ICT Conference 2014 17 March 2014
Data Protection and Mobile Technology The risks and the solutions for schools
Paul Gibbons
About me… • 20 years’ experience of information and records management • Information Governance Manager at Greater London Authority and in NHS • Information Compliance Manager in Higher Education (SOAS) • Write about and provide training in Data Protection and other information law
Agenda • The Data Protection Act and Principle 7 • Mobile technology and schools • Personal devices • Getting yourself in shape
The Data Protection Act • Relates to personal data • Requires compliance with 8 data protection principles • 6 rights for data subjects • Conditions under which use of data allowed
Principle 7 “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”
Mobiles • Number of lost mobile phones handed in to London Underground in 2012: 20,906 • Number of tablet computers handed in in 2013: 506 • Source: V3 website/FOI request to TfL
Personal devices • There are 30 million smartphone users in the UK (at least) • Add to that tablets and laptops… • Research by Information Commissioner’s Office has shown that 47% use personal devices for work purposes • Your staff and governors will almost certainly be amongst them
Mobile technology in schools
Mobile technology in schools “There has been a spate of incidents where laptops containing personal information have been stolen from workplaces, vehicles and houses, or left in public places. After this, the Information Commissioner has decided that where such thefts or losses occur and encryption software has not been used to protect the data, enforcement action will usually follow.” From ICO report on DP guidance given to schools in 2012
Be afraid
Penalties Greater Manchester Police (October 2012) – data on crime victims on memory stick stolen from officer’s home £150,000
Penalties Glasgow City Council (June 2013) – two unencrypted laptops stolen from council offices £150,000
Penalties North East Lincolnshire Council (October 2013) – reports on 286 children with special educational needs on memory stick lost by teacher £80,000
Undertaking – Royal Veterinary College • Member of staff’s camera stolen – but contained memory card with passport images of job applicants • RVC forced to sign undertaking: – mandatory DPA training – policies on use of personal devices – encryption of all personal data on portable devices
Getting yourself in shape
Train your staff • Most incidents are result of human error • Penalties likely to be greater if staff not trained • Keep records of who has been trained
Get policies in place • Data protection policy • Information security policy • Use of mobile technology • BYOD and personal devices • Implement them!
Audit your IT equipment • What devices and operating systems are in use? • Record serial numbers, installed software and who it is issued to
Is software supported? • April 8 – Microsoft support for Windows XP and Office 2003 ends • After that date laptops running this software will become increasingly vulnerable • Make sure migration programme in place
What about personal devices? • Are staff/others able to access personal data using their own devices? • Read ICO guidance on BYOD http://ico.org.uk/for_organisations/data_protection/topic_guides/online/byod
What about personal devices? • Encourage staff to use security settings on devices • Use different applications to access business systems if possible
Encryption • Encrypt laptop/external hard drives • Software available to create encrypted area on device • Be careful – if you forget the password, there may be no way to get access to the data again (so an unencrypted backup in a secure location is a good idea)
Encryption • Consider issuing encrypted memory sticks • Provide facility for staff and governors to encrypt files they want to send via email
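The two encryption slides above describe what a file-encryption facility for staff and governors has to do: turn a passphrase into a key, protect the file, and refuse to open it without the right passphrase (which is why a forgotten password means the data is gone). The following is an added illustration, not code from the talk or from any tool it mentions. It uses only the Python standard library: the key is derived with PBKDF2, and because the standard library has no block cipher, the keystream is HMAC-SHA256 run in counter mode as a stand-in for AES. The iteration count, the sample record and the passphrases are constructed values.

```python
"""Passphrase-based file encryption with authentication (added example, stdlib only).

Illustration of the mechanism behind "encrypt files before sending them" and of the
no-recovery failure mode. The HMAC-SHA256 counter-mode keystream stands in for AES,
which the Python standard library does not provide. Salt, iteration count and the
sample record are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import struct

ITERATIONS = 200_000  # PBKDF2 work factor; constructed value for the example


def _derive_keys(passphrase, salt):
    """Derive separate encryption and authentication keys from one passphrase."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key, nonce, length):
    """HMAC-SHA256 as a PRF in counter mode: concatenate PRF(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(passphrase, plaintext):
    """Return salt || nonce || ciphertext || tag (encrypt-then-MAC)."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt(passphrase, blob):
    """Verify the tag before decrypting; a wrong passphrase raises ValueError."""
    if len(blob) < 64:
        raise ValueError("blob too short to contain salt, nonce and tag")
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # Tag mismatch: wrong passphrase or altered data. There is no other way in,
        # which is exactly the "forgot the password" risk the slide warns about.
        raise ValueError("wrong passphrase or corrupted file")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def round_trip_demo():
    """Encrypt a constructed record, then open it with the right and a wrong passphrase."""
    record = b"Pupil: A. Example, SEN report 2013 (constructed sample record)"
    blob = encrypt("correct horse battery staple", record)
    result = {"recovered": decrypt("correct horse battery staple", blob) == record}
    try:
        decrypt("correct horse battery stapel", blob)  # one-character typo
        result["wrong_passphrase_rejected"] = False
    except ValueError:
        result["wrong_passphrase_rejected"] = True
    return result


if __name__ == "__main__":
    print(round_trip_demo())
```

The design point for a school's own facility is the same whatever tool is chosen: a random salt per file so two files encrypted with the same passphrase look unrelated, a slow key derivation so a stolen memory stick cannot be brute-forced quickly, and an authentication tag checked before any decryption so a wrong passphrase or a tampered file is refused outright rather than yielding garbage. The flip side is the slide's caveat: nothing in the format lets an administrator recover the contents without the passphrase, so the secure unencrypted backup it recommends is the only safety net.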
The Cloud • Discourage use of cloud services unless you have assurances written into contract • Remember servers may be outside EEA so may breach principle 8
Disposing of mobile technology • Properly dispose of old equipment in way that ensures data does not remain accessible • If third party carrying out disposal – make sure contract specifies how and requirement to comply with 7th DP Principle • Brighton & Hove - £325,000 penalty!
Be a personal data saint! • Be aware of risks – and solutions • Get policies in place
• Train your staff • Know what you’ve got • Secure your data
www.foiman.com @foimanuk
paul@foiman.com For information rights training and consultancy