Security guidance for schools – please review existing practice

Security guidance for schools

Recent high level security breaches concerning loss of personal and sensitive information have highlighted the need to update security guidance. This guidance should ensure that similar losses are prevented and minimise the risk of data being misused should media or devices fall into the wrong hands.

Data protection legislation means that all those who hold personal data, whether on paper or electronically, must keep that data secure. Clearly, this also applies to schools. Personal data is defined as any combination of data items that identifies an individual and provides specific information about them, their families or circumstances. This includes names, contact details, gender, dates of birth and so on, as well as other sensitive information such as academic achievements, other skills and abilities, and progress in school. It may also include behaviour and attendance records.

Keeping data secure

Any item that can hold computer information is classed as media. This includes hard drives, CDs, DVDs, printed output, tapes, and memory sticks. Modern media is easy to move so requires extra controls to ensure it is not damaged, stolen or accessed by unauthorised people.

All school leaders are advised to review their existing data security policies following recent high profile issues that have led to advice being released by the Information Commissioner’s Office.

Becta is working with the Department for Children Schools and Families (DCSF) and with the Information Commissioner to update existing guidance on information security. In the meantime, school management teams should take urgent steps to ensure data controllers in their institutions follow this guidance:

* All data should be kept safe and made available only to those who are authorised to access it.
* Do not remove sensitive or personal data from the school premises unless this is part of your school’s security policy, for example where backups are being taken off site. In this case make sure that the media used has been encrypted and is transported securely for storage in a secure location.
* When data is required by an authorised user from outside of the school premises – for example by a teacher working from their home – we recommend that they have remote secure access to the management information system (MIS) or learning platform, where this is available. This could be achieved by secure access via the UK Access Management Federation for Education and Research.
* Protect all desktop, portable and mobile devices, including media, used to store and transmit personal information using approved encryption software.
* Delete sensitive or personal data when it is no longer required.

Technical guidance

School leaders should ask their support providers or technical staff to ensure that their institutions are fully adopting and using these standards.

Ensure that your institution’s security policy covers how personal information is stored, transmitted or processed and that it is managed and protected accordingly. Use best practice methodologies such as the International Standard 27001.

There are many potential solutions available to protect information, using both free and commercial encryption software. Information about encryption solutions can be found at the government and business sponsored website Get Safe Online. The Information Commissioner’s Office recommends that data controllers ensure that any solution meets the current standard of FIPS 140-2 Level 3 approved encryption products.

Further information

More advice on information security can be found on the Information Commissioner’s website.

Advice on data processing and sharing from the DCSF, including guidance on the Fair Processing Notice that schools are required to issue to parents and children, can be found on Teachernet.

Becta’s Technical specification: institutional infrastructure contains detailed advice on implementing ICT security, including an example security policy document. Becta’s Framework for ICT Technical Support Operations Management (FITS OM) security guide provides details on how to maintain a safe computing environment in a school.

If you have any queries or comments relating to the security of information in schools please email engage@becta.org.uk.