Identity and access management

With every new product or tech service there is a potential security issue. What are the risks, and what should schools do to provide a secure environment? Andrew Blench, SBM consultant at School Business Partner, explores

All schools will use a range of software and hardware which relies upon the storage and retrieval of personal data, including data about children and adults working in schools, ranging from a school management information system to payroll and catering systems. 

There are many risks in using these systems, including the risk that the wrong people gain access to this data and use it for financial gain or criminal purposes. There is also a clear safeguarding risk in personal data falling into the wrong hands: some of our most vulnerable children depend on their personal data and location being kept from people who should not have access to them. All children should be educated in an environment where every reasonable step has been taken to store and manage their personal data securely; if it should fall into the wrong hands it could be used for grooming and the exploitation of vulnerable young people.

Identity fraud is a very real and growing area of risk

Identity fraud is the use by one person of another person’s personal information, without authorisation, to commit a crime or to deceive or defraud that other person or a third person. Most identity fraud is committed in the context of financial advantage, such as accessing a victim’s credit card, bank or loan accounts.

There were around 190,000 cases of identity fraud recorded in 2018, and the groups particularly targeted were the over-60s and the under-21s; see Cifas, Fraudscape 2019.

The best measures to keep personal data secure involve a mixture of physical and logical controls. Physical controls restrict access to the location where data is stored, such as a server room or a CCTV hard drive. Logical controls restrict who can use the system once they reach it: every device and account should require a strong, unique password (with multi-factor authentication where the system supports it), and passwords should be changed whenever there is reason to believe they have been compromised. Note that current NCSC guidance no longer recommends forcing routine password expiry, because it tends to produce weaker, predictable passwords; it is more important that passwords are not shared, not reused across systems, and that accounts are removed promptly when staff leave.

In one school I worked in, the CCTV hard drive was located in the site manager's office, which, in theory, was always locked or occupied. However, the CCTV hard drive was linked to a non-networked PC which could be accessed without a password! So it had physical controls, but no logical controls.

We all, quite rightly, rely upon the school's ICT infrastructure to secure data through web filtering, spam filtering and anti-virus software installed on devices. The danger is that this may blind us to some of the non-technical weaknesses in how we operate in schools. We assume that the greatest risk is that electronic data will be stolen or accessed by an attacker, and it is right to be aware of this risk and mitigate it; but there can be as much risk in non-electronic ways of working.

So, for example, do you have a clear desk policy? Are printed papers with financial or personal details left on desks? Do you have printed displays of student or staff photographs with names in communal areas? In the age of high-resolution smartphone cameras these are easily copied.

Externally provided services

When you're using externally provided services you need to understand what data is being collected, why, and where it is being stored. Any externally provided service which relies upon the storage of personal data in order to operate must be covered by a data sharing agreement. This agreement should state what data is shared and for what purpose, how it is stored, how long it is retained, and what security measures are in place to keep it safe; see the ICO's guidance on data sharing agreements.

Schools should keep the amount of personal data they collect, store and share to a minimum, and regularly question why they hold it. A good litmus test is to ask 'How often do I access this data, and what would happen if we didn't have it?' This is the data minimisation principle, principle (c) of the UK GDPR; see the ICO's guidance on data minimisation.

In my previous school our admin staff created a weekly report showing the names of students who had mobile devices confiscated from them and this report was sent to a nominated governor. This was wrong on a number of levels. It turned out that the governor concerned never acknowledged the report or asked any questions. It was also an example of governors being far too operational and was a potential breach of confidentiality and GDPR. 

What happens in your setting which you could challenge using the data minimisation principle?
