Educating children on data protection

At the beginning of the year, a young girl was caught stealing a pair of shoes from a classmate after the theft, through the use of CCTV installed in the classroom. While in-school surveillance may eradicate clandestine paper plane throwing, it opens the floor to questions. How is the data managed? Is CCTV the ideal solution? And will the young perpetrator feel criminalised by this omniscient eye?

Classwatch, sold as ‘the answer to effective classroom management’ has been rolling out CCTV cameras throughout schools nationwide. In a country where video cameras are banned from school plays, it is vital that the data held is responsibly controlled and protected.

In January, a teenage pupil was withdrawn from the Ysgol Dyffryn Teifi school in Ceredigion, Wales, in what her father referred to as ‘an outrageous invasion of privacy’, when cameras were installed in the school’s toilets. Ceredigion Council responded by issuing a statement assuring those concerned that the footage was only examined if an incident was reported, and only by senior members of staff who had undergone a Criminal Records Bureau (CRB) check.

This was “all hype” according to Paul Sayner, managing director of Proxis, a security installation company.

“It’s like snow – two inches is called six centimeters to sound more dramatic. The school didn’t get a chance to have a say.”

On the uncertainly of whether CCTV should be permissible in toilets, Sayner reasons that “it depends exactly on what it is looking at,” adding that “If you’ve got nothing to hide, why should you object to that?”

Sayner does not believe that parents should be able to object to the surveillance, maintaining that the prerogative to ‘opt out’ should be a management decision. He stresses that CCTV in 'private dwellings' are different to such surveillance as speed cameras, as their implicit purpose of the former is security.

Sayner has recently overseen the installation of video cameras at Balby Carr Community Sports College in Doncaster, England, as well as a CCTV controlled biometric access control system, requiring students to use their fingerprint to gain entry to the college. Site manager Andrew Smith has reported no negative feedback, and insists that all students were happy to have their fingerprints recorded, and were educated on the implications beforehand.

A fingerprint too far

Biometrics have long proved an efficient addition to the thoroughly modern school, and used even for innocuous purposes such as borrowing library books, or buying school dinners.

Andrew Clymer is a senior identity management security expert who took issue when he was informed that his children would face biometrics at school registration, and was successful in preventing the implementation. While Clymer would like biometrics to be “used for very sensitive stuff in the future,” he sees “no justification” for its use in schools.

“[School staff] have a day job of teaching, but they don’t really have an overhead for security.”

He questions the desire for schools to take on such responsibilities - as “Most businesses see security as a necessary evil,” - as well as a school’s physical ability to utilise such information: “I’d rather know my thumbprint was used for something very valuable, when we have the money and infrastructure”.

Pippa King, advocate of ‘Leave Them Kids Alone’ – an initiative formed by concerned parents against the fingerprinting of school children – foresees further risks with a school database. If a crime were to occur within a school, she argues, it would be “well within the Data Protection Act” (DPA) for the Police to access records “without informing parents or children”. King worries that “because digital fingerprints aren’t absolutely 100% identical [to physical prints], they can throw up false positives”.

This controversial sanction can be found under the Data Protection Act’s guidelines for the ‘fair processing of data in schools’. These guidelines are required to be shared with the data subject from the age of 13, (the Information Commissioner’s view being that most children will generally have a sufficient level of understanding by the age of 12) and prior to that, must be issued to at least one guardian. The guidelines ‘encourage’ schools to seek consent from parents, and advise that parents are informed of how their child’s data will be used.

The guidelines

Details of two ‘layers’ are given in the data protection guidelines. Layer one must be handed out to parents at the beginning of the academic year when their child is 13, and provides a brief outline of the handling of data. It stipulates that names and addresses will ‘from time to time’ be required by third parties such as the Department for Children, Schools and Families (DCSF), and agencies prescribed by law, including the Qualifications and Curriculum Authority (QCA), Ofsted, the Learning and Skills Council (LSC), the Department of Health (DH) and Primary Care Trusts (PCT).

For secondary schools, this list also includes organisations that require access to data in the Learner Registration System as part of the Managing Information Across Partners (MIAP) programme.

On top of this, the DCSF is responsible for the controversial ContactPoint database which aims to hold the information of millions of children in order to optimise coordination between professionals such as social workers.

Layer two of the data protection in schools guidelines, being far weightier and more detailed, does not need to be issued by schools, and so is instead only made available to guardians upon request. This indicates further information that may be captured from the child, such as exam results, attendance information, ethnicity, special educational needs and any relevant medical information. It should be noted that parents do not ‘opt in’ for this provision; they may only opt out.

The trouble with the guidelines is that they are just that. They are not legally enforced: an issue with which Phil Booth, national coordinator of anti-ID campaign group No2ID, holds reservations. “Most of the time you get a letter [from the school] saying ‘we’re going to do this’…Some parents can be intimidated by the headmaster.” He recalls a case of a “sixteen-year-old lad who didn’t want to be fingerprinted and was almost expelled”, and believes that schools are “getting away with murder because of a weak statement from the ICO.”

Booth points out that a school is where “most parents would consider their children to be safe”, however he recounts an incident where an associate of his “went to a skip outside a school and received all sorts of stuff from an unwiped machine.”

“School is not a business like an IT business. The situation across the country seems so patchy – it’s hard to see anything consistent or coherent”.

No abstract issue

Booth also speculates on the wider use of the data and is especially troubled by ContactPoint.

“Over time one could see that this database could contain a massive amount of data. With everyone going through such a system, profiled every year, you’re building up a very detailed profile of someone.” He points out that “Information you couldn’t gather from adults is being sifted through…It would permit a future government to ethnically profile out a future population.”

If the data is fed through to ContactPoint, it will, Booth says “be exposed to, let’s say, one million individuals with access.” He adds that “I think if you asked 100 parents about the national pupil database, they wouldn’t have a clue…Because it’s required of schools, schools don’t feel they have to report this to parents”.

He posits a worst case scenario: “A mum is fleeing an abusive partner, and moves away, but wants to keep her daughter in school. Data in the MIS systems is routed to the national pupil database, to ContactPoint. There’s a route through already – a way to find someone.”

Booth concludes that “a lot of people think data privacy issues are abstract issues. If people thought through the actual consequences, they might pay more attention…We can show or demonstrate the possibilities. We would hate to be proved right. No one in government has been able to prove it couldn’t happen…ContactPoint can never be secured. It’s nuts to think that it could be.”

Education, education, education

Nightmares aside, if schools are going to adopt such technology, then schoolchildren themselves have a right, if not a legally enforced contract, to know about the issues surrounding security and data protection.

“In my experience, parents want to protect their children,” says Anja Beyer, a research assistant currently working on a PHD in virtualisation at the technical university of Ilmenau, Germany. “They see their children on the internet, and on games, and they know there must be threats. They react by forbidding the internet. This is wrong,” argues Beyer, insisting that the correct reaction is education.

Children “are not aware of the issues”, observes Beyer. “If you see how they behave, they give their password data on social networks, they are naïve on internet chat.”

Consequently, Beyer wishes to bring information security to schools.

“If [children] are in Facebook…they think that it is a closed room, so they exchange information. We have to teach them that it is not private.” Beyer is critical of Safer Internet day, a government initiative which in February this year sent experts to Berlin. According to Beyer, this is not enough, and the children don’t necessarily know about the initiative. She also laments the current teaching in German schools.

“Germany is divided into 16 federal states – each has its own curricula for schools and its own teaching programme. The federal states have differences in how they teach security. In my home [federal state] they have a subject called ‘Media Skills’, but it’s a very open word – a very small [aspect is] about information security… It depends on where you go to school - you have the right or the wrong education.”

Beyer wishes to implement a network of teachers, heads of schools, parents and experts. She insists that all teachers must be educated in infosec, because the computer “has a role” in the future of most, if not all subjects.

“In the past, it was only the internet and email. In the future it is blogs, and wiki. Every [few] years there are new media applications on the internet. It is difficult to educate [under these circumstances], but if we don’t do it there will be big problems.”

There may be an obstacle in inspiring an interest in the children for the subject, but Beyer sees an opportunity in computer games.

“At a university…I held a class called ‘IT security’, and no one wanted to take part. The next year, I called it ‘IT security in computer games’, and it was full.”

Their awareness, our future

In England, one organisation taking information security education upon themselves are infosec certification provider (ISC)².

“We wanted to put something back into society”, says John Colley, Managing Director (ISC) ² EMEA. “Part of the (ISC) ² mission is to make cyberspace a safer place. We want to ‘get people young’, tell them not to do bad things and to use the internet safely.”

(ISC) ² have partnered with Childnet International, a non-profit organisation promoting information security education. The professionals sent from (ISC) ² are provided free of charge, meaning they are able to field questions more comprehensively than a regular schoolteacher.

As for the audience, an 11 – 14 age range is chosen because they are “generally more sophisticated internet users - often they’re the main users in the home,” Colley explains. “There are some key messages that people should know about, particularly children, [such as] being a responsible cyber citizen.” Consequently, the course covers areas relevant to a young person: cyber-bullying and the legalities involved with downloading music, as well as more universal matters involving keeping a computer’s security system up to date and never giving away unnecessary information about one’s background.

“One of the things we find difficult is that the environment changes,” says Colley, echoing Beyer’s concerns. “One week [the children are] talking about Myspace, the next week it’s Facebook.”

However the course’s success is building with 7000 pupils already put through the system, 85 interested volunteers currently being put through the induction process and an international board of directors pushing the programme’s expansion across the globe into the US and Ireland. There is also a separate programme for older children being carried out in Hong Kong.

The Lucker Nature Kindergarten near Belford, UK, recently installed a biometric ‘fingerprint entry’ access system as protection for children and nursery staff. While the toddlers themselves are not expected to present their sticky fingers, it seems there is no minimum age for being exposed to the capture of personal data, and thus no guarantee that the data subject will comprehend and understand of the dangers involved. The line between protection and violation is thin indeed. However, if there is a natural environment to gain an understanding of the implications of information security, it is the classroom. Technology will change, but children will grow with it, and can learn with it, and pretty soon many of them will be taking responsibility for information at businesses and organisations, so it’s important to ensure that they take their knowledge with them. The future, and your data, is in their hands, so invest in them wisely.