Page 1

ICT Conference 2014 17 March 2014

Data Protection and Mobile Technology The risks and the solutions for schools

Paul Gibbons


About me… • 20 years’ experience of information and records management • Information Governance Manager at Greater London Authority and in NHS • Information Compliance Manager in Higher Education (SOAS) • Write about and provide training in Data Protection and other information law


Agenda • • • •

The Data Protection Act and Principle 7 Mobile technology and schools Personal devices Getting yourself in shape


The Data Protection Act • Relates to personal data • Requires compliance with 8 data protection principles • 6 rights for data subjects • Conditions under which use of data allowed


Principle 7 “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data�


Mobile Mobiles Number of lost mobile phones handed in to London Underground in 2012

20,906

The number of tablet 506 computers handed in in 2013 Source: V3 website/FOI request to TfL


Personal devices • There are 30 million smartphone users in the UK (at least) • Add to that tablets and laptops… • Research by Information Commissioner’s Office has shown that 47% use personal devices for work purposes • Your staff and governors will almost certainly be amongst them


Mobile technology in schools


Mobile technology in schools “There has been a spate of incidents where laptops containing personal information have been stolen from workplaces, vehicles and houses, or left in public places. After this, the Information Commissioner has decided that where such thefts or losses occur and encryption software has not been used to protect the data, enforcement action will usually follow.� From ICO report on DP guidance given to schools in 2012


Be afraid‌


Penalties Greater Manchester Police (October 2012) – data on crime victims on memory stick stolen from officer’s home £150,000


Penalties Glasgow City Council (June 2013) – two unencrypted laptops stolen from council offices £150,000


Penalties North East Lincolnshire Council (October 2013) – reports on 286 children with special educational needs on memory stick lost by teacher £80,000


Undertaking – Royal Veterinary College • Member of staff’s camera stolen – but contained memory card with passport images of job applicants • RVC forced to sign undertaking: – mandatory DPA training – policies on use of personal devices – encryption of all personal data on portable devices


Getting yourself in shape


Train your staff • Most incidents are result of human error • Penalties likely to be greater if staff not trained • Keep records of who has been trained


Get policies in place • • • •

Data protection policy Information security policy Use of mobile technology BYOD and personal devices

• Implement them!


Audit your IT equipment • What devices and operating systems are in use? • Record serial numbers, installed software and who it is issued to


Is software supported? • April 8 – Microsoft support for Windows XP and Office 2003 ends • After that date laptops running this software will become increasingly vulnerable • Make sure migration programme in place


What about personal devices? • Are staff/others able to access personal data using their own devices? • Read ICO guidance on BYOD http://ico.org.uk/for_organisations/data_protection/topic_guides/online/byod


What about personal devices? • Encourage staff to use security settings on devices • Use different applications to access business systems if possible


Encryption • Encrypt laptop/external hard drives • Software available to create encrypted area on device • Be careful – if you forget the password, there may be no way to get access to the data again (so an unencrypted backup in a secure location is a good idea)


Encryption • Consider issuing encrypted memory sticks • Provide facility for staff and governors to encrypt files they want to send via email


The Cloud • Discourage use of cloud services unless you have assurances written into contract • Remember servers may be outside EEA so may breach principle 8


Disposing of mobile technology • Properly dispose of old equipment in way that ensures data does not remain accessible • If third party carrying out disposal – make sure contract specifies how and requirement to comply with 7th DP Principle • Brighton & Hove - £325,000 penalty!


Be a personal data saint! • Be aware of risks – and solutions • Get policies in place

• Train your staff • Know what you’ve got • Secure your data


www.foiman.com @foimanuk

paul@foiman.com For information rights training and consultancy

ICT conference (Data Protection and Mobile Technology)  
Read more
Read more
Similar to
Popular now
Just for you