I wrote this up for someone, thought I’d share…
The school, leadership and governing body has responsibilities under the legislation specified in the Data Protection and Freedom of Information Acts. The purpose of a school Data Protection Policy is to make sure that a policy and processes are in place to ensure the school meets its obligations under the relevant legislation, and to ensure that members of staff are aware of what they are required to do to maintain compliance with those obligations.
Information on, and enforcement of, the relevant legislation is provided by the Information Commissioner’s Office (ICO) []. The ICO also provides sector-specific guidance, including guidance for organizations in the education sector [].
In summary, the guidance is as follows:
If you handle and store information about identifiable, living people – for example, about school pupils – you are legally obliged to protect that information. Under the Data Protection Act, you must:
· only collect information that you need for a specific purpose;
· keep it secure;
· ensure it is relevant and up to date;
· only hold as much as you need, and only for as long as you need it; and
· allow the subject of the information to see it on request.
For computers (and similar devices) the definition for “keeping it secure” [] is as follows (emphasis in bold is mine):
For computer security:
Install a firewall and virus-checking on your computers.
Make sure that your operating system is set up to receive automatic updates.
Protect your computer by downloading the latest patches or security updates, which should cover vulnerabilities.
Only allow your staff access to the information they need to do their job and don’t let them share passwords.
Encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen.
Take regular back-ups of the information on your computer system and keep them in a separate place so that if you lose your computers, you don’t lose the information.
Securely remove all personal information before disposing of old computers (by using technology or destroying the hard disk).
Consider installing an anti-spyware tool. Spyware is the generic name given to programs that are designed to secretly monitor your activities on your computer. Spyware can be unwittingly installed within other file and program downloads, and their use is often malicious. They can capture passwords, banking credentials and credit card details, then relay them back to fraudsters. Anti-spyware helps to monitor and protect your computer from spyware threats, and it is often free to use and update.
Note that encryption is not the same as setting a password, although passwords are frequently used as part of an encryption scheme. An analogy is to think of setting a password as similar to putting a lock on an office door, someone can force the door (or enter via a window) and still access documents stored in the office. With encryption, as well as locking the door, the documents in the office are written in a code that even if they are accessed, means the content cannot be read by someone without details of the code used.
My understanding is that whilst on school premises, physical security to protect data is typically sufficient. For systems that are used outside the school, including USB keys and portable drives, any personally identifiable information (i.e. information that has the potential to be used to cause harm or upset) should be encrypted.
"The fact that the school was unaware of the need to encrypt the information stored on their laptop shows that many organisations continue to process personal information without having the most basic of security measures in place."
Finally, I am not a lawyer and this is not legal advice…