Tech vendors should do more?

There is a lot of discussion about how tech vendors, and particularly the big tech vendors, need to do better, whether in relation to data protection, online safety, addressing fake news or many other considerations. A recent presentation by Laura Knight at FutureShots24, where she spoke of finite and infinite games and of Simon Sinek’s book “The Infinite Game”, got me thinking about this again.

Tech vendors need to sort it

Firstly, it is important to acknowledge the benefits of technology. The tools we have and use exist because they are useful, and the tech companies that continue to operate do so because we as users choose to use their solutions, but there are also challenges and drawbacks associated with most technologies. It is pretty clear that tech vendors need to do more to address the various challenges and risks which come about as a result of their products. They provide a tool, whether it be a productivity suite, a social media application or a generative AI tool, among many others, and many people use these tools appropriately and for good; however, there are also those who use these tools for ill, for criminal, unethical and immoral purposes. Now, I have blogged on this before: tools are neither good nor bad, it is their use which is good or bad. The challenge, however, is that through technology the resulting impact is magnified. I have talked of a hammer as a tool, and how it could be used for assault, but unlike a hammer, a maliciously used social media tool can impact hundreds or thousands of people at once; the potential impact of the tools is much broader. So, from this, it seems clear that tech vendors need to consider this negative impact and seek to mitigate the risk in the design of their platforms and through their processes.

The key here is that we are not really looking at these tools, but at their impact on wider society. Society will continue, for good or for ill, long into the future. It is an infinite game. Long after I am worm food, society will continue. Likely long after many of these tech platforms have been and gone (think MySpace, Friends Reunited and the like), society will continue.

And so we look to rules and to laws to provide us with frameworks and protections, rules and laws which will exist long into the future, although they may evolve and be adjusted over time. Sadly, though, these laws and rules are designed for the long, infinite game and are therefore slow to change, relying on established processes and methods not designed for the quickly changing technological world we find ourselves in.

With laws unable to keep up, we find ourselves complaining that the tech vendors need to do more. This is likely the case, but the tech vendors know their time is limited, as they may be dispatched to the bin should the next viral app come along, so they don’t want to expedite this by making a safer but less usable, less enjoyable, less attractive or less addictive platform. We have a problem!

But the tech companies are important

The tech companies are driven by profit; they are, after all, money-making companies with shareholders to answer to. That said, many of the big tech companies do try to establish the moral and ethical principles by which they operate. It is their drive for money which leads them to “move fast and break things”, to innovate and disrupt as they seek to find the next big thing and the corresponding profits which come with it. And we need this innovation. If we left innovation to governments, their processes, laws and rules would make innovation so much slower than it is while in the hands of tech companies. I suspect we would still be using 5 ¼” floppy discs at this point!

The tech companies play the finite game, knowing that in this game there will be winners and losers, so moving fast, disrupting and innovating is the only way to avoid being confined to the technology bin of history; think the Polaroid camera, the MiniDisc, and the platforms I mentioned earlier. So, if the choice is between spending longer to create a safer platform but possibly being 2nd to market with a product, or getting it out quickly and being 1st but then having to address issues later on, closing the gate after the horse has bolted, it seems pretty clear which the tech companies will choose. Being 1st means survival, while being 2nd might spell doom.

Solution?

I am not really sure that there is a solution here, or at least not a perfect or near-perfect one. Things will go wrong, and when they do we will be able to highlight what could or should have been done by tech vendors, governments or individuals to prevent the outcome. But we have to remember that we are dealing with technology tools operating at scale; take TikTok, for example, with its approx. 1 billion monthly users. We haven’t yet banned cars, but car accidents continue to happen!

Tech companies will continue to focus on the finite game, on maximising profit for their shareholders and on remaining viable, while politicians will also play the finite game, focussing on policies and proclamations which are more likely to be positively received and to keep them in power, or help them to power. But the world and society are an infinite game, where what we do now may impact how things are for future generations.

I think we need to be pragmatic, and I also think it’s about partnership and working together. If governments, tech vendors and user groups can work together and discuss the benefits, the concerns and the issues, maybe we can make some progress. Maybe we can find the best “reasonable” options and the “good enough”. And I note that I feel some of this is already happening within some companies. I suppose my one conclusion is simply that it isn’t for tech vendors to do more; it is for us all to do more: tech vendors, governments, schools, parents and adults more broadly, communities, and more. And if we can do it, discuss and explore, find and test solutions together, then maybe we can start to address some of the challenges.

Data protection and modelling

While at the Schools and Academies Show, one of the discussions I had focussed on EdTech in general and the need for teachers to model appropriate digital behaviours, including cyber security behaviours, for students. As the discussion progressed it moved on to the topic of data protection, and I think this struck a chord with me.

Seeking solutions

The pandemic has required us to be agile in quickly finding solutions for issues, ways to engage learners and bring about the best learning experiences where students are either all online, away from the classroom, or where we have a hybrid situation, with some in the class and some not. The issue is that the resulting search for solutions has led to tools, which may have pedagogical benefit, being adopted without the due diligence as to data protection.

All staff need to appreciate that when signing up to an online service they are giving away some data. It might seem as simple as an email address and password, but the reality is that most services will also look at IP addresses, which give away some rough geographical information, plus information on the device being used, such as the browser, device type and operating system. Then, dependent on the nature of the service itself, they will gather further data as provided by us, but also in relation to when we access a service and how often, and also which others in similar geographical areas, based on IP address, tend to access the service at the same time.

And this is all before I, as a teacher, then get students to sign up for the same service because it is useful in the teaching of my given subject or a specific topic. So now students are also giving away data, but at my request.

Data Protection and GDPR

I think part of the issue here is that not all staff are IT experts or data protection experts. Yet we all sign up to services which in effect gather the data we provide, and some data we don’t quite realise they are gathering. For me the issue here is that, although we may not be experts, we need to exercise some care in relation to data protection. This might be simply looking at the privacy policy for anything which seems out of place. It might be seeking support from the IT team in a school, or seeking the support of educators the world over via Twitter or other forums. The key thing is we can’t simply sign up without giving some consideration to the risks and implications of doing so.

Now, those in the data protection world may see the above as not going far enough; they may cite UK GDPR or other legislation. However, the reality, in my view, is that most things boil down to risk-based decision making. The role of a school is not to be as secure in its data protection as a bank or other highly regulated industry, but to facilitate learning. So there are some trade-offs, where learning takes priority and some risks are accepted and, hopefully, mitigated as much as is possible.

Conclusion

I think all schools need to spend some time discussing with all staff the implications of signing up for online services and of data sharing. We can’t hope to make them experts, but we can hope to educate them enough to give some reasonable consideration to the implications of their actions in signing up for a service, or when getting students to sign up for an online service. It’s about doing all we can to reasonably facilitate good data protection based decision making and behaviours, in staff and, through modelling, in students.

Technology and efficiency

Technology can make things easier or more efficient; however, as with most things, there is usually an opposing drawback or disadvantage seeking to balance things out.

Take for example the recent plans by some Scottish schools to introduce the use of biometrics, and in particular facial recognition, to try to speed up their lunch queues (you can read more about the plan here). Using facial recognition means that the student can be recognised as they arrive at the till, allowing lunch staff to quickly scan food items and charge them to the student’s lunch account, which is topped up with credit by parents via an online portal. This will likely save a few seconds of lunch staff identifying the student on their system in order to apply the costs. A few seconds doesn’t sound like much, but if you consider 600 students going to lunch each day, even a single second grows to 10 mins saved per lunch period, 50 mins per week or over 3 hrs per month. The potential benefit is pretty clear, but is this enough?

Cost

The first, and likely most obvious, drawback in any technology implementation is cost: the cost of hardware and software, but also the cost of planning, implementation, training and support. In almost every technology solution there will be an additional cost to be considered, and it will be necessary to examine whether this cost is worth the proposed gain of the technology solution. We also need to be careful to look beyond the initial financial costs and consider the longer-term support, maintenance and replacement costs: the total cost of ownership. In the case of facial recognition in school canteens, it might be easy to compare this cost against the improvements in service, or even a notional cost saving in terms of time saved.

Cyber Security

The other factor which is almost always guaranteed to act in balance is cyber security. Adding additional systems or solutions will likely increase the school’s cyber attack surface and risk, even where appropriate risk mitigation strategies have been put in place. It will also add complexity, which again increases risk. As such, cyber security needs to be considered in establishing whether the proposed gains are sufficient to outweigh any risks or costs.

Data Protection

Data protection, which is linked to cyber security, is yet another factor that needs to be considered. It is likely that more data, or different types of data, will be stored as a result of the proposed technology change. We need to be sure that we have processes in place for managing this, and that we continue to comply with UK GDPR or other data protection legislation. In the case of facial recognition this is particularly important, and it is one of the stumbling blocks impacting the Scottish schools proposal. We need to ensure that data gathering is proportionate and reasonable for the purpose for which it is being gathered. In the case of gathering facial recognition data of children below the age of 18, it is questionable whether this exercise, which means gathering sensitive biometric data and relates to children, is proportionate when the aim is to reduce queuing and waiting times at lunch. Simply put, technology can bring about the improvement in waiting times; however, in the form of facial recognition technology, it is questionable whether it should.

Conclusion

I often bleat on about balance. Seldom do we make gains through technology use without there being some sort of trade-off, cost or other balancing factor. Financial cost is the most obvious of the costs; however, we equally need to consider the longer-term costs of support and maintenance. Additionally, the cyber security and data protection related risks also need to be considered in detail before proceeding. Just because technology CAN be used isn’t enough; we also need to ask whether it is right to use it, and whether it SHOULD be used.

UK GDPR: Showing compliance

One of the few things which I felt was different between the old Data Protection Act 1998 and GDPR, when it was introduced, was the need to be able to evidence compliance as part of the compliance process. So, to be compliant you have to be able to provide evidence of compliance.

So how to show compliance?

As we start a new academic year, I think it is therefore important to give some consideration to how you can demonstrate compliance with UK GDPR, so I thought I would list some of the key evidence you should have.

Data Record Summaries

One of the key things about GDPR and personal data is knowing where the personal data is stored and/or processed, so one of the key methods of showing compliance is to have records of which data is where, along with appropriate classification of the data, who has access to it, its purpose and how it is processed. Now, I know from personal experience this can be a very arduous job; however, it is important to understand that it can be carried out at different levels of detail, from full details down to the individual data fields, which is likely to be too detailed and time-consuming, to higher-level records focussing more on record types. It is therefore important to decide what level of detail you need. It may be acceptable to have a high-level central record, with individual departments then keeping more detailed records at a local, department level.

Retention periods

We also need to be able to show we have considered our retention periods for different record types. Now, the Department for Education provides minimum retention periods for some record types; however, for others schools will need to make this decision for themselves. As such, the evidence of compliance is the retention policy or process, plus the fact that the data currently stored matches it.

Policies

We can also evidence our compliance by having the appropriate policies in place, although really it is less the policies that matter and more that the school follows and complies with its own policies. This can include a privacy policy, data protection policy, acceptable usage policy, data retention policy and information security policy. I think there also needs to be evidence, in the form of policies or documented processes, in relation to incident management and to managing subject access requests or other data issues.

Is Data Protection and GDPR discussed?

This, to me, is the most important evidence. We can create our policies and other documents as a one-off task; however, data protection and compliance with UK GDPR is an ongoing process, as processes and systems change, as additional data is gathered, as the operating environment changes, etc. As such, one of the key pieces of evidence is that data protection is discussed often. This can easily be seen in minutes of meetings, briefing documents, emails, incident and near-miss logs, etc. Simply asking random staff some basic data protection questions, such as who they would report a suspected breach to, or what to look out for in phishing emails, will help you easily identify whether data protection is taken seriously and, therefore, how likely it is that UK GDPR is being complied with.

Conclusion

The above is not meant to be exhaustive, as the reality of UK GDPR is that your approach should be appropriate for your organisation, for the data you store and process, and for the methods you use to process such data. As such, I suspect no two schools will ever be the same, although they will certainly have many similarities.

If I was to make one suggestion, it would be to ensure that you can show that data protection is part of the normal day-to-day processes. There should be evidence of its general and regular discussion, as if this is the case, if it is regularly raised and discussed, it is likely you are already well on your way to compliance.

TAGs and Data Integrity

Following on from my previous post regarding Teacher Assessed Grades (TAGs) and cyber security, where I focused on mitigation measures around avoiding possible data loss, in this post I would like to focus on the integrity of data rather than possible loss.

There are a couple of issues which could impact on the integrity of TAG data:

  • Accidental changes made by users with access
  • Deliberate changes made by users not authorised to make changes, such as students.

Dealing with these issues relies on a number of basic principles which ideally should already be in place.

Least Privilege Access

This refers simply to minimising the users who have access, including minimising those users who have write access rather than read-only access. By limiting the permission level provided, you therefore limit the users who may accidentally or deliberately make unauthorised changes, and reduce the risk as a result.

Linked to the above, it is important to fully understand which users have access to which data/systems, with this being routinely reviewed and adjusted to accommodate staffing changes, role changes, etc.

A checking process

It is likely you will have a process for gathering the data, with this data then reviewed by Heads of Department before eventually going to Senior Leaders and then to the exam boards themselves. It is also important to have a review process to check that unauthorised changes haven’t occurred along the way, and that the integrity of the data is retained across the whole process, from collection to eventual supply to the exam boards.

Audit Trails

If we assume that there is a reasonable likelihood of an accidental or deliberate unauthorised change, the next thing we need to be able to do is identify such changes, including the user who performed them and the changes they made. It is therefore important to consider whether the solution we use to store our TAG data has the relevant audit capabilities, whether that is the audit logs in your Management Information System (MIS) or the version history in Google Workspace or Office 365.
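As an added example, not part of the original post, the following script applies the three principles above (a least-privilege write list, a checking process across the hand-off stages, and an audit trail) to a TAG spreadsheet’s exported version history. The field names, user names, candidate numbers, grades and sign-off time are all constructed for the example and do not come from any real MIS or document platform.

```python
"""Added example (not from the original post): review a TAG spreadsheet's
exported version history against a least-privilege write list and a
sign-off point, and fingerprint the data at each hand-off stage.

All field names, user names, candidate numbers and times are constructed
for this example; they are not from any real MIS or document platform.
"""
from dataclasses import dataclass
from datetime import datetime
import hashlib
import json


@dataclass(frozen=True)
class Change:
    """One row of an exported version history / audit log (hypothetical fields)."""
    user: str
    time: datetime
    student: str   # candidate number
    old: str
    new: str


# Grades as collected from the class teacher (constructed sample data).
COLLECTED = {"C1001": "B", "C1002": "A", "C1003": "C", "C1004": "A"}

# Constructed audit trail: one legitimate moderation by the Head of
# Department, then two changes the checking process should flag.
HISTORY = [
    Change("hod.maths", datetime(2021, 6, 8, 9, 30), "C1003", "C", "B"),
    Change("student1002", datetime(2021, 6, 9, 22, 5), "C1002", "A", "A*"),  # not on write list
    Change("teacher.a", datetime(2021, 6, 11, 8, 0), "C1004", "A", "B"),     # after sign-off
]

# Least-privilege write list: everyone else should have read-only access.
AUTHORISED_WRITERS = {"teacher.a", "hod.maths"}

# The moment Senior Leaders approved the data for submission to the exam board.
SIGNED_OFF_AT = datetime(2021, 6, 10, 17, 0)


def fingerprint(grades: dict) -> str:
    """SHA-256 over a canonical JSON form, so the same grades always hash the same."""
    canonical = json.dumps(grades, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def apply_changes(grades: dict, history: list) -> dict:
    """Replay history entries in time order onto a copy of the grade table."""
    result = dict(grades)
    for change in sorted(history, key=lambda c: c.time):
        result[change.student] = change.new
    return result


def unauthorised_changes(history: list, writers: set) -> list:
    """Audit-trail check: edits by anyone outside the least-privilege write list."""
    return [c for c in history if c.user not in writers]


def changes_after(history: list, cutoff: datetime) -> list:
    """Checking-process check: edits made after the data was signed off."""
    return [c for c in history if c.time > cutoff]


def integrity_report(collected: dict, history: list, writers: set,
                     signoff: datetime) -> dict:
    """Combine the checks and compare the approved and submitted fingerprints.

    The fingerprint comparison alone cannot see an unauthorised edit made
    *before* sign-off; that is why the audit trail is reviewed as well.
    """
    approved = apply_changes(collected, [c for c in history if c.time <= signoff])
    submitted = apply_changes(collected, history)
    approved_fp, submitted_fp = fingerprint(approved), fingerprint(submitted)
    return {
        "unauthorised": unauthorised_changes(history, writers),
        "post_signoff": changes_after(history, signoff),
        "approved_fingerprint": approved_fp,
        "submitted_fingerprint": submitted_fp,
        "matches_approved": approved_fp == submitted_fp,
    }


if __name__ == "__main__":
    report = integrity_report(COLLECTED, HISTORY, AUTHORISED_WRITERS, SIGNED_OFF_AT)
    for c in report["unauthorised"]:
        print(f"UNAUTHORISED WRITER {c.user}: {c.student} {c.old} -> {c.new} at {c.time}")
    for c in report["post_signoff"]:
        print(f"POST-SIGN-OFF EDIT by {c.user}: {c.student} {c.old} -> {c.new} at {c.time}")
    print("submitted data matches signed-off version:", report["matches_approved"])
```

Recording the approved fingerprint in the minutes at sign-off gives Senior Leaders something to compare against the file actually sent to the exam board, while the two list checks are the questions to ask of the audit log itself.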

Conclusion

Generally, when considering cyber security, the important thing is to identify the risks and then identify and employ appropriate mitigation measures. There is seldom a “solution” in terms of a product, configuration or setup which is perfect; however, there is a solution appropriate to your context and your organisation’s view as to risk and risk appetite.

It is also important to note that the best approach is a layered approach. In this and my last post I haven’t mentioned the use of storage arrays, mirroring of servers and other approaches aimed at either ensuring business continuity or making recovery quick and, hopefully, easy. Although these options add to the complexity of the possible approaches, the key is once again to assess the risks in your school’s situation and context, and deploy the solutions which you believe best address these risks within the framework of a risk management strategy.

Data Protection and Cyber Security in a Pandemic

In a pandemic, when trying to keep students learning and businesses operating while schools, offices and shops are no longer able to operate as they normally would, cyber security and data protection aren’t exactly top of the list of things to consider. They may even have fallen off the list altogether. As such, over a year after the first lockdown, I thought it appropriate to share some thoughts in relation to data protection and cyber security in schools.

During a pandemic it is critical to prioritise. The important things come first, so health, safety and wellbeing are likely at the top of the list. For businesses, during a lockdown, the ability to work remotely is critical, while for educational institutions enabling online teaching and online learning is critical, all requiring action to be taken quickly. Back in mid-March 2020, although the writing was on the wall, we didn’t see the first UK lockdown coming, and so when it did there was a rapid move to put the relevant technologies in place to enable online working, teaching and learning.

The issue with this rapid deployment of technology was that it was done based on an immediate need rather than being fully thought through and reasoned out. Considerations such as potential cyber security or data protection risks were, due to immediate necessity, either pushed to the side or given less consideration than they would normally receive or are due. So, now that we find ourselves a year further on, here are some of the things I think we should be looking at:

  • The big players

Schools coalesced largely around the two big players in cloud-based productivity solutions, Google and Microsoft. For me this was done for very good reasons, given the functionality provided by each; however, I wonder if the implications of this, such as the reliance on a single platform, have been considered. I also wonder if schools have considered what they would do in the event of a significant issue/outage within their chosen platform, or if specific tools within the platform were discontinued. I do believe that it is almost essential to select one of the two platforms; however, I think it is important to consider the implications of this decision.

  • Where is my data?

During the pandemic, and in order to deliver the best learning experiences possible, teachers introduced new apps, often for specific lesson activities rather than for long-term use. I suspect that as a result the overall visibility of the apps in use, and therefore of the location of school data, may have reduced. This is something that will need to be addressed and will likely require schools to audit the apps in use as we move forward.

  • PIA and risk assessments

Linked to the above, apps may have been introduced without an appropriate review of cyber security and data protection, including a review of the terms and conditions, privacy policies and other documentation relating to third-party apps. This would have been done due to the need to quickly adapt to the remote learning and teaching situation we found ourselves in; however, as we move forward, appropriate reviews and impact assessments will need to be carried out. Additionally, changes to existing platform settings or their usage are likely to have been made to facilitate learning during a lockdown, and as such any previously conducted risk assessments or impact assessments may no longer be valid; these will therefore need to be reviewed and updated.

  • Use of personal devices

During lockdown both students and staff have often either been forced, or have chosen, to make use of personal devices for remote working and remote learning. With this comes cyber risk and also data protection implications, such as the potential for school data to end up on a personal device which is shared by different members of a family. This needs to be considered and risk assessed, and appropriate mitigation measures put in place, whether these be technical measures and/or policy measures.

  • Remote Access

Remote access to systems was key during lockdown. How else would students and staff access the relevant systems, both teaching and learning systems and administrative systems? We now need to review this situation with a view to cyber security, to limit the risk of malicious use of remote access by external threat actors, and also to ensure that remote access settings are appropriate to a secure IT environment.

The above 5 issues are the 5 which come most easily to mind; however, I suspect I could easily continue this blog to cover 10, 15 or even more items which we now need to consider. The pandemic and resulting lockdown required us to work quickly and flexibly to identify solutions. We now need to spend some time reflecting on the decisions made, and checking that in the longer term they continue to be the right decisions.

As I have commented on a number of previous occasions, the issue with data protection and cyber security is that everything is OK until it isn’t. We may have put new systems in place or changed settings to support us through the pandemic. There may be no current issue with what has been done; however, unless we now spend time analysing the decisions and their potential implications, we run the risk of sleepwalking into a data protection or cyber issue. As some sense of normality hopefully returns to the world, we need to look back on the rapid change the last year has brought and assure ourselves that we are happy with what is now in place.

GDPR; 2 Years on

Back in 2017 I wrote a post for UKEdChat in relation to GDPR (see the post here), prior to the introduction of the GDPR regulations in May 2018. It is just over 3 years since that post, and almost 2 ½ years since GDPR came into force, so I thought it would be a good time to revisit the post and share some of the things I have learned in relation to data protection and GDPR since then.

Subject Access Request

One of the key things I expected when I wrote my post in 2017 was a significant increase in Subject Access Requests (SARs). For me this never really materialised. What did materialise, however, for the limited number of SARs received, was a more difficult and time-consuming process in trying to fully respond to requests. Thankfully, new tools such as the eDiscovery tools in Office 365 made this reasonably easy and convenient from an IT point of view, but this didn’t alleviate the administrative challenges around the need to review, and also redact, the data identified by the eDiscovery tool.

Evidencing compliance

One of the key things I have learned in relation to GDPR is the importance of evidencing compliance with the regulations. Things will not always go to plan, and when they don’t there is a need to prove that you have done all that is reasonably possible. This means documenting processes, documenting incidents, even minor ones, and documenting discussions regarding the perceived risks and mitigation measures, including the mitigation measures which have not been applied due to cost or operational impact. You need to be able to prove that you have fully engaged with the legislation and made every reasonable attempt to comply.

Interpreting the rules

It is clear that the GDPR rules are not as clear as some people, and especially those selling GDPR goods and services, would make out. There is a need for interpretation within the context of your own school, and any such interpretation needs to be documented. There is also an opportunity here to reach out to other schools similar to yours to see how they have dealt with certain situations, and how they have interpreted GDPR. Again, a key issue is the need to document any decisions or conclusions reached in your interpretation of GDPR.

Third Party Management

I mentioned third-party management in my 2017 post and I believe my concerns have been proven. Third parties have shown themselves to be a source of cyber risk, with cyber criminals breaching third parties and then moving laterally into an associated school or other organisation. Third parties have also shown themselves to be a risk where they are used to process or store your school data, as a breach of the third party storing your data is your responsibility; you are the data controller. The key here is the need for due diligence and a privacy impact assessment before engaging with a third party, plus the routine review of these assessments and of third parties’ approach to data protection and to cyber security. We can’t truly control the third parties we engage or the criminals who may seek to breach them, but we can try to ensure they are as prepared as possible, and can ensure we can evidence that we have taken all reasonable measures should something go wrong.

Risk Management

This is my biggest learning point from the last 3 years, since my post in 2017. There are no 100% answers when it comes to cyber security and data protection. It is all about managing risk. Every action we take in terms of the setup of a system, the processes we use, the third parties, etc., involves a business benefit or gain but also a risk. Nothing is without risk. As such we need to be constantly reviewing the risk and deciding what risk is acceptable and what is not. We need to examine the available mitigation measures and decide which we will implement and which we will not, the latter often due to potential operational efficiency losses or simply down to cost. Above all, we need to document these considerations and the resulting decisions.

Conclusion

I am not sure GDPR changed things as much as I thought it might; however, it definitely did provide an opportunity to re-examine processes, systems, etc. with a view to keeping data safe and secure. This also provided a key opportunity to develop the all-important documentation in relation to processes and systems. I think in 2017 I looked at GDPR as a piece of legislation and an end point in ensuring readiness for May 2018. Looking back, I now see GDPR as more of an ongoing process which will never end. GDPR is about ensuring we are doing all that is reasonably possible to safeguard the data entrusted to us.

Digital Citizenship

For a while now I have been sharing via Twitter, and sometimes via LinkedIn, various online articles which I believe relate to Digital Citizenship. It recently occurred to me that it might be useful to curate these tweets so that teachers looking for discussion material on specific aspects of Digital Citizenship might be able to use them.

To that end I created three Wakelets based on three themes which I thought were reasonably common in relation to Digital Citizenship.

  • AI, Drones, Driverless cars and the other societal changes which Tech may bring

https://wke.lt/w/s/kJ3z2B

  • Cyber Security, Data Protection and Big Data

https://wke.lt/w/s/XFOeIs

  • To ban or not to ban?

https://wke.lt/w/s/09MVpQ

It may be that in future I expand the number of themes; I suspect this is highly likely, but for now the above are hopefully a good starting point.

In addition, for ease, I have created a separate section on my site for this curated Digital Citizenship content in case anyone wants to bookmark it. This section is also available via the site's menu structure.

GDPR and third party solutions

I have previously written about third-party-related cyber risk in relation to data protection and GDPR, but I think it warrants a little further discussion. To start I will state what I believe is the key message:

A third-party system in use by your school, such as a cloud hosted MIS or Learning Platform, doesn’t mean that data security and data protection aren’t your problem. It’s still your data and, although the third party might be processing it for you, you are still the controller. You are still responsible for the data and for ensuring that adequate security measures are in place, and that you can prove that they are in place, or at least have received reasonable assurances that they are in place.

There is also a second key point which I feel needs making: cyber security and data protection decisions should always use a risk-based approach. The approach and level of detail required in an impact assessment for a learning tool where student emails are the only personal info, and for a school management system containing name, address, medical, academic, pastoral and other personal data, are totally different. The greater the risk, the greater the time and effort required to ensure that an appropriate assessment and appropriate decision making have taken place.

So, let’s take two different scenarios and look at them. The first scenario is a good old cloud hosted solution, while the second is the one which is often overlooked: a locally hosted solution using a third-party product.

A cloud hosted solution

I feel this is the more accepted and therefore easier of the two scenarios. Here we have a school using a cloud hosted MIS, for example. The data is held on hardware outside the school on a third-party platform. The school must therefore ask a number of questions relating to how the third party keeps data secure, how they will provide the data in the event the school requests it and how the data will be deleted should the school cease using the service, to list just a few. Most of this info will be outlined in the terms and conditions or any contract which was signed, so it is relatively easy to get the information. There will also be questions related to how the third party tests its security through penetration and/or vulnerability testing, as well as what their process is should a data breach occur. I often ask vendors to confirm when their last penetration test took place and, for higher risk systems, ask them to provide a summary of findings. The answers to the above questions will help the school to establish a view on the risk associated with the platform and to document that appropriate consideration of cyber security and data protection has taken place.

A locally hosted solution

This is, I feel, the more difficult scenario. The third-party platform is hosted on the school’s own network and hardware, and therefore the security of the platform can be directly impacted by configuration decisions of the school itself. The school therefore should ideally be conducting regular penetration testing to check the security of the infrastructure on which the third-party solution sits. The issue here is that some third parties at this point believe that the security of the data is therefore down to the school, as they control the network and network setup. This is the kind of response I have received from a number of solutions vendors only recently. To a point they are correct, but only to a point. The network should be constructed with “privacy by design” in mind such that it is developed with security always in mind, but the network infrastructure is only half the solution.

The other half is the third-party software. It too should have been developed with “privacy by design” at the forefront of thinking, and it is for schools to question whether this is the case. For me, this means asking questions in relation to how the company approaches checking their application for vulnerabilities. This ideally should involve a proactive search for vulnerabilities, including the use of vulnerability assessment or bug bounty programmes. There is also the acceptance that the finding of vulnerabilities should be treated as a “when” as opposed to an “if”. As such, companies should be able to demonstrate that they have a plan in place for when a vulnerability is identified in their platform. This plan should involve notifying clients in a timely fashion. In relation to being timely, I think it is important to consider the ICO’s requirement to potentially report data breaches within a 72-hour period, so it would be preferable that disclosure happens sooner, and ideally within 24 hours, rather than later.

It is this vulnerability notification process which I often find to be particularly lacking in third-party vendors supplying solutions to schools.

As schools take on more and more third-party solutions, and as more and more of these solutions are integrated and communicate with each other, the cyber security and data protection risk related to third parties only increases. Schools therefore need to ensure that this is carefully considered and that they have taken all reasonable measures to ensure that their data, and that of the students, staff and parents related to the school, remains secure. An easy starting point is therefore contacting third parties and asking some of the questions listed in this post.

Banning Office 365 in schools?

A German state has announced that it is banning the use of Office 365 in its schools, citing GDPR reasons (read article here). The issue arose, according to the article in The Verge, following Microsoft closing their German data centre, resulting in a potential risk that German personal data may be accessed by US authorities.

My view on this is that there has been a certain amount of overreaction on the part of the German state when viewed as a GDPR related action. I can understand their concerns in relation to unauthorised access to data by US authorities. This would represent a GDPR risk; however, it takes a very narrow view of the situation.

A broader view would include the implications of not using Office 365 to store data. This means that schools are now storing their data locally on servers, most likely within individual schools. I would suggest that the ability of individual schools, school groups or local authorities to secure their local data, including appropriate monitoring and patching of servers, etc, is likely to be far short of what Microsoft provide in their data centres. They are unlikely to have the resources, both technology and staffing, or the skills and experience. As such, removing one GDPR risk in relation to potential unauthorised access by US authorities has simply replaced it with another risk, namely a reduced level of security for data in each school. I would suggest that the new risk is higher than the risk they have mitigated in banning Office 365.

In all this discussion there is a wider, more important, question: who has my data, including any telemetry data resulting from system usage? The answer is sadly that this is very difficult to identify. Every time we use an Android phone, do a Google search, order from Amazon, access Office 365 or do any manner of other things using Internet connected technologies, data is being generated and stored. It is also often shared and then combined with other datasets to create totally new datasets. Consent for data gathering is clear in very few sites/services. In most it is buried in detailed terms and conditions written in complex legalese. In some cases the terms and conditions are clearly excessive, such as in the recently trending FaceApp, where use of the app grants the company a perpetual license to display “user content and any name, username or likeness providing in connection with your user content” (see a related tweet here). Basically, when you provide your photo to the app they can keep it and use it as they see fit from now until the end of time. There is also the use of tracking cookies, where I see a large number of websites seeking permission to use cookies but without any real details as to what data is being stored or why the data is needed.

It is for the wider question that I applaud the German state, as they are helping to raise the question of data: how it is gathered, used and shared. The waters are incredibly murky when it comes to how the big IT companies, such as Google, Facebook and Microsoft, manage data. We all need to stop and examine this situation, however not as individual states or countries but on a global and societal level. As to Office 365 being a GDPR risk: I suppose it is, but then again there are very few, if any, systems which do not represent some sort of risk, and I doubt we are going to put down our phones, stop searching Google, stop buying from Amazon, etc.