Comment: Working with third-party suppliers

SMS is an extremely fast, cost-effective and affordable way to provide timely messages to colleagues, students and parents
SMS is an extremely fast, cost-effective and affordable way to provide timely messages to colleagues, students and parents
Chris Jones, PageOne Communications
Chris Jones, PageOne Communications

In a period of difficult financial budget cuts, more institutions are recognising the true business value of text messaging. With many uses in the school setting, it is an extremely fast, cost-effective and affordable way to provide timely messages to colleagues, students and parents.

These applications include, for example, keeping people updated on day-to-day activities, tackling truancy and communicating school closures. Yet the effective use of SMS for such initiatives requires opening up an institution’s database assets to a third-party supplier across several different departments; from finance and HR to teaching staff and student support.

Educational institutions hold considerable amounts of personal data on students and their guardians for various teaching, research and administrative purposes. Data protection, therefore, is a key concern.

The majority of high-profile data losses reported so far have been from government bodies. However, schools, colleges and universities must ensure their own policies are watertight. Under the Data Protection Act (1998) all schools processing personal data must comply with the eight enforceable principles of good practice. That is data must be fairly and lawfully processed, accurate, processed for limited purpose, adequate, relevant and not excessive, not kept longer than necessary, processed in accordance with the data subject’s rights, secure and not transferred to other countries without adequate protection.

Educational institutions do a comprehensive job in ensuring these data protection regulations are met in-house, putting measures in place to ensure all relevant staff are properly vetted and Criminal Records Bureau (CRB)-checked before gaining access to student data. Regardless, the weak link often proves to be when student data is handed over to a third-party supplier.

The key step when appointing a third-party supplier, one that will have access to sensitive data, is to make certain it values security just as highly as your organization does.

Security must be at the root of their processes. Make sure to ask any potential supplier about the internal security measures it will put in place; also inquire about the supplier’s security accreditations. Insist on working with an ISO27001-accredited supplier for added peace of mind. Also, don’t be afraid to expect 128-bit SSL encryption on your data network, as this is the industry standard for data protection.

Next, look into whether potential or existing providers own their own data infrastructure or whether they use third-party hosting. Suppliers hosting with a third party add an additional point at which secure data could fall into the wrong hands. They also add further complications because reliability of service and message throughput are out of the suppliers’ hands and should, therefore, be avoided.

Finally, look into the actual people behind the service you are deploying. Data loss or misuse is just as likely to be caused by careless or untrustworthy employees as it is by malicious hackers or problems with software. You wouldn’t allow anybody within your institution to access sensitive data before submitting to security and CRB checks. Therefore, for your own piece of mind, demand the same level of commitment to protecting your data from your supplier.

As the amount and sensitivity of data that educational institutions hold continues to rise, and the severity of the punishment for its loss or misuse continues to increase, it is imperative that schools, colleges and universities have the correct procedures in place. In compliance with the Data Protection Act (1998), educational institutions are already well-placed to minimise the risk of in-house data security issues. Third-party suppliers, however, can often be the weakest link. Educational organizations must demand the same level of commitment to data security from external organisations as they do from their own staff or risk untold damage to their finances and reputation further down the line.

Chris Jones is CEO of PageOne Communications, provider of JANET txt, which is a government-approved messaging provider for the education sector. As a chartered engineer and with over 30 years of experience in the telecommunications Industry, Jones has worked with a number of high-profile organisations within a wide variety of sectors, including cable, and wireless and the Metropolitan Police.

Jones is currently the vice chairman of the Wireless Messaging Association (WMA), as well as director for both the Mobile Data Association (MDA) and European Mobile Messaging Association (EMMA). Having worked closely with key UK government departments such as OFTEL, the Radio Agency, the Department of Trade and Industry and the European Commission, he has become a leading voice, often providing papers on critical business issues. Jones was previously managing director and COO at PageOne, and he holds a digital communications degree from the Open University.

What’s hot on Infosecurity Magazine?