UK schools receive primer for data protection progress
U.K. legislators and regulators have been at the leading edge of data protection progress and standardization for the better part of a decade. But as the academic calendar turns to a new year, authorities have been paying special attention to how carefully schools are handling student information.
Room for improvement
A recent report issued by the Information Commissioner's Office surveyed the data security and records management practices of more than 400 schools across nine local regions. Overall, officials found that awareness of Data Protection Act mandates was quite high across the education sector, with more than 90 percent of schools proactively providing parents and students with insights on how their personal information was being stored, protected and used.
However, one in three schools conceded that password management had become a potential pain point, with several systems covered by codes that were infrequently changed and of questionable strength. An additional 20 percent of schools admitted outright that their email systems were insecure.
"The survey results showed that whilst awareness of the law was broadly good, knowledge on how to comply with it wasn't always there," ICO director of good practice Louise Byers noted. "In many respects that should come as no surprise – it's not teachers' area of expertise – and it is precisely what our report is aiming to address."
Recommended best practices
The most important discipline highlighted in the ICO's supplementary list of data protection best practices was that of notification. As officials suggested, keeping regulators informed on how much student data is being collected and what it is being used for is less of a tip and more of a legal requirement. Schools were also advised that, while delegation of responsibilities to certain administrators was a "sensible" tactic, ultimate responsibility still resides with the data controller that has registered notification with the ICO.
This transparency shown to regulators must be extended to pupils and parents as well. For instance, the ICO report advised administrators to provide a fair processing memorandum each time parties are asked to supply personal information. Whether it is an educational pamphlet or web portal, both students and families must be made aware of why data is being collected, what it can be rightly used for and what safeguards are in place to limit the possibility of a breach.
But while data security best practices such as access and device control were discussed at length, report authors also made a point of addressing the information disposal procedures that are so often a weak link in the chain of custody. Educators were advised to take into account the sensitivity of the information and the potential personal consequences of a breach when deciding on a disposal method. Most often, document shredding and hard drive scrubbing are the prescribed strategies. But once again, institutions were reminded that delegating such tasks to a third party does not transfer responsibility for their proper execution.
Finally, ICO officials underscored the importance of crystallizing these concepts in an effective employee training framework.
"Those making decisions about running schools need to know about information rights. Many data protection failures are caused by ignorance and anything that promotes awareness is to be recommended," the report stated. "Mistakes can often be prevented by being aware that a potential problem exists and knowing who can give more detailed advice."
Administrators were encouraged to incorporate data protection workshops into professional development days hosted throughout the year. But on a more continuous basis, the ICO insisted that staff should always have access to at least one colleague with an advanced working knowledge of expectations and best practice solutions.
Security News from SimplySecurity.com by Trend Micro