Beware of the cloud: how pupil data privacy got problematic

Security is rarely a top motivation when schools purchase software. So who is responsible for making sure that pupil information stays safe? And what happens if there are breaches? In the fifth of her six-part series on technology in schools, Jess Staufenberg finds a “curiously closed” system of self-assessment.

The personal data of children has always been a sensitive topic. Everything from fingerprinting to hacking has caused extreme anxiety. Just last week the names of pupils feared “at risk of radicalisation” were accidentally released by their London school. Amid the panic, it can be difficult to assess what the actual threats to data protection are and whether students’ iris scans are top of the list.

Schools are increasingly putting data into the “cloud”, a form of internet storage that works across networks and can be accessed by computers in different locations. Encrypted “personal data”, from basic details such as age and gender, to “sensitive personal data” such as medical information, sexual orientation and, lately, “radicalisation risk”, may be stored in the cloud’s internet-based secure network. That network might be owned by a small UK-based company, or a global player such as Google or Microsoft, each automatically backing up pupil information simultaneously across multiple sites. Any data stored on these systems that could “reasonably identify a living person” is deemed “personal” and therefore must be handled according to the 1998 Data Protection Act – whose seventh principle (of eight) is that “appropriate technical and organisational processes” be in place.

Responsibility for checking these “appropriate” processes is increasingly shifting away from experienced organisations and towards teachers. Vicky Cetinkaya, senior policy officer at the Information Commissioner’s Office (ICO), explains that the marriage of increased responsibility with reduced control makes cloud data protection a risk for schools.

“When you are [putting data] on your own servers, you know how secure those servers are. But when you’re using something like the cloud, you give your data to a cloud provider.”

Although the control of the data itself is given to another provider, the school remains the legal “data controller” and is legally culpable for any breaches by the provider. Schools using local authorities or non-cloud based providers also faced this risk, but the steady eroding of independent checks to assess the quality of providers makes their continued legal culpability more problematic. Tony Parkin, a consultant educational technologist, says that “it’s all word of mouth now. There’s nobody doing any assessing of how good or bad these people are.”

Culpability also gives schools little incentive to report a data breach. According to the ICO, schools report data breaches voluntarily. Providers can also choose to sign up to self-assessment measures or the Information Commissioner’s standards. Steve Harcourt, data security lead at cloud computing provider Redstor, and chair of finance at Highdown Secondary School in Reading, says the move is towards self-certification. “Ofsted has tried to allow a lot more self-monitoring, so there’s a lot more self-reporting.”

The ICO says that it does not know how many schools use cloud providers as headteachers do not have to inform the body of the methods used to secure data. In the past five years, no school has been fined for data breaches.

The result is a curiously closed system of self-assessment where, according to Steve Moss, a leading education technologist, “schools are unfortunately having to work these things out in many cases, rather than being able to rely on a highly professional body whose job it was to provide this advice”.

Before cloud computing took off in 2010, the system would have been overseen by BECTA – the British Educational Communications and Technology Agency – but this was closed in March 2011. At the time a second group, the Education Technology Action Group, was said by then-education secretary Michael Gove to provide better technology guidance but even its thoughts were shoved out after Gove moved office.

As the Department for Education (DfE) said in its recently updated 14-page advice on data protection and the cloud environment: “the majority of schools have only an outline knowledge of how data protection should be approached in a ‘cloud’ environment”. Yet self-regulation remains the determined direction of travel.

Schools without the “legal advisers” recommended by the DfE to understand the implications of their software purchases face a bewildering market. And the guidance fails to take into account that teachers say cost and ease are the real considerations when making purchasing decisions. Security is rarely a top motivation.

Moss says there are varying degrees of “cloud” on the market: private and public, and clouds that combine different providers.

“Academy trusts are, by and large, developing their own private clouds,” he says, citing the Harris Federation. The advantage of a closed system is that “no one can access private clouds – no one can access that information outside the organisation”.

Public clouds such as Google, which gave access to schools with Google Apps for Education (GAFE) around 2010, are surely not less secure than private arrangements?

“If schools are putting sensitive pupil data into the public cloud, they need to think about that carefully,” Moss says. “There’s a difference between the public cloud and private cloud. If you think this data is really sensitive and I don’t want to risk anyone outside the school […] then no, you wouldn’t put that in a public cloud.”

But Guy Shearer, head of IT and data at David Ross Education Trust, says schools cannot always afford a private cloud.

“Private is not cheap,” he says. “I have no doubt that Google are able to securely host data as well as, or better than I can. But […] we probably are many years away from making wholesale use of a public cloud service for anything that could be termed personal data.”

Schools must be careful who they trust, and for good reason. This week the Electronic Frontier Foundation filed a complaint with the US Federal Trade Commission (FTC) against Google for automatically tracking children’s internet searches through its “Sync” feature, found on Chromebooks [laptops that run Google’s Chrome operating system] and its education apps, without letting parents and students know.

So why have schools moved to cloud-based solutions, given the risks? “It’s mostly been a financial incentive, or an educational incentive,” Moss says.

Tony Parkin echoes him: “Security is not actually the school’s main worry. One thing is cost. If you start putting in massive server rooms, cooling systems and off-site storage, that’s really expensive and complicated. If you do the cloud thing, all of that becomes someone else’s problem.”

England’s largest academy chain, AET, recently boasted of its near £1 million savings after moving all its ICT operations into the cloud.

The trust’s Chris Meaney says the cloud has become more user-friendly “so you don’t need highly trained staff using the tools that schools would normally have to buy in”. Where its schools had previously spent £30,000 per year on a staff member just to deal with servers and networks, AET could now staff this centrally.

For all the conspiracy about data, and the sorts of people who might be after it, a shift towards a wireless medium like the cloud is more about pragmatism and costs than anything else.

Student data is also potentially safer now. Files have ways of disappearing; disks of being left on trains. If there are cloud security failures, it will likely be due to a lack of vetting and security advice. Unfortunately for schools, with the assessment of privacy procedures left squarely on their shoulders, without easy access to this advice, an unprecedented risk and legal responsibility has been laid at their doors.
