The level of personal information held by schools and educational establishments on pupils and students has never been so high. For instance, as well as standard, individual information on address, medical conditions, results, social services reviews etc… many schools now employ fingerprint technology for the issue of school meals and other services. This is highly personal data and schools need to have more than technology in place to secure it. Its not just about how data is stored but also about who has access to it and how it is moved about and later sanitised or destroyed. To ensure data is adequately secured requires a full understanding of actual and not perceived risks to the security of its data. This means that focus needs to be on where the data needs to be and ensuring appropriate levels of security are in place to mitigate those risks.
Advent IM Ltd, the UKs leading Holistic Security Consultancy, understands the education sector, having worked with many different establishments, from primary schools to Universities. The new service offering is designed to provide a health check on school policies and procedures to ensure appropriate processes are in place for safeguarding pupil and staff data. This includes not only electronic management of data but also physical control of access to and storage of hard copy data. It underlines internal awareness of the Data Protection Act and can help schools build sustainable policies and procedures to ensure best practice within the Act and wider information security.
Experience shows time and again that data loss, breach or compromise is more often than not due to human error. In a recent survey by the Ponemon Institute, it was discovered that almost 80% of data breaches came from within, whether it was accidental or intentional. In a school environment, the possibility of a curiosity-based breach via a pupil cannot be ruled out. Indeed, most pupils know technology better than we do and see finding ways to circumnavigate the system as a challenge, but staff can also be a weak link.
There are many reasons why the human element is so vulnerable to security lapses. They can be a lack of policy or understanding, or a failure to ensure the policy is understood by all staff. It is rare that a data breach is a malicious act, but making sure all the human aspects are battened down, in addition to the technological security elements, is a “must do” for any school.
One of the schools to go through the pilot scheme was Wren’s Nest in the West Midlands. They said,
“The Consultant gave Wren's Nest a thorough, detailed information security audit which we found extremely helpful. The report, advice and guidance have provided our organisation with a valuable insight into information security. We will now investigate our current procedures and policies to enable us to move forward and identify further e-safety tools and policies to meet current legislation and reassure all key stakeholders of how seriously we take Information Security. It has clearly highlighted what additions/amendments we need in our action plan for security of IT and data protection for staff and children. The benefit will be; reassuringly robust security for everyone. Thank you."
Another pilot scheme member was Sutton School and Special College, who's representative commented:
“It [the audit] highlighted many areas that were not currently being monitored effectively. I will use this report to further enhance policies and procedures within the school. The report is an effective guidance for structured and continuous improvement.