Identity and access management

Every new product or tech service brings with it potential security issues. Andrew Blench, of School Business Partner, explores the risks involved and what schools should do to provide a more secure data environment.

All schools use a range of software and hardware which relies upon the storage and retrieval of personal data – including data about children and adults working in schools – ranging from a school management information system (MIS) to payroll and catering systems. There is always a risk that the wrong people will access this data and use it for financial gain or criminal purposes.

In school settings there is an additional safeguarding risk to consider should personal data fall into the wrong hands. Some of our most vulnerable children rely upon their personal data and locations being kept safe from those who should not have access to them. If this information should fall into the wrong hands, it could be used for grooming purposes or the exploitation of vulnerable young people.

Identity fraud is another very real and growing area of risk in society in general and especially for schools. Identity fraud is the use by one person of another person’s personal information, without authorisation, to commit a crime or to deceive or defraud that other person or a third person. Most identity fraud is committed in the context of financial advantage, such as accessing a victim’s credit card, bank or loan accounts. There were 190,000 cases of identity fraud reported in 2018 and groups particularly targeted were the over 60s and under 21-year-olds. (See Fraudscape 2019, Identity Fraud Insights, Cifas.)

Belt and braces – physical AND logical controls

The best, and most successful, measures to keep personal data secure are a mixture of physical and logical controls. This involves restricting access to a physical location where data is stored, such as a server room or CCTV hard drive. It’s also vital to have robust passwords which are changed on a regular basis. 

Real-life example 1

In one school I worked in, the CCTV hard drive was located in the site manager’s office which, in theory, was always locked or occupied. However, the CCTV hard drive was linked to a non-networked PC which could be accessed without a password! So, physical controls were in place, but no logical controls.

We all, quite rightly, rely upon our school’s ICT infrastructure to secure data through the use of web-filtering, anti-spam and anti-virus software installed on devices. The danger with this is that it blinds us to some of the non-technical weaknesses in how we operate in schools. We assume that the greatest risks are that electronic data will be stolen, or hacked – and it is right to be aware of this risk and mitigate it – but there can be just as much risk lurking in our non-electronic ways of working.

So, for example, do you have a ‘clear desk’ policy? Are printed papers with financial or personal details left on desks? Do you have printed displays of students, or staff photographs and names, on show in communal areas? In the age of high-resolution smartphone cameras these are easily copied. 

Data-sharing agreements help with the what, why, where

In relation to your externally provided services you need to understand what data is being collected, why, and where it is being stored. Any externally provided service which relies upon the secure storage of personal data to operate must be covered by a data-sharing agreement which should state what data is shared, and for what purpose, how it is stored, and what security measures are in place to keep it safe. There’s good advice here: Data sharing agreements (ICO).

Use the ‘data minimisation principle’

Schools should keep the amount of personal data they collect, store and share to a minimum and regularly ask themselves why they hold the data. A good litmus test is to ask, ‘How often do we access this data, and what would happen if we didn’t have it?’ This is known as the ‘data minimisation principle’.

Real-life example 2

In my previous school our admin staff created a weekly report showing the names of students who had mobile devices confiscated from them every week and this report was sent to a nominated governor. This was wrong on a number of levels. It turned out that the governor concerned never acknowledged the report, or asked any questions. It was an example of governors being far too operational and created a potential breach of confidentiality under GDPR principles.

What happens in your setting which you could challenge using the data minimisation principle?

This is another important and helpful read for you to look at: Academy trust guide to reducing fraud – GOV.UK (www.gov.uk)

Building these approaches into your everyday practice demonstrates your ongoing commitment to keeping data safe and, as they become second nature, they will provide a relatively easy way of ensuring your school’s data is as safe as it possibly can be.
