ICO and Ofsted agree encryption needed in schools

In its Inspecting e-safety – Briefing for inspectors document, Ofsted outlines what its inspectors will be hoping to find. In particular, it lists examples of good practice followed by examples of inadequate practice. Good practice includes awareness of issues, integrated reporting routines (including, for example, the use of the CEOP abuse button), adequate training for both staff (at least one of whom should have specialist training) and pupils, and use of a recognized service provider including age-related filtering.

Inadequate practice includes unsecured personal data (encryption is specifically mentioned), poor passwords, generic policies not regularly updated, lack of ‘progressive’ e-safety education, no filtering or monitoring, no evidence of staff training and poor reporting procedures.

While the Ofsted document indicates what it will be demanding for the protection of pupils, the ICO guidelines indicate good practice (effectively amounting to instruction) on how to protect personal data (for pupils, parents and staff). The two subjects overlap, since loss of pupils’ sensitive personal information could easily lead to cyber-bullying. This overlap is most clearly indicated in a common attitude towards the importance of using encryption. Two years ago the ICO stated that following loss of unencrypted personal data, “regulatory action may be pursued.”

Now, in this new Report on the data protection guidance we gave schools in 2012, it subtly changes its approach: “the Information Commissioner has decided that where such thefts or losses occur and encryption software has not been used to protect the data, enforcement action will usually follow.” This warning comes in the section specifically dealing with information security.

Mark Reeves, senior vice president at Entrust, thinks the joint attitude towards encryption is important. “Over the past few years,” he commented, “we have seen millions of passwords being hacked, stolen and leaked online so it is important that schools follow the ICO’s advice and do not rely solely on usernames and passwords as a means to protect pupil’s sensitive data.”

Christian Toon of Iron Mountain believes the answer is for schools to use standard business practices – and especially risk management. Although he believes that “The ICO recommendations will help schools make good their shortcomings,” he adds, “Teachers and schools must learn the importance of information risk management in order to safeguard the sensitive information of the children in their care and of the parents of those children.” Surprisingly, perhaps, the concept of risk management is mentioned in neither document.
