Huge shake-up in school data management?
It's no surprise that an on-going shake-up in the management of personal data at all levels of administration and government was going to affect schools sooner or later. As the main source of national pupil data through the school census, its where our most sensitive information about children is ciollated and held. It will also come as no suprise that not all schools protect their data effectively, with USB memory sticks, external hard drives and Virtual Private Network (VPN) access typically being used to remove data for working on from home. This is compounded by electronic exporting of data from SIMS to external processors in order to set up learning platform accounts, where mass data has been handed over for hosting on systems outside of the control of the school. Its worth mentioning that a school is a data controller and therefore responsible for the data it collects, and equally for where it sends data for processing.
With no fanfare at all, and none of the usual press releases (I found out from Merlin John's Blog), Becta recently published 'Good practice in information handling in schools - Keeping data secure, safe and legal' [PDF: 186K] . This extends the best practice guidance required of local and national government to schools, and make no mistake, that with the accompanying four good practice guides, will mean significant changes to the way data is managed at school level. So, are schools ready? The answer is almost certainly no!
The document heralds the coming of four focussed accompanying guides, which are briefly outlined:
- Impact levels and labelling
- Data encryption
- Audit logging and incident handling
- Secure remote access.
The first impact on a school will be the need to have in place a Senior Information Risk Owner (SIRO), a named individual responsible for information risk and responding to incidents. This will typically be the Headteacher or other senior leader.Their responsibilities include:
- Owning the information risk policy (assuming your school has one), and risk assessment.
- Appointing Information Asset Owners (IAO's)
- Acting as advocate for information risk management.
The second impact is an audit of information assets. Once each item of personal data is identified, it must be allocated to an 'Information Asset Owner' (IAO), who will be responsible for its protection. Each school will have several IAO's. Their job is to understand:
- What information is held and for what purpose
- How information is amended or added to over time.
- Who as access and why.
In order to implement the new measures schools are required to implement a number of technology and operational changes. To quote directly from the guidance "... Some of these can be accomplished quickly and within existing resources, others will require investment and participation of suppliers of school ICT systems and managed services." The crux of the issue is that this isn't going to be a cheap exercise, and may require schools to assess the risk in the short run and establish operational changes. As the document continues:
"... Until new technology or enhancements to your existing ICT infrastructure can be put in place, you are likely to need to make operational changes. These may mean that certain types of sensitive data may no longer be accessible away from the school in the short term."
Complying with the guidance is going to hit schools hard, (and isn't specifically funded), and will require a radical rethink of how data is stored accessed and used. My guess is that most won't have the expertise to carry out risk assessments in what is a complex and developing professional area. Just as an instance, imagine how many spreadsheets are on teacher laptops, USB memory sticks etc. containing assessment and attendance information. What about accessing personal data at home from your learning platform? Becta was responsible for setting up contracts for learning platforms wthout considering the consequence of the implicit need for secure transfer, processing and storage of personal data by third parties.
I have a question. Who will be checking that the guidance is followed? There is no mention of any obligation to periodically audit the effectiveness, which rather suggests that systems and processes are likely to be reactive following an incident. Should the Local Authority have a role in compliance, e.g. periodic compliance audits?