australia, Brazil, Thailand, etc and do any local laws mean data could be seized differently to if UK / EU / US laws were applied?) and how this affects you.
  • What are the guarantees around the company? Anyone can set up a service but do you trust the company? Have they passed any security audits? If they are a specific education company do you need to consider DRS checks?
  • Now the data is stored outside of the school what are the restrictions on access / processing? Technical? Organisational? What are your audit trails for this?

Bringing it back to DropBox again … the main concern here is how the data is accessed and cached on local drives. Is the account a ‘personal’ account that is being used? What guarantee that you can control the data should that personal account no longer have the right to access the data?

  • Scenario 1 – HoD needs data to be shared with teachers in her department. She has a DropBox account, as do others. She uploads a coursework logging spreadsheet into a shared folder and others access / complete it. A member of staff leaves so that access needs to be removed. Who removes it? As the service used is personal then it has to be the HoD? Is she aware of this?
  • Scenario 2 – HoD needs data to be shared with HoDs for other departments to target intervention children. The spreadsheet will contain reasons for intervention, including details of personal circumstances (which can include Sensitive, Personal Data). A member of staff is suspended due to allegations … how is that data then secured? The school has no oversight of the methods used to share the data and is reliant on all staff taking ownership of controlling data. The audit trail for this is horrendous!
  • Scenario 3 – The same data is being shared between HoDs. One HoD installs the client on their home computer which is used by all family members. At this point the school has not control over how the data is controlled. Guidance is needed to be provided (using organisational measures rather than technical measures) but again, the audit trail on this is horrendous.
  • Scenarion 4 – The same data is being shared between HoDs. One HoD installs the client on a personal mobile device. The device is then stolen. Is this a data breach? How was the device encrypted? Can it be remotely wiped?

The above scenarios would make most people shy away from using *any* cloud service … but actually, the ways of dealing and mitigating the risk is pretty much the same as if you are using school hosted services.

  1. Make sure that your AUP for staff covers the use of cloud services and the personal responsibility that each member of staff has to ensure that they only share data by controllable means. The school needs to assess whether their staff have a good understanding of Data Protection and Information Management, and then they can chose appropriate training as well.
  2. Make sure staff understand what levels of data are being processed. DPA talks about two levels, Personal Data and Sensitive Personal Data. Becta also worked on the use of Business Impact Levels and the UK Govt still gives advice around this too. CESG has the specific information if needed.
  3. When using email make staff understand what sort of data can be shared on that service. Good practice is to store the data in a controlled location and email the link to it, rather than emailing the file around. This is also good practice for managing mailbox size too. win-win!
  4. Where cloud storage and email are accessed on a device then make sure it is encrypted, secure and wipeable. If desktops the physical security is taken into account, for laptops the device encryption, but for mobile devices (phone / tablets) there is a strong level of importance on device encryption, strong passphrase for access and the ability to remotely wipe. It might be that tablet devices need to have 3G access purely to allow them to be remotely wiped. The company position on how this is dealt with on personal devices (and the audit trail for verification too).

So, back to the question. Can you use DropBox?
Yes … but make sure you consider the above 4 points, factor in the cost (both technical and organisational) for implementing it (and yes, that includes training, checking staff personal devices, etc), the politics involved (not usually dealt with by NMs but by SLT …) and the timescales involved.

Make sure that SLT know and understand that this is to do with the application of a Law within the school … and that you are not being negative or trying to stop people doing things …

Look at alternatives. Remote access to school systems so that the data never leaves your walled garden are very good but can get very expensive.

Instead of using personal tool have a look at verified cloud based services. Some have not licence costs (O365) but you then get limitations on it being a free service, shared with others … and you have to factor in school staff time on it, and other have a cost but you then know that the service is backed up by SLAs, etc (declaration of interest … I do work for such a cloud-based service!).

I hope this covers off most of the areas you needed to look at, answered some of the questions that might arise within the school too.

New Kit? Stay safe!

“Oh the weather outside is frightful

But the fire is so delightful

And since we’ve no place to go,

Let It Snow! Let It Snow! Let It Snow”

(Cahn and Styne, 1945)

And whilst we enjoy our yuletide celebrations, marvel at the wonderous new gadgetry which has appear from underneath that tree and giggle at all the silly photos we take of people with fake moustaches from crackers, children in costumes and cousins who are a little worse for wear … we pause for breath and think about the mountain of old gadgets that have been building up in the cupboard under the stairs, in the loft, etc … and thoughts go to flogging them off, passing them on to family and friends or donating them to worthy causes.

Today I am asking you to spare a thought about your personal life and personal tech … not about where you are posting the above mentioned pictures (you should be thinking about that already) but more about what you do with the old equipment.

When new computers, tablets, phones, etc arrive in your life it is often because the old ones have kicked the bucket or because of the demand for the latest gadgetry. When you are in school and equipment is disposed of there are WEEE, security and data protection considerations which need to be thought about. In the same way you don’t just throw out old bank statements at home, you should also consider what is happening with your old equipment.

Phones can be wiped and rest back to factory settings, old SIM cards get cut up the same your old credit card does, hard drives from computers should be wiped before passing on for sale or donation (it is you responsibility … if you pay someone else then you are taking a risk … manage it the risk, don’t just deal with it by passing it on without consideration) and those USB sticks and SD cards from cameras need securely wiping and/or destroying.

I’ve found a few interesting things this year by running very simple undelete software on devices and have had to have some difficult conversations with friends.

There are plenty of guides on the various manufacturers’ websites about how to wipe devices, or you can search EduGeek.net for ideas … but make sure you protect you personal devices.

Just think about what sort of pictures are on your phones (which will often location tag them too so people know exactly where you have been with your children) and then think of people you know who work with vulnerable families … are they aware of this risk too?

Think of the emails and notes you have with your bank details or other personal information … identity fraud it a real and terrible issue.

Think of the work you may have done on your home device, saving sensitive data about children on it but you know that the device is safe in your home … except now it is sat at the household waste recycling centre about to be picked up by someone for a tenner!

I’m part way through my annual check of old kit, securely wiping hard drives, crushing USB sticks beyond repair and working out where to drop off my old kit (some of it *very* old now) so I’d be interested to hear the lengths that some of you go to when making sure you are disposing of old tech properly. Please note, the video below is not my suggestion, but I know that there are some fans around of “Will it blend?”

http://youtu.be/5MMmLQlrBws

Internet Safety Talking Point 2

This is my latest blog post based on Scott McLeod’s 26 Internet Safety Talking Points.

Over the next few weeks I am looking at each point to tease apart the ideals behind them, to try to see both sides of the discussion and to share examples about who others have work on the issues. A lot of this will be from a UK-centric position but hopefully it will provide some insight into the similarities and differences with our friends in other countries.

Today’s point is about Decision Making

The technology function of your school organization exists to serve the educational function, not the other way around. Corollary: your technology coordinator works for you, not vice versa.

To use technology you should have a reason, understand what you want it to do and also understand how you can measure whether it is achieving it or not.

Oh dear … this sound like we are going to talk about planning again.

In the past a number of choices about technology have been a little chicken and egg with what has been used. There have been pilot projects or innovative schools who have gone out and done something interesting with new or emerging technology. The technology has inspired them to try something new and when it has worked you then find research to look into it on a wider scale. This is where folk like Becta came in … as well as groups such as the Association of Learning Technology, NAACE, Besa and so on. They took the research to the next level, either as partnerships with schools, those doing the research, with suppliers or as the controller of funds (or any combination) … resulting in ring-fenced funds to allow schools and LAs to implement a given technology.

So the idea that the technology should be based on your choice has not always been the way it should have been, but it was usually instigated based on good practice and research. How will it was implemented is then debatable and how much that removed control and decision making from individual schools is another point some will raise.

But where does the technology coordinator (NM, ICT Coordinator, LA Technology Manager) sit in this? To some extent they might have chosen the specific technology based on available funds, with a certain set of features, but the pedagogy behind it all should be pretty agnostic and be able to use whatever is provided. An IWB is an IWB … and whilst specific software might have benefits over other solutions the idea of it being used by learners is common … it is just the method which might change. The arguing point against this is around wireless tablets connected to projectors (removing the requirement for the learner to come to the front of the class … an important feature in some schools with learners who do not engage when in front of their peers) or the ‘add-on’ tools such as voting systems (actually a separate technology in their own right but can work well with IWBs).

The other arguing point around this is about policies and strategies. I hate to say it but there is a little thing called the law. In fact it is the Law. It deserves the capitalisation. And this varies across the world. There are many things which educationally would seem to be perfect decisions but are then put on hold or stopped because the NM / Tech coord / etc says no. This is not done lightly, nor is it done without consideration for what benefits will be lost and it is usually done with some attempt at compromise. Areas where there will be clashes ranging from safeguarding, copyright and intellectual property, data protection and information management, funding and classroom management. A good NM will educate you about these (if you are not up to speed) and will work with you to get the most out of tech … but they are frequently the gatekeeper as to what tech you can use because they have the knowledge about the bits which will cause problems. In the same way you have people to tell you not to try blowing up the science lab (in spite of how much fun it was when we were at school to see people do experiments that blackened the ceiling), or have people who tell you not to use certain classrooms due to them falling down … you have people who will say not to use certain technologies in certain ways. I’ll discuss the legal side of this in a later post … but just try to believe that a good NM is talking these into account and advising Senior Leaders, classroom teachers, office staff, parents, learners, local community and the random people who ring up the school because of things you post on the internet.

Yes, the Technology Coordinator works for you, but part of that job is choosing or helping to choose appropriate technology and keeping you safe. Don’t give them a job and then tell them they can’t do it!

On the other side, your NM should not keep things as a dark art and be the only person making choices. Any choices made should be clearly explained and, as per the last blog post, show where they are held accountable. Likewise the choice of technology should not force you down a particular educational route, but it can be an inspiration for doing something different. Be aware of the differences and look at the early adopters to see what they did and what worked / failed.

Internet Safety Talking Point 1

In my last blog post I republished Scott McLeod’s 26 Internet Safety Talking Points.

Over the next few weeks I am looking at each point to tease apart the ideals behind them, to try to see both sides of the discussion and to share examples about who others have work on the issues. A lot of this will be from a UK-centric position but hopefully it will provide some insight into the similarities and differences with our friends in other countries.

Today’s point is about responsibility and accountability.

Even though they may use fancy terms and know more than you do about their domain, you never would allow your business manager or special education coordinator to operate without oversight. So stop doing so with your technology coordinator.

This raises an important point. With great power comes great responsibility, and there is a group in schools who have a lot of power. Whatever you might think of your Network Manager or Technician, of your LA Support Manager or even the Academy Technical Director (I will generically use the term NM to cover these and similar positions), how they have gained power / ownership / responsibility / control will be so varied it would take several posts to pinpoint which applies to your case. We would also end up talking about stereotypes and pigeon-holing people.

In reality it is rarely for it to be one reason as to why a single person might be making major decisions which affect a wide range of people, and it would be wrong to always assume malice, arrogance, superiority complexes on their part. It would also be wrong to assume the ignorance of senior managers in schools, apathy of staff, poor funding and poor communication. However, I am sure all of the above would sound familiar to many.

Instead, let us look at the idea of responsibility and accountability.

Yes, the NM is likely to be the expert in the field as to what technology can work, how it can work, how to support it and so on, but the requirements which set out what technology is needed should not be set out by a single person, but by a group of stakeholders working out what is best for the school (or schools if part of a larger group). This involves planning, communication, compromises, compliance (with laws, local and school policies, etc) and it will require targets / outcomes. This is where the oversight and accountability comes in … and it doesn’t just apply to the NM. It is needed … and should be in place.

And this is where we hit a number of problems.

Firstly you might be in a school where there is no communication, planning, team-working, etc and so someone has to effectively be a visionary, trying to guess what is needed or to lead on the choice of technology, almost in a single-minded way as nothing would happen without this. This can effectively place all the power and control with a single person with no oversight. This is not specifically their fault, and Scott’s point, in my eyes, appear to be a shout out to Senior Leaders in schools to wake up, stop relying on a single person and to make it more of a team effort … not a call to snatch back power from someone else.

Within the UK there is a standard for IT Support (based on industry standards) called FITS. This clearly sets out how the NM, Senior Leaders and other stakeholders can establish the targets, hold people accountable for delivering on projects / work and set out the standards by which systems will work, how changes will be decided and managed, how choices of technology can be made and how this can be measured against the desired impact.

To Block or Not to Block, that isn’t the question!

With kind permission I am reposting Scott McLeod‘s ‘Dangerously Irrelevant’ Blog Post about 26 Internet Safety Talking Points.

I hope to then follow this up by looking at each point (one a day perhaps) to strip it down and look at both sides of the point.

—————–

For Leadership Day 2012, I thought I would gather in one place many of the talking points that I use with principals and superintendents about Internet safety…

 

  1. Even though they may use fancy terms and know more than you do about their domain, you never would allow your business manager or special education coordinator to operate without oversight. So stop doing so with your technology coordinator.
  2. The technology function of your school organization exists to serve the educational function, not the other way around. Corollary: your technology coordinator works for you, not vice versa.
  3. Mobile phones, Facebook, Wikipedia, YouTube, blogs, Wikispaces, Google, and whatever other technologies you’re blocking are not inherently evil. Stop demonizing them and focus on people’s behavior, not the tools, particularly when it comes to making policy.
  4. You don’t need special policies for specific tools. Just check that the policies you have are inclusive of electronic communication channels and then enforce the policies you already have on bullying, cheating, sexual harassment, inappropriate communication, illicit behavior, etc.
  5. Why are you penalizing the 95% for the 5%? You don’t do this in other areas of discipline at school. Even though you know some students will use their voices or bodies inappropriately in school, you don’t ban everyone from speaking or moving. You know some students may show up drunk to the prom, yet you don’t cancel the prom because of a few rule breakers. Instead, you assume that most students will act appropriately most of the time and then you enforce reasonable expectations and policies for the occasional few that don’t. To use a historical analogy, it’s the difference between DUI-style policies and flat-out Prohibition (which, if you recall, failed miserably). Just as you don’t put entire schools on lockdown every time there’s a fight in the cafeteria, you need to stop penalizing entire student bodies because of statistically-infrequent, worst-case scenarios.
  6. You never can promise 100% safety. For instance, you never would promise a parent that her child would never, ever be in a fight at school. So quit trying to guarantee 100% safety when it comes to technology. Provide reasonable supervision, implement reasonable procedures and policies, and move on.
  7. The ‘online predators will prey on your schoolchildren’ argument is a false bogeyman, a scare tactic that is fed to us by the media, politicians, law enforcement, and computer security vendors. The number of reported incidents in the news of this occurring is zero.
  8. Federal laws do not require your draconian filtering. You can’t point the finger somewhere else. You have to own it yourself.
  9. Students and teachers rise to the level of the expectations that you have for them. If you expect the worst, that’s what you’ll get.
  10. Schools that ‘loosen up’ with students and teachers find that they have no more problems than they did before. And, often, they have fewer problems because folks aren’t trying to get around the restrictions.
  11. There’s a difference between a teachable moment and a punishable moment. Lean toward the former as much as possible.
  12. If your community is pressuring you to be more restrictive, that’s when it’s time to educate, not capitulate. Overzealous blocking and filtering has real and significant negative impacts on information access, student learning, pedagogy, ability to address required curricular standards, and educators’ willingness to integrate technology. It also makes it awfully tough to prepare students for a digital era.
  13. ‘Walled garden’ online environments prevent the occurrence of serendipitous learning connections with the outside world.
  14. If you’re prohibiting teachers from being ‘friends’ with students online, are you also prohibiting them from being ‘friends’ with students in neighborhoods, at church, in volunteer organizations, at the mall, and in other non-school settings?
  15. Schools with mindsets of enabling powerful student learning usually block much less than those that don’t. Their first reaction is ‘how can we make this work?’ rather than ‘we need to keep this out.’
  16. As the lead learner, it’s your responsibility to actively monitor what’s being filtered and blocked and to always reconsider that in light of learning and teaching needs.
  17. If you trust your teachers with the children, you should trust them with the Internet. Addendum: Mistrust of teachers drives away good educators.
  18. If you make it too hard to get permission to unblock something, you might as well not have the option in the first place.
  19. Unless you like losing lawsuits, remember that students and staff have speech and privacy rights, particularly off-campus. Remember that any dumb decision you make is Internet fodder and has a good chance of going viral online. Do you really want to be the next stupid administrator story on The Huffington Post?
  20. When you violate the Constitution and punish kids just because you don’t like what they legally said or did and think you can get away with it, you not only run the risk of incurring financial liability for your school system in the tens or hundreds of thousands of dollars but also abuse your position of trust and send messages to students about the corruption of power and disregard for the rule of law.
  21. Never make a policy you can’t enforce.
  22. Don’t abdicate your teaching responsibility. Students do not magically gain the ability at the end of the school day or after graduation to navigate complex, challenging, unfiltered digital information spaces. If you don’t teach them how to navigate the unfiltered Internet appropriately and safely while you have them, who’s going to?
  23. Acceptable use and other policies send messages to students, staff, and parents. Is the predominant message that you want to send really that ‘the technologies that are transforming everything around us should first and foremost be feared?’
  24. Imagine a scale with two balancing pans. On one side are all of the anxieties, fears, barriers, challenges, and perceived problems that your staff, parents, and community members put forth. If you want effective technology integration and implementation to occur in your school system, it is your job as the leader to tip the scale the other way. Addendum: It is difficult to understand the learning power of digital technologies – and easy to dismiss their pedagogical usefulness – if you are not familiar enough with them to understand their positive affordances.
  25. In a hyperconnected, technology-suffused, digital, global world, you do your children a disservice – and highlight your irrelevance – by blocking out our present and their future.
  26. Educating is always, always more powerful than blocking.

BONUS 1. Elsewhere in your state – perhaps even near you – are school districts that have figured this out. They operate under the same laws, regulations, rules, and procedures that you do. If they can be less restrictive, why can’t you?

A huge thanks to everyone who has influenced my thinking and my writing in this area, including folks like Doug JohnsonSylvia Martinezdanah boydWill Richardson, and Tina Barseghian. I’m sure that I’ve forgotten a few talking points that I’ll just add later. Which one is your favorite (or least favorite)? What would you add to or change on this list?

For other Leadership Day 2012 posts, see the complete list of submissions and/or#leadershipday12.

And the winner is … iOS6

Today was another peak in the circus of an Apple Fanboi!

The Apple World Wide Developer Conference always has some interesting things to see and today’s keynote was no different. There will always be some hype, some disappointment, some pragmatism and some anger … and different people will feel it about different things, even within the realm of Apple Fandom.

To be honest, there was nothing which was too unexpected. We saw some hardware improvements in the Pro notebook range, tweaks in the consumer (albeit expensive consumer) notebook range and a some other hardware updates didn’t make it into the keynote but have come up on the Apple Store. Until we see the new kit in the hands of testers and real people it is hard to say what difference they will make but two key items on the top end MacBookPro are likely to be spoken about a bit … access to 2 Thunderbolt ports give you high speed I/O to a range of devices, from displays, external RAID enclosures, adapters for Gigabit Ethernet / Firewire 800 / fibre channel and a range of capture devices … and you still have a HDMI port for a second display and video output anyway. Couple that with the Retina Display and you have a device for video editors, photographers and so on … giving them one of the best graphics experiences for seeing their work. Of course, the debate goes on about whether some people can notice the difference with screens of this high calibre, and whether this is a marketing gimmick … and so we will have to wait to see what it is like when people start using the machines in anger.

We saw a raft of features spoken about with Mountain Lion, the next incarnation of OS X (no longer even called Mac OS X … a disappointment to those of us who paid for the original Mac OS X Beta). A number of these have been covered before as we are now on Preview Release 4. The strength which appeared to be taken from the new features seemed to be the accessibility tools (dictation, etc) and the portability of your personal settings to other devices. We have already seen the push for iCloud and how this links with Photostream between your devices … and this increase with iMessage, Notes, Reminders, Sharing and so on …

The key areas I am looking at with Mountain Lion are around AirPlay and Notification Centre. As someone who has a lot of inbound information streams there are some tools I use to manage this, but Notification Centre looks as if it could make a big difference for me.

And then we get onto the area that everyone was waiting for … iOS6.

With no formal announcement of an iPhone5 we are all looking to see what the new OS will do on existing hardware. Although we were told it would work on legacy devices back to iPhone 3GS, 4th gen iPod Touch, the iPad 2 and the new iPad (and yes, that is how Apple term it on their site) we do not know how much of the functionality will work. Siri will work on the new iPad we are now told, but will it work on the iPad 2? I doubt it … in the same way it doesn’t work on an iPhone4. A lot of the updates make more sense for the iPhone and iPod touch than the iPad. Moving from Google to Apple’s own Map service, Passbook for holding electronics tickets for cinema, flights, etc (possibly a lead into Near Field Communications [NFC] for using an iPhone for payment services?), improvements in how you manage incoming phone calls and notifications (it has only taken them a few years) … but the accessibility improvements have also seen me amazed that Apple appear to have really understood a need on the iPad. Enabling a parent / carer / teacher to only allow one app on a device as well as restricting touch input on particular parts of the screen seem to be encouraging using iOS devices with children. Engaging them whilst not overloading them.

An area of concern is the increasing integration with Facebook … as much as I generally trust Apple we are now in the situation where the ever changing preferences on Facebook will also have to deal with how that is applied with iOS too.

There is a lot to take on board with it all and I would recommend people watch Tim Cook take the keynote, if nothing else to see the difference between him and Steve Jobs, as well as a lengthier demonstration of all of the above.

As for what it all means for schools and education …

Hardware – Apple personal computers (desktop / laptop) are expensive. They can work out good value if you buy the one which is right for your requirements and you know how to get the most out of them, but in the present times of austerity this is more and more difficult. It seems to be that more schools are going down the mobile device (iOS or Android … and eventually Windows 8 !) and this is understandable. The lack of a decent server in the Apple hardware range does show that management of any Apple Device is not taken that seriously (IMHO) by the folk at Cupertino. A disappointing comment to make, but one many experienced Mac Sysadmins would agree with.

Mountain Lion – Again, the lack of mention of how the Server tools will work means that it will be interesting to see how the devices fit into a school environment. The increased emphasis on a personalised device, with settings and information following you around via Apple’s iCloud, means that there could be clashes in an education environment. The major bonuses for me come in the way of Airplay as a means of ditching the Interactive Whiteboard (until you are ready to make the most of them) and tools such as Dictation.

iOS – Again, the emphasis on a personalised device does work well with BYOD, but the increasing number of schools I speak with who only see the shiny nature of it or the cost cutting side … iOS6 will do little to improve or support the use of BYOD over iOS5. Until we look at the management tools and what settings can be applied to encourage best use of the devices … then we should still plan on making the most of iOS5. Siri is a major improvement, but like all information services (google search, wikipedia) information on its own does not give you understanding and knowledge … so we have to understand the most appropriate use (teachers before technology folks). Accessibility will be an interesting area to work on and develop, and how we make the most of personal devices as a tool and not as a cheap (or expensive) gimmick to generate engagement for the sake of it.

I am trailing Mountain Lion on my work MacBookPro (starting to get on a bit but should be serviceable) and will put my thoughts on this blog as I discover things I like or loathe, or if I spot things that could be fun in the classroom, or things which could help a teacher or SLT change / improve their working life.

I will also be testing iOS6 on an iPad2 (my own one) to see what apps do and don’t work, to try to see if we can lock it down and tweak settings, and to see if there are restrictions on some functionality … hopefully helping people work out whether they need to go for the new iPad or if they can get away with a cheaper iPad 2.

If you have any particular areas you want me to test or try out then let me know. You lot are going to be more inventive than I am for a lot of this because you are pushing the limits in class already.

The Data Protection Interlude – Apple

And so I take a quick interlude from my look at the recent Apple Workshops to think about a few queries some schools have raised in the last few weeks about Apple and Data Protection.

When it comes to their OS X devices (desktops and laptops) Apple have had some built in encryption for some time. FileVault was introduced in Mac OS X 10.3 and used to just encrypt user files. Not a perfect solution but the introduction of FileVault 2 in Mac OS X 10.7 (Lion) we now have a solution to encrypt the whole drive. The ICO has raised the need to encrypt laptops so if you have personal data on your MacBook then you should seriously look at FileVault for encryption. There are other commercial offerings and solutions which cover a variety of platforms, allowing for better audit and control … but yes, there are going to be at some cost. In the same way that BitLocker is a fantastic way to deal with the issue on Windows 7 laptops (which has been blogged about by the Microsoft Education UK team) then it is good to consider making use of the built-in tools provided by Apple.

When we come to Apple’s mobile OS, iOS, and the newer devices being used (iPhone 3GS and later models, all models of iPads and iPod Touch 3rd gen and later models) then these are all capable of going onto iOS 5. By default these devices make use of hardware encryption. Apple say, “Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode. This provides an additional layer of protection for your email messages and attachments. Third-party applications can use the data protection APIs in iOS 4 and later to further protect application data.”

The growing use of iOS devices as tools for Senior Leaders and teachers in schools will mean that sensitive emails and files are likely to be on these devices and so you need to take appropriate action to protect the data.

Apple do have a larger paper about iPad security and from my perspective it boils down to a few key facts.

1 – Set a passcode on your device. This will mean that should someone repeatedly attempt to get in then it will be wiped.

2 – Don’t rely on a simple passcode. Whilst it is nice and easy to have a simple code of 4 numbers, it is not exactly secure. You wouldn’t have a password of 4 characters for your desktop or laptop to log into your school network so why do it for a mobile device? If you look at your iPhone and check the pattern of smudges where your fingers type you can see where you enter it in … and the direction of the smudge can make it easy to guess. Other mobile OS have a similar problem so it is nothing new.

3 – If you are using smart covers on iPads then make sure that you turn off the feature to automatically unlock when you open the cover. This sort of defeats the object of security. Fine for classroom devices but not for those with personal / sensitive data on.

4 – Tools such as the iPhone Configuration Utility (ICPU) allow you to create a profile for devices to change some of these settings. If you are creating settings for school devices or to allow devices to connect to school systems then you should look at this to force improvements. This will include password length, complexity, Autolock time period (I have mine for 1 minute and the maximum number of failed attempts to login before the device is wiped (mine is set to 4).

5 – Remote wipe should be available … either via management tools within the school or if a personal device then via iCloud with Find My iPad.

Not an extensive list of how to deal with this and there are some other really pod guides out there, but hopefully this gets more people considering how they use Apple mobile devices and take a bit more care.

(image : Padlock by Marc Kjerland CC BY-SA 2.0 http://www.flickr.com/photos/marckjerland/4254099567/)