Category Archives: eSafety

My issues with BYOD

Firstly, let me state that I am an advocate for BYOD and anything else which gets more technology into the hands of learners so that it can be used *where appropriate* and that will also include some work to help SLT, Teachers and learners understand when it can be appropriate. As part of that I love to see the blog posts, articles, videos from folk at Microsoft, Google, Apple, Learning Without Frontiers and many, many more.

My first issue is around the shiny tech syndrome … the same issue that cropped up with IWBs and many other fantastic tools. You hear (or experience) a school saying “School A is using technology X and has fantastic results and we sort of understand why so *we* have to use it to!” and yes, I know this is a bit of a generalisation but we can all understand how it happens, the hard work folk involved have to put in to make it work as a result and that by some more careful thought it can be the success we all know it should be. This applies to so many different things in schools (and other sectors) so it is not just a technology thing. Having to think and plan about something can be mundane and boring but it can be, for your school, the thing that makes the difference. It is worth saying that not all schools need to plan as much as others … some schools have a culture of adaptability and innovation … and so can pick things up that bit quicker … going from a trial to full implementation with far less work, less planning, more trust between people involved (an important factor) and get wonderful outcomes. When trying to think of something to equate it to I tend to think how would a school deal with having to teach every lesson in song. If you think your school could adapt and change, very little training, understand the benefits … then this could be a sign you could go to BYOD with little educational pain.

And this gets to my second issue. BYOD and consumerisation of IT is wonderful. It puts good kit and tools in the hands of people who will make good use of it. There are barriers to this and some are practical, some are educational, some are technical and some are legal. This is where those schools who spend more time planing might be better off.

Let us deal with legal in this post … and this will not be a comprehensive list, will not form any sort of legal advice and should not be considered as a reason to go for BYOD or not to go for BYOD … merely a pointer for starting conversations with the relevant professionals who you would normally go to for advice and instruction (hopefully that covers my backside!) … so please take it as such. There are lengthy eSafety Law in Education discussions which can be had around the use of technology, online tools, walled gardens, etc and these should be considered. I cannot find a comprehensive list of what this involves other than schools should apply with the laws with regarding safeguarding … but I know that it will cover (and not a full list) The Education Act 1996, H&S legislation, Safeguarding Vulnerable Groups Act 2006, Common Duty of Care … as well as other legislation in place to deal with bullying, physical and mental harm.

And then you get onto what some regard as the mundane aspects of legislation … and whilst we have mentioned H&S already we do have to come back to that when we consider the problems some schools used to have with trailing wires in the early 1:1 laptop schemes … not so much of a problem now with mobile / handheld devices but not everyone will be bringing in iPads / Android tablets … there will be laptops, netbooks, ultrabooks … and devices will also need some charging during the day as learners forget to bring them in fully charged or as the battery slowly burns out. This also steps into the practical aspect so we can leave it there for the moment. The next bit is about security. As much as we might not like the idea, we have a responsibility to ensure that all the data, the personal information, the work created by staff and learners, the services that are provided in the school, the machines we work on each day and the devices we connect on the network are safe, secure and there will be no loss or damage.

When any device connects to a system there are both legal requirements and usually terms and conditions for that connection. With your phone it is the contract you sign and the law of the land. You are not allowed to disrupt communications, misuse data, use communications maliciously, etc as points of law. You then also agree a contract to say you will follow the rules of who you connect to … which includes the above laws (and more) and also things like the amount of data you can download / upload, damaging the name of the firm, etc … and in schools the contract *has* to be signed by the parent as a minor, as has been pointed out to me a few times recently, holds no or minimal legal power. To some extent this is similar to school rules though … but this means that you *have* to consider the damage which could be done. You might not allow some children to connect devices to the school systems due to previous actions in the same way you might not allow some children to use sharp knives in DT lessons due to the previous damage they had caused (which, technically, would be criminal damage and that is something you can hold against some children as a criminal offence … but how many schools do prosecute!)

So, we have covered the idea of a contract and that there are legal requirements for a safe system. This includes protection of data loss / damage, viruses, use of the school systems to launch attacks against other networks. As much as we might want to think that these should just be covered by who ever does your tech support … the buck stops with the Head and Chair of Governors. When schools have lost data and had to sign Undertakings with the ICO it is the head and Chair of Governors who have to do it … and it is their neck on the line for the fine and even jail.

I recently asked a group of schools about what laws they have to follow to run a school network, what standards are out there for this and who would they go to for advice. Majority of SLT put the onus on their IT Support (either in house or contracted) and even those who accepted that they could not devolve the responsibility (it is only ever shared) they had to accept the limitations of what they could reasonably manage to cover themselves.

Personally I would love to see a legal review of what it takes to run tech, including BYOD, in schools. It is worth saying that none of the above should put anyone off … just show them the areas that need dealing with and I hope to cover a few more areas (technical / practical) in the next posts.

A summary then. No matter how much we all want to focus on the inspirational benefits that BYOD brings, we also have to fact a few realities that it is like any other change a school faces. It has to be done for a good reason, has to be planned and has to take into consideration legal boundaries, operational requirements and a lot of the other boring stuff. Educational benefit is not a magic want that will sort or over-ride the other stuff … just a really good reason for putting the effort in to sort it in the first place.

So, what would folk like to see next?

A breakdown of managed wireless?

Dealing with proxies?

Day to day operation in schools?

I am open to ideas and information … I don’t have the answers and I am always looking for others to share what they have done so far and the lessons they have learnt.

Tech Support – By Schools, For Schools

I know some of you might already recognise the phrase including in the title, as it is a central tenet of the ICT Register, but the same ethos is wide spread within the education community. It doesn’t matter whether you are talking about school staff getting together at TeachMeets, having in-depth discussions via twitter though things like #ukedchat, online communities such as EduGeek.net or more local groups such as NorthantsBLT the growing role of schools taking ownership of their advice and guidance and how they share it with others is a very important part of how schools need to react to recent changes which have come out of DfE.

Many of the above are free … well, when I say free I really mean that they are paid for by people and schools using their own time for the benefit of others because they get the same sort of response back, or it is a bit of educational philanthropy on the part of others. This is brilliant in many ways, but can make it difficult to plan for sustainability. Also, there is nothing wrong with paying for advice, guidance, ideas, expertise, etc. There is often a saying used, “you get what you pay for!” and this is very true. People forget that the payment is not always cold, hard cash, but time and your own expertise … and when time, expertise, capacity and ideas are running short then people face the reality that paying for something is almost inevitable.

And this is one of the areas where I think some schools do it wrong. It shouldn’t be that paying for something in cash is the last option, it should be considered an option from the very beginning when you are planning what you need, what your goals are, how your school will develop / deliver things like CPD, technical support, parental engagement, etc.

Technical Support is a perfect example of where failing to plan can result in staff in the school, both techie and teacher, having to scrabble around to find information and guidance. I have been preparing a number of reports around the use of Framework for ICT Technical Support (FITS) within Northamptonshire schools and conversations with schools who have staff trained and accredited against FITS has shown what a difference planning makes. Except that it doesn’t just stop at the school gates. A number of schools are actively involved in supporting other schools. This will range from Lodge Park Technology College being actively engaged with the ICT Register and Microsoft’s Partners In Learning, Sir Christopher Hatton School providing support on Microsoft training courses and technical support to local schools, Wrenn School providing technical support to local schools and staff being active in online communities such as EduGeek.net, and both The Duston School and Southfield School for Girls providing staff time and expertise to chair local working groups such as the Schools Broadband Working Group and NetworkNorthants (the local IT Community for technical staff in schools and school support providers). Some of this is for free (i.e. no charge to others) but some of it does have a cost and is well worth it.

Having another school cover your tech support or provide advice around it has some major benefits. This can range from educational understanding and expertise, through to experience of deploying some education specific technologies. Couple this with easy access for teachers to talk with teachers, SLT to talk with SLT, you can having a winning combination.

So I was please to see, over the weekend, a tweet from a friend on the south coast. Tim Dalton is the IT Consultant at The Wildern School, the school which runs its own TV Studio (BBC Schools Report), has previously run YouTube style services for other schools, has developed advice and guidance on using media technologies in schools … and much more. Tim put a tweet out letting his PLN know that they are doing it again, taking their expertise and bundling it up for others. This time it is is punnet; a support, development and advisory service for other schools. Whether it is hands-on, regular tech support, development of software and applications for schools or advice and guidance around classroom use of technology and school strategy, Wildern hopes to be able to cater for your needs.

Yet another example of By Schools, For Schools …

Do you have more examples? Are you involved in similar to the folk at punnet or the other schools mentioned? Have you spoken with other schools to share ideas, expertise, tools and goals? Go on … now is your chance.

Have really asked all the questions you need to about online storage?

File System by iBjorn

Because I have a background of being involved in discussions around data protection I sometimes get a prod about online storage and web 2.0 tools. Over the last 6 months I have had quite a few over online storage options, but I have never really stuck down on (electronic) paper what my concerns are and why I have them.
There are a few concerns I have, some centre around ownership of files and data, some around data protection and some around management of the tools.

Online storage often comes under attack over IPR of images, concerns about control, heated rants about how company x is making use of *our* files / photos to generate revenue on a free service, etc … and we only have ourselves to blame for not reading the T&Cs fully, for not keeping abreast of changes to the T&Cs (though some companies make life extremely difficult to find the changes or contribute to those changes) and for not accepting that if we take part in a free service then there are likely to be limitations and issues. We take on that risk ourselves and we need to accept some responsibility for that. Whether we are talking about LinkedIn using profile photos of members in their marketing by default, changes to FaceBook privacy options, changes in security / ownership when companies merge products … there have been so many times when the masses rise up indignantly to protest and then rush around making changes and, in the worse cases, swap services … and yes, I have been there, expressing my frustration too.

This is increasingly important if we are asking children to make use of these tools as we are being trusted in our judgement and selection of these tools … after all not all children, across the broad age range we have using these tools, are emotionally, intellectually or perhaps even legally in a position to make some of these choices on their own … but that is a discussion for another time probably.

But discussions today centred around online storage, and in particular the growing use of DropBox to remove the need for USB memory devices. For those who have not come across DropBox.com, it is a an online storage system which will synchronise selected folders from one or multiple devices to an online repository. Folders or sub-folders can be shared for automated synching with other users, making it a fantastic tool for collaborative sharing of files and materials. There are a number of other tools like this ranging from Microsoft’s SkyDrive, shared document libraries in Sharepoint, Moxy, Box.net, ADrive and many more. DropBox and SkyDrive are both free so that is why you will see them in heavy use … especially in education. Free comes with limits though and sometimes that can be the amount of space, sometimes the SLA doesn’t really exist and sometimes there is a lack of control over certain aspects of functionality or how it changes.

When it comes to DropBox though, my main concern is that users are significantly at risk of breaching the Data Protection Act and they don’t even know it. This is especially important right now as it is being recommended to NQTs who might not know any better … let’s face it, there is not that much about Copyright law, Data Protection and IPR within teacher training and, from what I have seen and been told, there is a presumption that this is covered within schools by school policies … and we all know how wonderful many schools are for having decent Data Protection policies and explaining them to *all* staff.

I know that my blog is read by a wide range of people so I just need to go back a little to cover an aspect or two of the Data Protection Act. The DPA has 8 principles, which are pretty self explanatory and the 2 most important principles to look at for this conversation are 7 & 8.

If we start with DPA Principle 8 first … this about where data can be stored, moved through, processed, accessed, etc. And this is the first place we fall down with DrpoBox. There is an ongoing query that has never been fully answered about whether DropBox.com is compliant with this.

Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Now, what this means is that if you use your online storage and sharing to move about or access anything that can be deemed ‘personal data’ (which for teachers can range from pictures of children, their personal details, information about their progress, medical information and so on) then you have to do it within the European Economic Area or other countries where we have set agreements. With the US this is called the U.S. – EU Safe Harbor and there is a list of companies who have been certified with this and across what aspects. It is important to remember that being certified is only part of this … the specifics of what has been agreed is equally as important and that will differ from company to company. I have previously commented about iCloud and Apple before to reflect this.

When you look at the list you will spot that DropBox.com is not there. When you dig through the T&Cs for DropBox you will find that they use Amazon for their storage facilities … which is good … Amazon *are* on the Safe Harbor list so that seems to tick the boxes … apart from they don’t say that they will only ever use Amazon and they don’t say how they use them, and what agreements they have in place. Ah … so we are back to square one then.

I have asked the question twice now of DropBox.com and not even had tickets opened. There is a discussion at the moment about this on the forums and still no definitive answer.

To deal with this I know some users of DropBox will make use of other security solutions to bolster how they deal with DropBox. This involves using an encryption tool to create a secure folder / file which is then synchronised via the only service. A common tool for this is TrueCrypt and that works fine at a technical level … meeting the criteria of DPA Principle 7, where you are taking suitable technical measures to ensure the security of data … but the principles are not pic and mix … you have to meet them all. Right now I use an encrypted folder on Dropbox for my non-sensitive files (so only I and others I trust can access them) and do not use it at all for sensitive items.

For sharing pictures for stimulus with others (teachers / children), for sharing videos, etc, especially cross-platform and when using apps on mobile devices, then I can see that it will be fine for use in UK schools … but for staff to share in general … no … not yet.

SkyDrive does meet the criteria as the data centre used is in Ireland, but it is still worth thinking carefully about what you are sharing with others and how.

Article published on EduGeek.net and copyright to EduGeek.net and Tony Sheppard

Image : File System by iBjorn (CC BY-SA 2.0)

Can you ever have too much of a good thing?

Well, it looks like you can.

I’ve recently been tracking down a number of web 2.0 tools to ensure I register / protect my online identity. I am known as Tony Sheppard and as GrumbleDook with such equality online that it is hard to separate the two. However, since there is a rather good Jazz musician called Tony Sheppard I have opted to protect my identity as GrumbleDook.

IMG_0934

Most people recognise my avatar or variations of it and I am always looking for ways to tweak it a little, make it more interesting or relevant, but without losing the importance of this being my online representation.

However (and there is always a however), I am not the only GrumbleDook out there … and I was recently castigated via email for some comments which had been made by someone else. At this point I had to spend some time explaining that I am not an online poker player, I am not an urban photographer / artist, I am not American, I do not live in Brighton / Watford / Washington / Phoenix / Sydney / Hong Kong, and I have never played in a brass band.

The fact that all of the above can be found to be linked to 7 separate individuals and I am not any of them made me wonder that because I do have a goodly number of the related domain names, I have registered accounts for a large number of web 1.0/2.0 accounts under the name of GrumbleDook and I am more often than not the person who appears in searches for GrumbleDook in the search engine of your choices … it is not surprising that someone might presume that all GrumbleDooks are actually me … especially as some are pretty techie related too!

I have spoken with people before about protecting your online identity (having had a student in an earlier school once register an account with an online service as they knew my online nickname … and having to deal with the fall out) and I still believe that it is important. The idea of a person as a brand has been spoken about by people far more knowledgeable and eloquent than me … but if I ever want to operate as a business, or ensure that anything I publish to the ‘net is recognisable as mine then it is something I have to keep up with.

I have come to the conclusion that although we may put a lot of time and effort in establishing our presence online, there are limited ways you can do this and there will always be confusion. I would also recommend that, where possible, you identify where the other people are who may share some aspects of your identity and if you can come to some sort of arrangement then it makes it better.

Will the world end if I don’t manage to ensure that *I* am GrumbleDook on particular services? No … I missed out on Facebook, there are many forums out there with GrumbleDooks on, I don’t have all the domains registered … yet … and I also have to remember that I have taken the name based on a character in a popular comedy (though not many people like the first series … some the joke is lost on many) … and so I do not have an exclusive right to the use of it.

There are examples of parents trying to do similar as I have done from when their children are born … and whilst I can understand this, I also have to point out that part of establishing an online presence is also about the social aspect of life. Many people will grow and change over the years … a number of friends and colleagues have changed their online presence over the years, rebuilding their identity. For me, I would find this difficult as my personal and professional identities are closely linked. I also believe that trying to change a personal identity is difficult but can understand the need at times to do so.

Where does this leave me now? I have a number of business tools I am starting to evaluate (including Office365 and Google Apps), and for me to continue with the professional brand of GrumbleDook, then I have to ensure that I get in there first with such tools. The grey areas come when we look at Social Networking tools … as I would consider many of these as professional tools, but others might consider them as personal tools.

Over the coming weeks I am going to be updating part of my blog to incorporate other tools I am trying to I will start using my ‘About’ page to say what is me … and even create a page to say when it is not me.

I would be interested in how others have approached some of these issues (even from fellow GrumbleDooks), with both the good and the bad in life.

With Great Power Comes Great Responsibility

After a wonderful day before half-term, running the Safeguarding Through Technology day for NetworkNorthants, I am brought home to the reality that there are many risks out their for people on the Internet, never mind children.

With the high profile news of Mac malware in the wild including variants coming in, that rely on users agree to stuff being installed (well, Macs are impervious to viruses, aren’t they?), more conversations about schools wanted raw Internet feeds because they don’t want to be dictated to about filtering policy by the LA (even though the provided solution *can* do what they want, they are happy to pay out for a perceived sense of control), lengthy discussions on online groups about legal liabilities … And believe me when I say that the idea of risk management around this can be a minefield!

But there is light at the end of the tunnel for people. With the right combination of tools you *can* make things more flexible and allow it to work for the school. Now, please note that I am not saying that by choosing certain products you can legally protect yourself about everything or that certain products are better than others but let us just run through some basic concepts and you can ask yourself what tools will fit you best.

And let us also not forget the NEN eSafety matrix to help you too .. And the CEOP resources … And Digizens … And ChildNet.

So … Ready to start?

Ok … Let us look at the safest option. No Internet at all! Well… it is the safest option … or you could say it is safest for the school. For this you are looking at a system which is, by default, set to only allow authenticating staff onto the internet. Some schools do have this and find it acceptable. Not many and it is as bad as the idea that by having a posy of flowers under your nose you will not get the plague when you step outside! Some schools can work like this though, with all interaction with the internet through staff accounts, on staff controlled devices and staff clicking the buttons. It’s doesn’t help that children that much when out in the real world, but is an approach which, educationally and technically, can be made to work. This all tends to be done using filtering technology, so that when the internet feed comes into a school it will have already gone through a filter which restricts things or a filter sat inside the school

Then you have the limited access options. First you can go down whitelists, having set of known, good websites. This can be delivered though filtering products or many of the classroom management tools. A teacher can set internet access only to particular sites and the client on the workstation will block everything else, or the filter will. The classroom tool is handier for the teacher, but the filter solution is less prone to errors.

Then you start into the controlled access options. The first one we can look at is the application of filtering solutions. This can be based on particular devices (classroom machines get one set of filters but staff laptops get another), it can be based on blocks of users (all year 5 pupils get one type of filtering but year 10 get something different), it can be based on individual users when they log in (so that two year 10 children can get slightly different access as one studies Art and needs access to some images of nudes yet the other doesn’t but studies Computing so needs access to sites containing scripting codes).

Some filtering options can have combinations of all of the above. Some solutions allow for control by time (give more access to online games during lunch), some can tie in with particular systems … such as groups within the Active Directory (whilst a child is in the ‘Art’ OU they get particular settings) … and some can be controlled by the choice of a teacher / administrator at a give time.

Then we can look at monitoring and reactive solutions. Some desktop solutions will monitor keywords and respond accordingly. They might take a screenshot and block access, they might send an alert to a member of staff, they might simply log what has gone of for review later. You can then take a more ‘classroom management’ approach.

Classroom management is always going to be the most effective way to ensure learning is taking place, as well as ensuring the safe use of computers. A member of staff with access to see and share the desktop of their pupils and students gives so much more control to the teacher. However, the most common use of this is to see if children are off task. This is a poor use of these tools. Sharing desktops, passing control around the class so that they can provide support to each other, demonstrating learning to their peers … these tools can do so much more that police the network!

And in reality, a combination of filtering and carefully chosen classroom management tools works best. For some schools you are looking for stuff that logs activity to deal with specific problems (bullying, abusive language, etc) and in others you are looking for tools to share and control desktops. Combined with flexible filtering solutions which can be targeted to support where needed, then you have a well covered school, which is managing the computer and internet usage by staff and students.

And this is before you get to some of the other benefits. Some classroom tools can support the management and maintenance of your computers. Rolling out software and patches. Monitoring your inventory. Deploying system changes. Print management. File management. Some of these you might already have, but look at all the functionality. It might be better to have the functions over a number of solutions, or it may be best to consolidate it all in one pot.

There is never going to be a single right or wrong answer. A school will have to look at the options and pick what works best for them. It has to be based on what provides the legally required protection of children, it has to provide a solution which is economically viable to produce and support, and it has to help children learn their boundaries, to give them the skills to look after themselves in the outside world.

The Cloud Is The Future

Yes … the conversation is coming round to the same thing once again. This time it is sparked off by the Apple WorldWide Developers Conference in San Francisco. With all the stuff that has gone on, it is not surprising that Apple would make some changes about how their software interacts with each other, about how they can get a bit more buy-in from their users and how they can make sure they grab back some ideas from other companies.

And true to form, Apple have come up with a number of things, lots of good stuff, but a few things which makes me take a step back and think about how it will hit schools. Of course, this is just a first look at what the offerings are and the fine detail might make a world of difference.

So, going through the keynote timeline, Apple discussed OSX first. It has been around for 10 years now (and yes, I did pay for the beta and then paid for the released version, but I also pay for a technet subscription and regular make use of beta OSS too) and there have been many changes during that time. The change in hardware (when hell froze over and Apple move to Intel) allowed a step change in how powerful the Apple computers were but for most of us it has been smaller, less spoken about changes that have made a difference. The introduction of multi-gesture on track pads was a little thing, but those who have used the magic trackpad or magic mouse know the difference it makes. So, having all the multi-touch gestures we have come to know and love seems a good thing, especially if they are improved and tweaked.

The use of the Mac App Store to deliver Apps is quite a handy thing, and the automated syncing and updating of Apps between devices will make life easier for many with multiple devices, or those upgrading. And this is where I hit flaw number one in the announcements. Those of us in schools want a nice simple way of managing technology, which doesn’t create any issues for staff using it and to make sure it is secure and consistent for learners. If I am not in centralised control then this creates a problem. And it gets worse (or better if you are a general consumer) … Lion will be a download. Lion Server will be a series of add-ons and things like Profile Manager look quite good (from the limited information so far) but what is going to happen for OS deployment? What about App deployment? Patch management? IT just doesn’t seem to add up yet, and the last thing any IT Manager wants to do is to have to wait until it comes live in July before finding out what is going on … remembering that many schools will have already been planning their summer rollout. What happens when new hardware arrives with Lion on and cannot be rolled back to Snow Leopard to fit in with the present system?

Ok … there are 250 new features so the 10 shown at the Keynote don’t really do it full justice. Version control of documents, Air Drop for quick file transfer … there will be good and bad … but make sure you plan well.

And so we get to iOS5. With no new announcement of iPhone hardware we have to look just at the OS.

To be honest, there was little here that I could sing or dance about for schools. Yes, there is better integration with things like the camera can directly link into twitter, more stuff on iBooks (some good ePub resources out there, not forgetting iTunes U) but iMessage, Game Centre, Mail … nothing really to make my skin tingle … until a throw away comment. Full screen Airplay from iOS devices to an AppleTV 2. Yes … a tablet based IWB with multi-touch and a wide range of educational apps. I am waiting for the Developer site to come live again as I am likely to upgrade my Apple TV2 and iPhone to the latest builds just to give this a try. I have already mentioned to people about getting iPads (pref iPad 2 to ensure there is a camera) to hook up to projectors but this makes it even better. No doubt, there are a number of other functions which will be wonderful, but I still worry about centralised management for a class-set of devices, and some of the cloud based news later worried me even more. I am all for freedom of control of tools … but no control at all? This now puts iOS as a consumer OS, with limited business application. It also means that it will mean a lot more work for a school to look after them.

And then we get to the cloud services. To some extent the show covered cloud services throughout. The syncing of Apps, the automated updating of apps and OS, the syncing of docs … and we all knew that iCloud was coming! And sure enough, it is here. Photostream between devices and the web, most of the previous MobileMe stuff being improved / updated and given away for free (erm … what about those of us who are subscribers? Refund?) But then we have to think about the syncing of documents. Now, there is a list of companies in teh US who have signed a Safe Harbor agreement with the US Department of Commerce, and Apple do have an entry on there … and here it is.

Personal Information Received from the EU/EEA and/or Switzerland:
Online and offline customer and human resources data. Apple collects customer data during certain transactions and communications with its customers, including when users register to use Apple products and services, purchase Apple products and services, register Apple hardware and software, apply for commercial credit, and participate in surveys. Customer data is transferred from EU Apple subsidiaries to Apple Inc. (which is located in the United States) for the purposes of marketing, facilitating transactions, customer support, customer communications, improving Apple products and services, auditing, data analysis and data storage. Human Resources data is transferred from EU Apple subsidiaries to Apple Inc. for the purposes of conducting the human resources and financial management of Apple Inc. and its subsidiaries. Such purposes include, without limitation, making available documentation on personnel, administering compensation, payroll, benefits, administering stock options, bonus plans, succession planning, recruiting new employees, addressing various legal obligations concerning personnel status, data audit and error control, and tracking the use of temporary workers and independent workers.

So … can you tell me where it covers the contents of my files? And if I stick a class list (which home addresses) on my iDisk (as it is now) or have it as a doc which travels between my devices (via the Apple server farm) then I am putting data at risk in spite of the DPA saying *DON’T*! Ok … maybe I am over-reacting … but you can see my concern. Syncing stuff can be good, but there are certain issues with it. If you are in a school do you need to sync things to the cloud to pull it back down to the same school but a device being used by the child sat next to you? What about using a little of this magic to work a bit smarter closer to home? *That* is what I am more interested in …

So … first thoughts are that there are only a few things that jump out as going to make a massive difference to use by children and use by teachers. There are still lots of things that give it even more potential … but then we hit my second thoughts. This is a consumer device that is going to be a pig to try to manage for a centralised resource. This is nothing new with Apple though … and we generally muddle through … and it is just a shame that Apple, who have such a strong following within education, still seem to miss some opportunities.

As I try things out I will put up new entries … and I am eager to have suggestions about what to look at. That said … comments such as “swap to Android / Windows / Linux / Etch-a-sketch” are pretty old hat now … even if they do raise a slight smirk.

The Perils & Pitfalls of Mobile Tech in Schools

I do have the occasional rant about things. Most of the time it is down to having passion about things I believe in or it is intend to grab the attention of others to make them think. Last night at TeachMeet Midlands 2011 it was a bit of both.

I recently spent a good 30 minutes breaking down what is wrong with trying to use mobile tech in schools, the naivety of some folk, the plain stupidity of others and the frustration of having to deal with people who are just blockers, have personal ethos issue which blind them to people using particular tech or who are just plainly wasting money! The other day, when chatting with Shaun Garriock (one of the Directors of EduGeek.net) on Skype, I ran through some of these to break it down into smaller chunks.

Since I now like to give people a chance to see what I present at TeachMeets I videoed myself doing this ‘slightly longer than the official 7 minutes’ rant and intended to just play it at the TeachMeet … but as people who were there, or who watched it online, there was a tech fail. Apparently videos using Quicktime was not expected, nor using a site which needed the QT plug-in. Normally I would just upload it to Vimeo but I didn’t want to risk a problem accessing it so stuck it on my own webspace. This did play to my advantage though … as it showed haw tech can sometimes just not work. I was happy to just pick up the mic and speak … and rant … and whilst I did not get all of what I wanted to say out I tried to cover the key areas on personal devices, relying on 3G, trying to manage apps, problems with charging devices, issues with proxies, using a managed wireless network …

Below is the planned presentation (now hosted on Vimeo) and I give a solemn promise to spend some time to put together the full 30+ minutes … and I will try to break it down into small chunks to make more sense. If anyone has good examples of where things just have not worked as expected, where they are doing things which take far more time than planned, where they have had to come up with workarounds … then please email them to me via grumbledook@edugeek.net and I will try and incorporate them over time. The first thing I will talk about it proxies and wireless networks so get those stories and ideas coming forward. I hope you enjoy the video below.

TeachMeet Midlands 2011 – The Perils & Pitfalls of Mobile Tech in Schools from Tony Sheppard on Vimeo.

Red Tape or Legal Backing

I know I’ve been a bit quiet recently. This is mainly down to workload (lots of meetings), a lot if DIY (converting part of the house/garage into a home office) and bouts of Man-Flu. However, I have been inspired a bit with a new group I have been involved in over on LinkedIn.

There is a new group, for those looking at the legal position on eSafety when it comes to areas such as monitoring, logging and accessing what children are doing with computers in schools. The group was formed by a Brian Bandey, Doctor of Law specialising in international IP, IT, Cloud, Internet and eSafety Law, and he started the ball rolling with the following breakdown. It is a part of a longer report which I think will make interesting reading.

The Legality of a School Technologically ‘reading’ a Pupil’s web activity

or

“Interception of Pupil Web-Browsing”

Introduction

The question being posed is, in a sense: “What are the law-based issues over Pupil Internet-Browsing Activities being captured by desktop monitoring services.” There’s a reasonably complex network of different Laws from different spheres active over this area and they don’t apply in equal measure to pupils vs. staff. However – although the action of the Law can be summarised, it needs to be understood that a considerable amount of detail is being lost.

Interception and Monitoring

The two main pieces of legislation in the UK with regard to interception of communications (which includes monitoring)are: The Regulation of Investigatory Powers Act 2000 (‘RIPA’) and The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (‘the Lawful Business Regulations’).

In essence RIPA provides that:

–           to intentionally and without lawful authority;

–           intercept a communication on a private system in the course of its transmission;

–        unless it is done or authorised by someone with the right of control e.g. the headmaster or his IT manager acting on his authority;

–           …. is a criminal offence.

Interception is defined widely in RIPA and includes making some or all of the contents of the communication available, to someone other than the sender or intended recipient. It is thought that transmission may also cover access to both read and unread messages e.g. on a academy/school central server.

How does the School have a Legal Right to Intercept?

An obvious route for the School is to secure good evidence of Parental Consent in the case of Pupils and Employees consent in the case of Staff. For ‘belt and braces’ – one needs to ensure that authority is given by the person (internally) who has “the right to control”.

So the Law is that Lawful authority is required to intercept:

–        If there is no lawful authority then consent of the sender and receiver of the communication is needed;

–        RIPA allows some limited interception by the controller of the system without the consent of the sender or the recipient;

–           RIPA sets out the conditions under which third parties such as the police may intercept.

–        The Lawful Business Regulations are the main source of lawful authority for the controller of the system to intercept and monitor. They permit the monitoring or keeping a record of communications for purposes such as standards, national security, prevention and detection of crime, investigating unauthorized use, and ensuring effective system operation.

–        The interception must also be relevant to the business of the system controller. (NB: This is the clinching argument for Educational Establishments – since there can be no argument that Interception and Monitoring of Pupils Web-Browsing is entirely relevant to the School’s activities)

–           Every effort must have been made to tell users that interception may take place.

–        Communication which has been intercepted and contains personal data is subject to the Data Protection Act 1998. (I’ll return to this subject)

Thus, it begins to become obvious that the Interception and Monitoring by Schools of Pupils (and Staff) Web-Browsing (and E-Mails for that matter) is perfectly lawful if carried out sensibly with reference to RIPA and the Lawful Business Regulations.

The Obligation to Monitor and Intercept

This is a serious and complex subject but I must touch on the School’s obligations to actively monitor Pupil-Pupil E-Communication (I talk of E-Communication since Pupils often shuttle communications through FaceBook or BeBo which aren’t e-mails per se).

The School must simply not ignore its Common Law Obligations (the Law of Negligence) and its Statutory Obligations (the Health and Safety Acts and the Education Act 2002) to keep Pupils Safe.

Educational Institutions have a duty to ensure the safety of their students and to protect them from any reasonably foreseeable harm. Liability arises for psychiatric conditions caused by repeated exposure to obscene or offensive material when using the institution’s IT facilities.

It is also now well-established that psychiatric conditions arise for the victims of Cyberbullying.

Finally, It is also now well-established that such psychiatric conditions which arise for the victims of Cyberbullying can lead to suicide.

Data Protection Law

This is a simple issue. Schools collect a very great deal of “Personal Data “ (a term defined under the Data Protection Act) on their Pupils. E-Mails can be Personal Data and the School simply needs to treat this data like any other – that is in accordance with the Data Protection Principles.

Human Rights and Privacy Law

The Law has always recognised that Students when at School or some other Educational Establishment have only limited rights to Privacy.

Consider:-

A Teacher sees John whispering to Jane in the Class. She moves forward (unnoticed) to overhear the conversation and overhears John’s whispered (bullying) threats.

Are we really saying here that John had his Right to Privacy under the UN Convention on the Rights of the Child (to which the UK is a signatory) and the Human Rights Act 1998
(Article 8 of the Human Rights Act 1998 is the Right to Respect for Privacy and Family Life) contravened?

The answer is a resounding “NO”. So it is with any pupil communication

It should be noted that in the famous case of Copland v. United Kingdom the Court considered that the collection and storage of personal information relating to the applicant through her use of the telephone, e-mail and internet interfered with her right to respect for her private life and correspondence. While the Court accepted that it might sometimes have been legitimate for an employer to monitor and control an employee’s use of telephone and internet – the need for informed consent was paramount.

But, as a matter of Law, Children cannot give informed consent.

So we return to the overarching need for the School seeking appropriate consents from parents.

Dr Brian Badey

www.drbandey.com

It really does cover so much, but it needs a bit more teasing out for me. When thinking about the barriers to adoption and acceptance of AUPs in schools it would be helpful to identify the areas which are covered under legal grounds for children, for introducing children into what they are likely to find or have to deal with as adults and which sections are there as moral/ethical agreements between the school, the children and the parents.

I’ll try and keep things up to date on here as interesting comments are made by various people. It is also worth pointing out the use of words such as Negligence, Law, Consent as these are specific to how these words are used within law (hence why they are capitalised), yet there are many times other with reference these words with using them solely with respect to the legal meaning, but as part of context from other Acts of Law, reports, government advisories, notices of Statutory Requirements and so on.

The group is gaining a broad range of members, but it could do with a few more specialists … perhaps an expert in Child Law, those involved in safeguarding investigations and those involved with unions (to work out the impact on staff, who are being monitored by the same systems).

(Edit – I’ve updated the post with the full statement from Brian).

Establishing an ‘SEP’ field is not always the best answer!

I’ve previously written about the importance of having some understanding about Project Management within a school. Generally this has been centred around change management and communication strategies, but a recent, local project has highlighted another area that needs to be looked at.

There are a number of national systems which have some interesting security requirements, and if you have ever had a look at the requirements for connecting to a GSi family connection then you will know what I mean. Thankfully, this is a rare occurrence in schools but it does mean most schools can get away with some shocking security breaches. When I started talking to some schools about Data Protection a few years ago it scared me how little understanding there is about security with some senior leaders. It also made me realise why so few councils give definitive guidance about data protection to schools.

The usual argument is that to have systems completely secured they would become unusable for teaching & learning … And I do agree with that. I’ve seen schools go over the top with restrictions enforced by network managers (who are only doing their job … and usually trying to stop the Head and/or SIRO being left open to legal challenge!) and it mean that T&L suffer as a result (but it does mean the Head is not given a massive fine or sent to jail …. Choices, choices!)

It all boils down to risk … and looking at how much a school wants to accept, how much is mitigate by choices and implementation of technology, how much is managed by policies and procedures and how much can be dealt with by common sense (the usual answer here is “very little”!)

In this article I will be looking at the risk in a school when accessing a secure government website such as the National eCAF website, but also trying to point out areas which also need covering for the internal use of an MIS.

Risk Management in schools is not something which gets covered in great detail, and to try and give a complete course on it here would be difficult. Suffice to say that risk is a combination of the impact of something going wrong and the probability of it happening.

This chart gives you an indication of how to look at risk.

With risk you can choose to look at it as a threat or an opportunity. In the case of the areas we are looking at it is generally a threat and you can deal with it in a number of ways (Risk Responses)

AVOID – stop the activity which introduces the risk

REDUCE – take action to reduce either the probability or the impact

FALLBACK – put in place actions with reduce the impact

TRANSFER – Put in place things which reduce the impact and often only the financial impact

SHARE – allow the risk to be spread across different people or groups

ACCEPT – know the risk is there, monitor it but accept that you will carry on as normal.

In the scenario of having a wireless network in a school that does not meet the required security criteria it means that the impact is that someone could access your network and introduce something nasty onto it which could compromise the computer being used to access the eCAF system. The impact to use of eCAF would be medium-high but the probability would vary from low (eg if the wireless network is only just below the security criteria such as using WPA) through to high (if you are using an open, unencrypted network which you have told the local community to use)

Looking at the risk responses above here are some examples of approaches schools might take.

AVOID – The school stops the risk completely by purchasing equipment that meets all the security criteria. The school might also choose to turn off the wireless network completely. Both of these response will be a problem for most schools … they are expensive or make learning nigh on impossible. Neither is likely to be a good response to be honest so common sense would say to look at other responses.

REDUCE – The school knows it should do something, but cannot buy new kit or turn it off. Instead they may try things like segregating the wireless network from other chunks of the school (VLANs perhaps) or try to do what it can to increase security (Put some encryption in place and not share details with the local community)

FALLBACK – The school can’t afford to do much now, but it does plan to buy new kit over the coming year … so there is a plan for what to do for the future and the school keeps an eye on the machines being used for eCAF in the meantime to make sure strange stuff isn’t going on.

TRANSFER – The school might decide that it gets security advice in from a firm and follows their advice,knowing that should it go wrong they have someone who is to be held accountable, or they take out insurance to deal with any fines they may incur should it go wrong.

SHARE – It would be lovely to say the risk could be shared with the council, but this is about if you are sharing your network with someone like a charity, etc … and so are prepared to accept it as a combined problem.

ACCEPT – The simplest and highest risk option … the school knows there is an issue, but is happy to take the position that they are not worried, will deal with it if something happens and they will just try to be vigilant.

For those who recognise the above, yes, I know it is a bit of over-simplification but I am hoping it gives enough of an idea to how to approach things with SLT in schools.

There are some good resources around about risk management (HSE can be helpful here) but the stance on risk will vary from school to school.

Most people will work from the position on giving advice on the position for least risk. I am not saying you will be breaking the law if you don’t follow the guidance and, if we use the above example, I am not saying that you need to buy a dedicated machine which has to be in a locked room where no-one else has the key. Those are idealistic positions … and roughly translate to advice on physical security such as “Don’t walk away from the machine whilst you are logged in and using eCAF … if you have to then lock the door on the way out. If you can’t do that then log off eCAF and the machine … or lock the desktop … or have someone else in the office who keeps an eye to make sure no-one else goes on the computer …” and so on, down the scale of risk responses. Most of this is also pertinent when using an MIS too.

I don’t think I could give you examples of each and every scenario as that would mean a bespoke risk management plan for each and every school. However, since most things are common sense then by sharing things with colleagues in, or supporting, other schools you should be able to spot similar issues.

All of the above is looking at security risks … but it applies to any project. Are you swapping your VLE provider? Are you doing a major upgrade of the Office Suite in the school? Are you moving more towards Open Source options? Every project has risks. Some are threats, some are opportunities … but you cannot plan properly until you have started to look at them.

The Perils and Pitfalls of being ‘The Block’ to learning & teaching

Once again I fall into the role of the fervent defender of the blighted IT Support teams in schools. As much as I enjoyed a good argument (oh no you don’t!) there are times when I feel that the word compromise is missing from the vocabulary of some people.

In a short break from the course I am on at the moment I picked up a tweet to a blog post from our friend Spannerman2.
It makes for good reading and raises an important points about IT and ICT & Computing as subjects, about the lack of subject specialism in teachers of these subjects and about the amount of effort which goes into running (& locking down) a school network.

It does, however, throw stones. I don’t think stone throwing is any good at the moment in education. It just generates a lot of people pointing their fingers and saying, “you are doing it wrong!” without any ideas or support for getting it right.
In conversations on EduGeek.net there have been ideas shared about how you can make things more manageable and flexible on a school network, about how you can give freedom to staff and students, about how to manage situations better and stop the ‘them & us’ perception which can be the stimulus to things getting out of hand when there is the slightest problem.

So here are a few ideas. First we will have the objectives … the school needs computers systems. It needs three types of systems really.

Let us cover the easy one first. We want a system that allows for the running of a school, the day-to-day stuff of administration, the ordering of toilet roll for the toilets, the paying of staff, keeping records on students … you know the sort I mean. It used to be that this network was kept as separate as possible from everything else. It had to be … it holds sensitive data, it needs to have careful controls over who can do what with it … both legally (DPA) and for audit reasons. However, more and more senior leaders have realised that this network holds some really valuable and vital information. Stuff that can make a difference in the way teachers operate in the classroom … and teachers also need to add to this information too. So that means it has to overlap with the other systems in the school. Problem number 1 arises, but we will come back to this one.

System number two is the one used by teaching staff to deliver what they do, day in, day out. Teaching. I don’t want to turn this into a ‘them & us’ post … I never do … and sometimes people have to remember that those most likely to read my blog from the teaching community are those most likely to understand and want to push what tech they have … in fact, the people who are the cream, those who have risen to the top … but try to remember that there are those who can do *some* of the things that you do and are learning fast … but there are also those who struggle … not just with tech, but with classroom management, with change in general … and I am thinking about *all* staff in schools. A single solution is not always the best thing … having one setup for all staff … only giving limited access to doing stuff … but the problem is that at the moment it takes time and investment to give a more flexible system for staff. There are little things which can be done, like giving rights to install software on their laptops, giving more relaxed filtering … perhaps not even ‘filtering’ as such, but just logging what is used on the internet (remember folks … audit trails!) But what happens when a laptop is brought back in to the IT team to be fixed because something they downloaded at home seems to have broken stuff (after they have turned off the anti-virus or stopped it from downloading updates or running scans) … and that is if you are lucky and they don’t just plug it into the network and infect other computers where teachers have also turned off the antivirus too … and so you have to fix their machine. You might need a spare laptop or two so that they still have a machine to use in the classroom (back to investment again) and then there is the time and staff to fix it. Problem 2 appears … planning for the inevitable workload that comes with either building systems to deal with having to fix problems like this or having to do it on a case by case basis.

And so we go on to system 3 … the most problematic because you are having to cover three conflicting needs. The student workstations / laptops. Here you have to think about what software is needed, who gets to choose that software, pay for it, develop resources for teaching using it or even for teaching the software itself (either the skills / concepts or the specific software … that argument is for another day) … and then let us think about that touchy area of classroom management. I don’t like people blaming technology when it is being used as substitute for classroom management … I’ve spoken about how filtering gets abused this way before and the same applies to locking down the desktop, turning off the ability to right-click, where things can be saved … it all boils down to how much disruption in the classroom the teachers can handle, the amount of effort which is needed to fix problems that arise and so on … So we get to Problem 3 … and this *is* aimed at the teachers who might read this blog. COMPROMISE. Oh, that was also aimed at the Techs too.

So what happens when we need these 3 systems to overlap … or even be the same system?

I would love to say that this is a perfect solution out there … but there isn’t. It will *have* to vary from school to school purely due to the nature of each school, the emphasis each school might choose to put on classroom control, on how much investment the school puts into different aspects of IT, what technology gets used, the strength of things like Web 2.0 tools, of VLEs, of email, of using data straight from the MIS … so many factors that *no-one* can give a single system that will suit everyone.

Instead … how about thinking a little more about how you are going to get to where you want to go. I can guarantee that the end system you want cannot be delivered overnight and be usable by everyone without considerable pain … so you are likely to have to do things in steps. These steps have to be done with compromise and I’m going to say my usual mantra … Change Management!

So … let us think about something that gets raised a lot at the moment. The introduction of student owned devices (yes … I know I have avoided mentioning the learners themselves … more below) can be considered in a few stages, some technical, some pedagogical. If you are going to introduce this sort of system then yes, you will have to segregate it from system 1 … the stuff you have to legally protect. A typical way of doing this would be by having a ‘dirty’ wireless network … a separate WLAN that is only used by students, *may* have some restrictions on it … but will give them access to the internet at the bare minimum (even if you choose not to filter then at least log it). You then have to consider how it will be used in the classroom. Will it be used in conjunction with a VLE? Online stuff such as Live@Edu or Google Apps? How will you ensure that the iPad is being used for work and not just to watch stuff on iPlayer? GameCentre? The netbook is not being used to just hog the school internet connection to pull down pirated video or software? Or the laptop used for chatting on IRC, tweeting about what they got up to last night or on facebook poking their mate in the class next door? The same way that it used to be notes on pieces of paper, or ‘interesting’ magazines shared by some of the boys (actually, both of those still happen too) now there is a new range of things to distract the learner …

One way of dealing with this is by using the student wireless network to force the student to log into the school terminal server system (various solutions are available to do this via a website) and so that they can use their own device in the school but with some element of control by the teacher / techie / school.

There is still another way … the idea of privilege, of use versus abuse. And this is where we talk to the learner. They can make some of the best and worst suggestions and decisions you can come across. It might be that they want the system to allow them to do nearly everything, but on the understanding that if it is abused that they get locked down. Hmm … that might even work in conjunction with other polices the school has? Wow … revolutionary concept?

It might be that the desktops are set to be rebuilt each night … so that if the students do mess things up then it is not a problem. It might be that you have systems that go back to a baseline after each log-off. you can do almost anything … but there has to be a reason to do it, it has to be a balance between what is possible, what is practical and what delivers some sort of benefit.

So … there we go … a start … I’ve already prodded a few of the detractors to techies locking things down or wanting to drop working systems to go to Open Source based purely on ethical principle rather than education need or practicality … if they want to change then I want to see a range of options and some sort of roadmap about how to adopt it, both technically and pedagogically. “Just because…” is not a suitable answer. I might want to put studded tyres on my little Smart car just because … you never know, we might get heavy snow tonight … it might become fashionable … it might mean I can drive over an ice rink to drop off James Bond to do a bit of bomb disposal and save the world … or it might tear up a recently resurfaced road … cost me a fortune to buy and get fitted the new tyres.

So … a start … let us see how it goes from here.