The latest thing I have a chance to work on, is to support schools as they get to grips with the changes that GDPR brings. But isn’t this another piece of red tape that will be a burden to schools? Well, yes, there are additional things schools will be obliged to do, but many things they should be doing already, if they are taking data protection and information handling seriously in the first place.
About 10 years ago I was sat on a working group for Becta, looking at Information Handling and Data Protection, and a lot of the advice was pretty full of common sense and those schools that picked it up, updated practices as further advice from the ICO was released and generally kept abreast of changes … well, for them the changes brought in by GDPR are an evolution, not a revolution … and this is important to remember.
Some improvements in processes; ensuring that you discuss with data processors about what they are doing with the data the school, as data controller, lets them process; having someone to have that oversight as Data Protection Officer; and so on … but these are all manageable with the right tools.
However, some schools are not up to speed. Some schools have only seen the scare headlines in some of the more sensationalist press (I won’t even link to them, they are that annoying and wrong). Some schools are being promised silver bullet solutions or are being told it will cost extortionate amounts of money to get the right experts in. In short, for some it is the Wild West.
It doesn’t need to be. There is good advice out there. There are people working to right the wrongs caused by these myths. The ICO has even started a series of blog posts around debunking these myths.
GDPR in Schools have already started to help schools understand their position and what they need to consider. They have developed a tool to help schools manage and record what data they handle, who and how it is processed and, possibly most importantly, why they are processing it. And this approach, to help schools fulfil a legal obligation in as simple a manner as possible, is one of the reasons why I am happy to announce I have joined GDPR in Schools as their Operations Manager.
Over the coming weeks we will discuss more around obligations, some of the legalities, some of the myths and how we need to make sure the dog is wagging the tail and not the other way around. We will continue discussions on EduGeek.net’s Data Protection & Information Handling sub-forum, join in discussions on LinkedIn and Twitter (#GDPRubbish can be an amusing yet illuminating hashtag to follow), and continue to publish advice through our blogs.
If you have any questions, please don’t hesitate to ask. Some questions can’t even be answered by DfE or ICO yet, but we will be there, on your behalf, asking the questions and pressing for answers.
Having worked with Learning Possibilities as a client, a consultant and as a Project Manager, I still find myself relating almost all my activities to the following phrase, “What Would School Leaders Think?”
For most people in schools, awareness of Information Security standards is limited, and usually only heard about when talking about data protection or when they have been told that they can’t or shouldn’t do something, by their IT Manager, the Local Authority or a Governor.
In fact, most schools should be able to easily understand not just the importance of Information Security but how it is assessed at companies like Learning Possibilities, and that understanding is all down to thinking like OFSTED.
As with OFSTED visits to schools, companies certified to ISO27001 (the principal Information Security standard) will have regular audits and inspections from an external body.
As with OFSTED, Leadership is key. It is not about recording security incidents or how quickly they are dealt with, it is not about recording how well your backups run and it is not about recording the results of penetration testing. It is about looking at how Leadership set objectives, evaluate them and justify subsequent decisions.
Yes, there is record keeping. Yes, there are processes and procedures that have to be followed. Yes, there is regular training on Information Management, Information Security and Data Protection. Yes, there are issues and risks to be dealt with. However, these are there to provide evidence to Leadership and the quality of work is more important than ticking boxes on the 114 controls across 14 groups.
Internal audits are the book scrutiny sessions and staff observations. External audits are the OFSTED visits. The Information Security Management System contains your Statement of Applicability (let’s call it your SEF), your policies and procedures, your record of decisions, your Objectives and Measures (5 year plan?).
It goes on. There are so many similarities and helps show School Leaders that Learning Possibilities understands the impact of OFSTED, not just because of the educational impact, but because we have our own version to go through. We also know all too well about it being about key decisions, not just weighing the pig!
External audits are done each year, and you recertify after 3 years. Out of the 3 possible outcomes only the top outcome, which is effectively a 100% adherence to the standard, gets you the certificate.
What does this mean for our customers? Well, the standard is a way of showing both the importance of Information Security to us as a company across all our work, and also that we put in the time and effort on it, ensuring that it is part of our core ways of working.
So, after a 13 month programme of work we are more than pleased to say that we passed our External Audits for this year and have now been issued with our certificate, after coming through with flying colours, the equivalent of Outstanding.
I say a 13 month programme of work … we have already started on the work for the next 3 years, including the work on the international update of ISO 9001:2008 to ISO 9001:2015, the standard for Quality Management. Another opportunity for us to hold ourselves open to inspection against the highest possible standards.
Over the next few weeks I am looking at each point to tease apart the ideals behind them, to try to see both sides of the discussion and to share examples about who others have work on the issues. A lot of this will be from a UK-centric position but hopefully it will provide some insight into the similarities and differences with our friends in other countries.
Today’s point is about Decision Making
The technology function of your school organization exists to serve the educational function, not the other way around. Corollary: your technology coordinator works for you, not vice versa.
To use technology you should have a reason, understand what you want it to do and also understand how you can measure whether it is achieving it or not.
Oh dear … this sound like we are going to talk about planning again.
In the past a number of choices about technology have been a little chicken and egg with what has been used. There have been pilot projects or innovative schools who have gone out and done something interesting with new or emerging technology. The technology has inspired them to try something new and when it has worked you then find research to look into it on a wider scale. This is where folk like Becta came in … as well as groups such as the Association of Learning Technology, NAACE, Besa and so on. They took the research to the next level, either as partnerships with schools, those doing the research, with suppliers or as the controller of funds (or any combination) … resulting in ring-fenced funds to allow schools and LAs to implement a given technology.
So the idea that the technology should be based on your choice has not always been the way it should have been, but it was usually instigated based on good practice and research. How will it was implemented is then debatable and how much that removed control and decision making from individual schools is another point some will raise.
But where does the technology coordinator (NM, ICT Coordinator, LA Technology Manager) sit in this? To some extent they might have chosen the specific technology based on available funds, with a certain set of features, but the pedagogy behind it all should be pretty agnostic and be able to use whatever is provided. An IWB is an IWB … and whilst specific software might have benefits over other solutions the idea of it being used by learners is common … it is just the method which might change. The arguing point against this is around wireless tablets connected to projectors (removing the requirement for the learner to come to the front of the class … an important feature in some schools with learners who do not engage when in front of their peers) or the ‘add-on’ tools such as voting systems (actually a separate technology in their own right but can work well with IWBs).
The other arguing point around this is about policies and strategies. I hate to say it but there is a little thing called the law. In fact it is the Law. It deserves the capitalisation. And this varies across the world. There are many things which educationally would seem to be perfect decisions but are then put on hold or stopped because the NM / Tech coord / etc says no. This is not done lightly, nor is it done without consideration for what benefits will be lost and it is usually done with some attempt at compromise. Areas where there will be clashes ranging from safeguarding, copyright and intellectual property, data protection and information management, funding and classroom management. A good NM will educate you about these (if you are not up to speed) and will work with you to get the most out of tech … but they are frequently the gatekeeper as to what tech you can use because they have the knowledge about the bits which will cause problems. In the same way you have people to tell you not to try blowing up the science lab (in spite of how much fun it was when we were at school to see people do experiments that blackened the ceiling), or have people who tell you not to use certain classrooms due to them falling down … you have people who will say not to use certain technologies in certain ways. I’ll discuss the legal side of this in a later post … but just try to believe that a good NM is talking these into account and advising Senior Leaders, classroom teachers, office staff, parents, learners, local community and the random people who ring up the school because of things you post on the internet.
Yes, the Technology Coordinator works for you, but part of that job is choosing or helping to choose appropriate technology and keeping you safe. Don’t give them a job and then tell them they can’t do it!
On the other side, your NM should not keep things as a dark art and be the only person making choices. Any choices made should be clearly explained and, as per the last blog post, show where they are held accountable. Likewise the choice of technology should not force you down a particular educational route, but it can be an inspiration for doing something different. Be aware of the differences and look at the early adopters to see what they did and what worked / failed.
And so I take a quick interlude from my look at the recent Apple Workshops to think about a few queries some schools have raised in the last few weeks about Apple and Data Protection.
When it comes to their OS X devices (desktops and laptops) Apple have had some built in encryption for some time. FileVault was introduced in Mac OS X 10.3 and used to just encrypt user files. Not a perfect solution but the introduction of FileVault 2 in Mac OS X 10.7 (Lion) we now have a solution to encrypt the whole drive. The ICO has raised the need to encrypt laptops so if you have personal data on your MacBook then you should seriously look at FileVault for encryption. There are other commercial offerings and solutions which cover a variety of platforms, allowing for better audit and control … but yes, there are going to be at some cost. In the same way that BitLocker is a fantastic way to deal with the issue on Windows 7 laptops (which has been blogged about by the Microsoft Education UK team) then it is good to consider making use of the built-in tools provided by Apple.
When we come to Apple’s mobile OS, iOS, and the newer devices being used (iPhone 3GS and later models, all models of iPads and iPod Touch 3rd gen and later models) then these are all capable of going onto iOS 5. By default these devices make use of hardware encryption. Apple say, “Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode. This provides an additional layer of protection for your email messages and attachments. Third-party applications can use the data protection APIs in iOS 4 and later to further protect application data.”
The growing use of iOS devices as tools for Senior Leaders and teachers in schools will mean that sensitive emails and files are likely to be on these devices and so you need to take appropriate action to protect the data.
Apple do have a larger paper about iPad security and from my perspective it boils down to a few key facts.
1 – Set a passcode on your device. This will mean that should someone repeatedly attempt to get in then it will be wiped.
2 – Don’t rely on a simple passcode. Whilst it is nice and easy to have a simple code of 4 numbers, it is not exactly secure. You wouldn’t have a password of 4 characters for your desktop or laptop to log into your school network so why do it for a mobile device? If you look at your iPhone and check the pattern of smudges where your fingers type you can see where you enter it in … and the direction of the smudge can make it easy to guess. Other mobile OS have a similar problem so it is nothing new.
3 – If you are using smart covers on iPads then make sure that you turn off the feature to automatically unlock when you open the cover. This sort of defeats the object of security. Fine for classroom devices but not for those with personal / sensitive data on.
4 – Tools such as the iPhone Configuration Utility (ICPU) allow you to create a profile for devices to change some of these settings. If you are creating settings for school devices or to allow devices to connect to school systems then you should look at this to force improvements. This will include password length, complexity, Autolock time period (I have mine for 1 minute and the maximum number of failed attempts to login before the device is wiped (mine is set to 4).
5 – Remote wipe should be available … either via management tools within the school or if a personal device then via iCloud with Find My iPad.
Not an extensive list of how to deal with this and there are some other really pod guides out there, but hopefully this gets more people considering how they use Apple mobile devices and take a bit more care.
Because I have a background of being involved in discussions around data protection I sometimes get a prod about online storage and web 2.0 tools. Over the last 6 months I have had quite a few over online storage options, but I have never really stuck down on (electronic) paper what my concerns are and why I have them.
There are a few concerns I have, some centre around ownership of files and data, some around data protection and some around management of the tools.
Online storage often comes under attack over IPR of images, concerns about control, heated rants about how company x is making use of *our* files / photos to generate revenue on a free service, etc … and we only have ourselves to blame for not reading the T&Cs fully, for not keeping abreast of changes to the T&Cs (though some companies make life extremely difficult to find the changes or contribute to those changes) and for not accepting that if we take part in a free service then there are likely to be limitations and issues. We take on that risk ourselves and we need to accept some responsibility for that. Whether we are talking about LinkedIn using profile photos of members in their marketing by default, changes to FaceBook privacy options, changes in security / ownership when companies merge products … there have been so many times when the masses rise up indignantly to protest and then rush around making changes and, in the worse cases, swap services … and yes, I have been there, expressing my frustration too.
This is increasingly important if we are asking children to make use of these tools as we are being trusted in our judgement and selection of these tools … after all not all children, across the broad age range we have using these tools, are emotionally, intellectually or perhaps even legally in a position to make some of these choices on their own … but that is a discussion for another time probably.
But discussions today centred around online storage, and in particular the growing use of DropBox to remove the need for USB memory devices. For those who have not come across DropBox.com, it is a an online storage system which will synchronise selected folders from one or multiple devices to an online repository. Folders or sub-folders can be shared for automated synching with other users, making it a fantastic tool for collaborative sharing of files and materials. There are a number of other tools like this ranging from Microsoft’s SkyDrive, shared document libraries in Sharepoint, Moxy, Box.net, ADrive and many more. DropBox and SkyDrive are both free so that is why you will see them in heavy use … especially in education. Free comes with limits though and sometimes that can be the amount of space, sometimes the SLA doesn’t really exist and sometimes there is a lack of control over certain aspects of functionality or how it changes.
When it comes to DropBox though, my main concern is that users are significantly at risk of breaching the Data Protection Act and they don’t even know it. This is especially important right now as it is being recommended to NQTs who might not know any better … let’s face it, there is not that much about Copyright law, Data Protection and IPR within teacher training and, from what I have seen and been told, there is a presumption that this is covered within schools by school policies … and we all know how wonderful many schools are for having decent Data Protection policies and explaining them to *all* staff.
I know that my blog is read by a wide range of people so I just need to go back a little to cover an aspect or two of the Data Protection Act. The DPA has 8 principles, which are pretty self explanatory and the 2 most important principles to look at for this conversation are 7 & 8.
If we start with DPA Principle 8 first … this about where data can be stored, moved through, processed, accessed, etc. And this is the first place we fall down with DrpoBox. There is an ongoing query that has never been fully answered about whether DropBox.com is compliant with this.
Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Now, what this means is that if you use your online storage and sharing to move about or access anything that can be deemed ‘personal data’ (which for teachers can range from pictures of children, their personal details, information about their progress, medical information and so on) then you have to do it within the European Economic Area or other countries where we have set agreements. With the US this is called the U.S. – EU Safe Harbor and there is a list of companies who have been certified with this and across what aspects. It is important to remember that being certified is only part of this … the specifics of what has been agreed is equally as important and that will differ from company to company. I have previously commented about iCloud and Apple before to reflect this.
When you look at the list you will spot that DropBox.com is not there. When you dig through the T&Cs for DropBox you will find that they use Amazon for their storage facilities … which is good … Amazon *are* on the Safe Harbor list so that seems to tick the boxes … apart from they don’t say that they will only ever use Amazon and they don’t say how they use them, and what agreements they have in place. Ah … so we are back to square one then.
To deal with this I know some users of DropBox will make use of other security solutions to bolster how they deal with DropBox. This involves using an encryption tool to create a secure folder / file which is then synchronised via the only service. A common tool for this is TrueCrypt and that works fine at a technical level … meeting the criteria of DPA Principle 7, where you are taking suitable technical measures to ensure the security of data … but the principles are not pic and mix … you have to meet them all. Right now I use an encrypted folder on Dropbox for my non-sensitive files (so only I and others I trust can access them) and do not use it at all for sensitive items.
For sharing pictures for stimulus with others (teachers / children), for sharing videos, etc, especially cross-platform and when using apps on mobile devices, then I can see that it will be fine for use in UK schools … but for staff to share in general … no … not yet.
SkyDrive does meet the criteria as the data centre used is in Ireland, but it is still worth thinking carefully about what you are sharing with others and how.