180 likes | 294 Views
Brent Heads’ ICT Steering Group 06-03-09. Data Issues. Agenda. Introduction Some of the main questions Part 1: Data Security Some issues Securing Personal Data Part 2: The Connected Future Some Issues Data Sets AOB. Some of the Main Questions. Why Automated Collection?
E N D
Brent Heads’ ICT Steering Group06-03-09 Data Issues
Agenda Introduction Some of the main questions Part 1: Data Security Some issues Securing Personal Data Part 2: The Connected Future Some Issues Data Sets AOB
Some of the Main Questions • Why Automated Collection? • What is collected and when? • Why is it collected by Chesterfield House? • Why is it collected by Fronter? • Why is it collected by London Grid for Learning(Atom Wide)? • What does a school need to do to comply with the Data Protection Act? • Why the need for regular school audits?
Some issues seen in some schools File servers stored in unlocked offices e.g.. Poor data backup arrangements e.g… Subsets of data available on websites in Excel Subsets of data taken out of school on unencrypted USB Keys Full data sets taken out of school on laptops not password protected or encrypted Remote access to school admin servers via insecure software e.g. PCAnywhere Inaccurate MIS data
Data Security - DOs Strictly limit access to personal data to those who need it to do their jobs. Tailor the subset of data which users can see, to that required to do their job. Enforce the use of strong passwords that contain both numbers & capital letters. Enforce regular password changes that do not allow users to reuse old passwords. Regularly review users & rights to ensure that these reflect job needs, that they are current & correct. Do ensure that remote access to the school network is limited & that connections are encrypted. Limit & control the personal data that is taken from the school on portable devices (Memory sticks, PDAs, Laptops etc.) Ensure that all personal data that is taken out of the school is in encrypted form. Ensure that personal & other data is regularly backed up & that a copy is securely stored off-site wherever possible. Ensure that all file servers that contain personal data are in a secure, normally locked location. Ensure that PCs that have regular access to personal data through the logged in user are provided with a password protected screensaver
Data Security – DON’Ts Allow remote access to fileservers using products such as PCAnywhere or Microsoft’s Remote Desktop Connection software. Post spreadsheets containing personal data without individual password protection on public facing web sites. Post children’s photos on school websites without ensuring that no personal details are present in the file name or metadata. Do not allow children’s photos to be downloadable from school web sites by right-clicking the image. Allow remote access to file servers from “Any IP Address” without strictly limiting the range ports that are opened.
Data Security Audit Where do I start? • Carry out a regular data security audit • Are you registered with the Information Commissioners Office – is your registration up to date? www.ico.gov.uk There is a wealth of information on this site • On the audit trail check the dos and don’ts If your registration is not up to date and/or you are not doing a regular audit, and responding to its findings, it is unlikely that you are compliant with the act
LGfL Secure and Remote Access Secure Remote Access costs £60 pa per concurrent user. Secure Remote Access allows access to school networks for users who want to connect remotely from anywhere within the LGfL network or via the Internet through standard web browser clients. It is secure and encrypted
Securestore – Secure and Remote Storage Secure, encrypted data storage Automated, prescheduled and on demand backups A minimum 1 month backup history Easily upgradeable storage space Quick and simple data restoration Uses existing broadband connection overnight, keeping costs down 50GB + 1 Server licence costs £450pa
Some Issues • MLE Integration • SIF • Groupcall • USO • StaffMail • LondonMail
Data Sharing (1) The Connected Future sees a number of information systems both inside & outside school sharing data. Data security is paramount & systems need to exchange data over an encrypted channel. Data elements need to be in a consistent, standard form & need to be present in Schools’ MIS e.g. MLE integration and various data sets Standardised data exchange protocols are required.
Data Sharing (2) The standard defined for data exchange is SIF (Schools [now Systems] Interoperability Framework). This is an Internationally defined standard. SIF products are not yet available. In the interim the Authority has determined that an alternative, called Groupcall Xporter will be deployed to all schools. (See Brent circulars 2270, Nov 2006 & 3457 Jan 2009) available in the Resources area to regularly & automatically collect data.
GroupCall Xporter Xporter a small service that runs on the school’s MIS server & is configured centrally. Xporter runs specified MIS reports & transfers the data securely Xporter collects staff and pupil data to keep USO up to date Xporter collects the CTF data set used by the LA Xporter will be superseded in 2010 by SIF
Resources enabled by GroupCall Unified Sign-On (USO): A single username and password for every relevant student and member of staff in London, granting access to all supported LGfL resources Second-factor authentication is available using OTP (one time password) tags for services accessing any sensitive data StaffMail: For Staff, Governors and Admin Full Exchange 2007 Functionality Provided ‘free’ to LGfL Schools Replacement to Synetrix @mail system LondonMail: Web-mail service for curriculum use. Replaces DigitalBrain service Inbound and outbound mail filtering by MicroSoft, protects against viruses, spam and inappropriate content Provided ‘free’ to Brent Schools
*Note 1: The CTF data set also contains detail of pupil’s SATs results, their previous school, ethnicity, SEN status, free school meal status, address & attendance information.*Note 2: The SIF data set contains all that is in the CTF data set together with information on staff as well as pupils. Staff information also contains, for example, the National Insurance (NI) number, length of service and grade.
Resources Copies of the Consultation version of the Brent Data Security Strategy are now available