In a pandemic, when trying to keep students learning and businesses operating, while schools, offices and shops are no longer able to operate as they normally would, cyber security and data protection aren’t exactly top of the list of things to consider. They may even have fallen off the list altogether. As such, over a year after the first lockdown I thought it appropriate to share some thoughts in relation to data protection and cyber security in schools.
During a pandemic it is critical to prioritise. The important things come first. So, health, safety and wellbeing are likely at the top of the list. For businesses, during a lockdown, the ability to work remotely is critical while, when looking at educational institutions, enabling online teaching and online learning are critical, all requiring action to be taken quickly. Back in mid-march 2020, although the writing was on the wall, we didn’t see the first UK lockdown coming and so when it did there was a rapid move to put the relevant technologies in place to enable online working, teaching and learning.
The issue with this rapid deployment of technology was that it was done based on an immediate need rather than fully thought and reasoned out. Considerations, such as potential cyber security of data protection risks, were, due to immediate necessity, either pushed to the side or given less consideration than they would normally receive, or they are due. So now we find ourselves a year further on, here are some of the things I think we should be looking at:
- The big players
Schools coalesced largely around the two big players in relation to cloud based productivity solutions, being Google and Microsoft. For me this was done for very good reasons given the functionality provided by each, however I wonder if the implications of this, such as the reliance on a single platform had been considered. I also wonder if schools have considered what they would do in the event of a significant issue/outage within their chosen platform or if specific tools within the platform were discontinued. I do believe that it is almost essential to select one of the two platforms, however I think it is important to consider the implications of this decision.
- Where is my data?
During the pandemic, and in order to deliver the best learning experiences possible, teachers introduced new apps, often for specific lesson activities rather than for long term use. I suspect that as a result of this the overall visibility in relation to the apps in use, and therefore the location of school data, may have reduced. This is something that will need to be addressed and will likely require schools to audit the apps in use as we move forward.
- PIA and risk assessments
Linked to the above, apps may have been introduced without an appropriate review of cyber security and data protection, including reviewing terms and conditions, privacy policies and other documentation relating to third-party apps. This would have been done due to the need to quickly adapt to the remote learning and teaching situation we found ourselves in however as we move forward appropriate reviews and impact assessments will need to be carried out. Additionally, changes to existing platform settings or their usage are likely to have been made to facilitate learning during a lockdown, and as such any previously conducted risk assessments or impact assessments may no longer be valid; These will therefore need to be reviewed and updated.
- Use of personal devices
During lockdown both students and staff have often either been forced or have chosen to make use of personal devices in remote working and remote learning. With this comes cyber risk and also data protection implications, such as the potential for school data to end up on a personal device which is shared by different members of a family. This needs to be considered and risk assessed, and appropriate mitigation measures put in place, whether these be technical measures and/or policy measures.
- Remote Access
Remote access to systems was key during lockdown. How else would students and staff access the relevant systems including both teaching and learning, and administrative systems. We now need to review this situation with a view to cyber security to limit the risk of the malicious use of remote access by external threat actors, plus also to ensure that remote access settings are appropriate to a secure IT environment.
The above 5 issues are the 5 which come most easily to my mind however I suspect I could easily continue this blog to cover 10, 15 or even more items which we now need to consider. The pandemic and resulting lock down required us to work quickly and flexibly to identify solutions. We now need to spend some time and reflect on the decisions made, and to check that in the longer term they continue to be the right decisions.
As I have commented on a number of previous occasions, the issue with data protection and cyber security is that everything is ok until it isnt. We may have put new systems in place or changed settings to support us through the pandemic. There may be no current issue with what has been done however unless we now spend time to analyse the decisions and their potential implications, we run the risk of sleep walking into a data protection or cyber issue. As some sense of normality hopefully returns to the world, we need to look back to the rapid change the last year has brought and assure ourselves that we are happy with what is in now in place.
Technology and Learning