01 Apr Data breaches don’t just happen to other schools
Dominic Norrish is group director of technology at United Learning and chair of governors at an all-through academy. This guest post is reproduced with permission from its original version published on his blog, from where you can follow Dominic at @DomNorrish.
This post is prompted by a #bettchat session I hosted on Twitter about the emergence of myriad data protection threats due to the ubiquity of mobile personal technology in UK schools.
I worry about how prepared our sector is to counter these threats, and even how aware of them it is. If I had to bet on the next big education scandal to hit the mainstream press, a large-scale breach of pupil data would be among the front-runners. It will happen somewhere – the extent and seriousness of the breach will be determined by how well the school in question has managed this risk.
The benefits of technology in education
Wow, that was a depressing start. Let’s just remind ourselves of something positive: appropriate technology in schools can be highly beneficial, both administratively and educationally. That’s why we all use it. For example, many teachers will have used an app that helps organise seating charts and presents information about learning needs. Equally, learning tools that allow work to be sent to pupils, and to be sent back completed for marking, are creating positive, rapid cycles of assessment and feedback. Purposeful, force-multiplying stuff, deployed for all the right reasons.
The data enabling those benefits
However, both of those beneficial examples of educational technology rely on sensitive personal data about pupils in order to work. They need to know contextual data (name, form, age, gender… possibly more) to function at even a basic level. And that’s before we take into account the data which the user (teacher or child) is creating with that app. The hyperlink above leads to the ICO’s definition of sensitive personal data, but to summarise, these are data by which someone can be identified and which no one would otherwise be able to know about them. Schools are legally required to keep these data secure.
Now think about all the things we routinely record about pupils – notes on attitude and behaviour, learning needs, pastoral incidents, assessment grades and predictions, end of year reports, their contact details, etc. These are all sensitive personal data. They have historically been kept in a school’s MIS (protected by a firewall and log-in credentials), which is a relatively safe place to keep them. Let’s face it, even if you left an unattended computer logged into most MISs, a passing casual data thief would be defeated by the ‘design’ of the interface anyway…
Similarly, children have created data whilst in school about themselves for decades – documents, photographs and videos – and these data have been both controlled by device functionality and context (you’re probably not going to try sexting your peers using a school digital camera, for example) and by the fact that they also typically reside within the school’s secure network and building. However, things have changed dramatically in the last couple of years.
What’s the risk?
Data breaches still happened in this locked-down 2009-ish example of school IT, but generally they were restricted to things getting sent to the wrong printer/posted to the wrong address. Because of this, I think schools may be falsely confident about their level of risk. School leaders may have heard about large-scale data breaches such as the Fappening, or even searched the Ashley Madison email logs in a rising panic after reading about that one.
But in my experience, not many schools or governors feel their institution is itself at risk from similar breaches.
Living in the past
If you’ll permit a history teacher’s overblown analogy, it’s like we’re all living in villages at the foot of Vesuvius in 100 AD. The mountain rumbles now and then but, hey, it’s been a while since Pompeii and anyway we’re not so stupid as to ignore the warning signs if they start up again…
This mindset is a dangerous one. It assumes that the IT world of 2009 (on-premise, locked-down, school-owned) exists today, which it does not.
It assumes that there will be time to act before a large-scale data breach affects every child in the school. Both of these assumptions are incorrect. The mountain won’t rumble ominously – schools experiencing a 2016-style data breach will be engulfed by its pyroclastic surges before they know what’s hit them.
In too many cases, we’ve entrusted unknown others with access to data without realising it. An alarming amount of data is now held by third parties on schools’ behalf, either hosted on cloud services (some of which are quite safe, some of which will not be) or – far less transparently – in the hands of app developers in who-knows-where.
The most obvious example is iCloud: when an iPad’s Photo Stream is left turned on, every photo that a child takes silently makes its way up to non-EU server farms which have recently experienced high-profile breaches. Scary stuff, once you think about the implications for more than thirty seconds. Thousands of other examples exist though – any app which a child or teacher uses is potentially taking user data of some sort off the device.
Asking the right questions
Do you know why? Do you know to where? Are you confident you remain in control of these data, as you are legally obliged to ensure? Perhaps you do, but only if you’ve stopped and asked these questions.
This is why a data protection process called a Privacy Impact Assessment (PIA) is a pretty essential management action for any school making use of apps on mobile devices (and recommended for every school introducing any new technology tool). The documentation may seem daunting, but in reality the process is just a matter of asking sensible questions about what you’re planning to do and making a judgement on risk. I’ve previously written about one school which has taken a very clear line on DP & apps and it’s well worth learning from their experience.
Key actions for schools
If I had to boil all this down to a list of key actions for schools, it’d be as follows:
- Make sure Data Protection is a defined responsibility for someone on SLT and reports to the appropriate sub-committee of the governing body. Accountability and oversight are crucial here;
- Pay attention to the changing landscape of DP. @ICOnews is a good place to start. EU law in this area is shortly to change quite a bit, and there’s a new data sharing agreement between the EU and US you should probably understand too;
- Follow the DfE’s advice on cloud service providers. This is a really useful document;
- Introduce the concept of PIAs for every new thing you let teachers/students loose on.
Some people view data breach as inevitable in modern times – they may be right, and the only sensible response is to become alive to the risk and to do everything you can to mitigate its impact.