Category Archives: Security

The changing face of Data

Change never stops. There is always something else. Kyu Shin Do. Kaizen.

The latest thing I have a chance to work on, is to support schools as they get to grips with the changes that GDPR brings. But isn’t this another piece of red tape that will be a burden to schools? Well, yes, there are additional things schools will be obliged to do, but many things they should be doing already, if they are taking data protection and information handling seriously in the first place.

About 10 years ago I was sat on a working group for Becta, looking at Information Handling and Data Protection, and a lot of the advice was pretty full of common sense and those schools that picked it up, updated practices as further advice from the ICO was released and generally kept abreast of changes … well, for them the changes brought in by GDPR are an evolution, not a revolution … and this is important to remember.

Some improvements in processes; ensuring that you discuss with data processors about what they are doing with the data the school, as data controller, lets them process; having someone to have that oversight as Data Protection Officer; and so on … but these are all manageable with the right tools.

However, some schools are not up to speed. Some schools have only seen the scare headlines in some of the more sensationalist press (I won’t even link to them, they are that annoying and wrong). Some schools are being promised silver bullet solutions or are being told it will cost extortionate amounts of money to get the right experts in. In short, for some it is the Wild West.

It doesn’t need to be. There is good advice out there. There are people working to right the wrongs caused by these myths. The ICO has even started a series of blog posts around debunking these myths.

GDPR in Schools have already started to help schools understand their position and what they need to consider. They have developed a tool to help schools manage and record what data they handle, who and how it is processed and, possibly most importantly, why they are processing it. And this approach, to help schools fulfil a legal obligation in as simple a manner as possible, is one of the reasons why I am happy to announce I have joined GDPR in Schools as their Operations Manager.

Over the coming weeks we will discuss more around obligations, some of the legalities, some of the myths and how we need to make sure the dog is wagging the tail and not the other way around. We will continue discussions on EduGeek.net’s Data Protection & Information Handling sub-forum, join in discussions on LinkedIn and Twitter (#GDPRubbish can be an amusing yet illuminating hashtag to follow), and continue to publish advice through our blogs.

If you have any questions, please don’t hesitate to ask. Some questions can’t even be answered by DfE or ICO yet, but we will be there, on your behalf, asking the questions and pressing for answers.

Why Information Security Standards make sense to School Leaders

Having worked with Learning Possibilities as a client, a consultant and as a Project Manager, I still find myself relating almost all my activities to the following phrase, “What Would School Leaders Think?”

For most people in schools, awareness of Information Security standards is limited, and usually only heard about when talking about data protection or when they have been told that they can’t or shouldn’t do something, by their IT Manager, the Local Authority or a Governor.

In fact, most schools should be able to easily understand not just the importance of Information Security but how it is assessed at companies like Learning Possibilities, and that understanding is all down to thinking like OFSTED.

As with OFSTED visits to schools, companies certified to ISO27001 (the principal Information Security standard) will have regular audits and inspections from an external body.

As with OFSTED, Leadership is key. It is not about recording security incidents or how quickly they are dealt with, it is not about recording how well your backups run and it is not about recording the results of penetration testing. It is about looking at how Leadership set objectives, evaluate them and justify subsequent decisions.

Yes, there is record keeping. Yes, there are processes and procedures that have to be followed. Yes, there is regular training on Information Management, Information Security and Data Protection. Yes, there are issues and risks to be dealt with. However, these are there to provide evidence to Leadership and the quality of work is more important than ticking boxes on the 114 controls across 14 groups.

Internal audits are the book scrutiny sessions and staff observations. External audits are the OFSTED visits. The Information Security Management System contains your Statement of Applicability (let’s call it your SEF), your policies and procedures, your record of decisions, your Objectives and Measures (5 year plan?).

It goes on. There are so many similarities and helps show School Leaders that Learning Possibilities understands the impact of OFSTED, not just because of the educational impact, but because we have our own version to go through. We also know all too well about it being about key decisions, not just weighing the pig!

External audits are done each year, and you recertify after 3 years. Out of the 3 possible outcomes only the top outcome, which is effectively a 100% adherence to the standard, gets you the certificate.

What does this mean for our customers? Well, the standard is a way of showing both the importance of Information Security to us as a company across all our work, and also that we put in the time and effort on it, ensuring that it is part of our core ways of working.

So, after a 13 month programme of work we are more than pleased to say that we passed our External Audits for this year and have now been issued with our certificate, after coming through with flying colours, the equivalent of Outstanding.

I say a 13 month programme of work … we have already started on the work for the next 3 years, including the work on the international update of ISO 9001:2008 to ISO 9001:2015, the standard for Quality Management. Another opportunity for us to hold ourselves open to inspection against the highest possible standards.