Tuesday, July 7, 2015

How can schools share sensitive pupil data securely?

Schools are expected to process and share increasing amounts of information about pupils – from exam results being sent to governing bodies, to information about ethnicity, special educational needs and medical conditions being shared with approved organisations such as local authorities, and health and social care providers. This is necessary to ensure that not only are curriculum standards being met but that schools are providing holistic care for the pupils in their charge.

Yet schools need to be aware of the types of data they are sharing – and how to do this securely.

Most of the information shared is personal data, as it includes of names, gender and dates of birth. However, sensitive personal data, including ethnicity, physical and mental health, sexuality, and criminal records, can also be shared with these external organisations. Therefore, it is essential that schools ensure the correct technical steps are being taken in order to protect this information as it leaves their institutions.

Sharing pupils’ data outside of schools 

Despite the sensitive nature of this data, a concerning number of schools still continue to utilise unsecure mechanisms for sharing this information. Data exchanged via plaintext emails, fax and even post could not only compromise children’s privacy but also expose institutions to fines up to £500,000 by the Information Commissioner’s Office (ICO) if a data breach takes place.

To resolve this issue, in ‘Inspecting e-safety’, Ofsted has declared that it is inadequate practice to send pupils’ information without using encryption technology to protect this highly sensitive data. In addition, according to the ICO, email and file encryption solutions certified via CESG’s CPA scheme are best suited to meet the appropriate security levels required by schools, as well as help them remain DPA compliant.

Top tips for secure pupil data exchange  

In order to protect pupils’ data that is shared over the internet, schools need not only implement risk management policies and procedures (such as staff training and / or the shredding of all confidential paper waste) but also ensure appropriate technical measures (such as encryption software) are put in place, including:

Email and file encryption

Mechanisms for secure electronic transfer vary widely, however it is important that they offer robust encryption, sophisticated functionality and ease of use – all without affecting existing work processes and infrastructure. In practice, this looks like:

  • Capabilities that integrate seamlessly with existing email clients, such as Microsoft Outlook, so school staff don’t need to log into separate systems to send emails and files securely
  • Ability to provide real-time access control over encrypted emails and file attachments, as well as time-based access restrictions, to reduce the impact of sending information in error and / or third parties mishandling data  
  • Embracing cloud technology securely. As an increasing number of schools move their systems to the cloud via Office 365 Education and Google Apps, they need to provide the highest level of assurance around who can access this data both in transit and when stored in users’ mailboxes 
  • Easy for recipients to use. Uptake of any encryption solution depends on recipients being able to not only understand its necessity but actually be able to intuitively use it

Secure web form 

While email and file encryption are useful when schools need to share sensitive information externally, a secure web form provide an alternative mechanism for securing pupils’ data flowing back into the network. In particular, this can be of importance, when parents need to provide information, including scans of passport, when pupils join a new school. Some of the key advantages of a secure web form include:

  • Security: Providing third parties with an encrypted solution to use means that pupils’ sensitive data is always awarded the correct level of information assurance
  • Simplification and improved efficiency: Web forms provide a single point of contact for numerous third parties and can be integrated internally to populate existing systems and workflows, reducing the admin time schools need to spend simply processing incoming data
  • Cost-effectiveness: A secure web form can replace the need to send  personal data and any other information by post or couriers 

No comments:

Post a Comment