BYOD in schools - How safe is your data?

Ed Whittaker

Ed started his career in chemistry, working for ICI Organics Division in Blackley. Having decided that 21 days' holiday a year was simply not enough, he left industry to take up teaching at the age of 30. He spent the next twenty-odd years teaching chemistry to GCSE and A level, and learning about behaviour management the hard way. Early in his teaching career he became interested in classroom management techniques following some Keystone Kops style episodes in his Y9 lessons. For the last few years of his teaching career Ed was the behaviour lead in a large Manchester comprehensive and was responsible for the successful introduction of BFL into the school. In July 2008 Ed left teaching to form Schools Data Services Ltd, specifically to promote IRIS, an on-line behaviour and rewards management facility devised by Ed and ex-school MIS manager Andrew Rose.

Ed lives in Rochdale with wife Helen, two boys and a dog of very small brain called Archie. His main ambition is to make a difference in education by providing an alternative low cost, high value MIS to schools.

Website: www.iris.ac

The rise in the popularity of BYOD in schools raises a number of data security issues for school leaders to consider.

What is BYOD? There has been a huge rise in the popularity of hand-held and tablet devices in the last few years, and some schools may allow staff to use their own personal devices to access school systems. This is commonly known as Bring Your Own Device, or BYOD, and there are advantages in allowing staff to provide their own IT equipment. However, the use of personal devices to access school systems raises a number of questions regarding the school management's duty under the Data Protection Act (DPA). This is particularly so if the device is used to access the school MIS (e.g. SIMS) or to hold any kind of staff or pupil information. It is important to remember that the school, as data controller, remains responsible for the security of the information, regardless of who owns the device used to access or process the data.

The risks - a BYOD device is owned and maintained by the user, not the school. This means that the school has little or no control over how, where or when it is used, what else is installed on it, or who else has access to it.

Before permitting BYOD use in school, there are several things to consider:

  • the type of data to be accessed via the device
  • whether any data is going to be stored on the device
  • how secure any data transfer to and from the device is
  • whether there is any potential for data leakage
  • the blurring of personal and business use
  • how secure the device itself is
  • what happens when the device owner leaves
  • how to deal with the loss or theft of the device

Under the 1998 Data Protection Act, the school must take appropriate technical and organisational measures to prevent loss or unlawful processing of the data the device holds. This does not necessarily mean that schools should impose a blanket ban on BYOD, as there can be benefits, including increased work efficiency, flexibility and job satisfaction. What it does mean is that schools considering BYOD should first make sure they have a robust and well thought-through BYOD policy.

BYOD policy - a good place to start would be an audit of all the types of device likely to be used by staff in the school. Then consider which, if any, personal data should be accessed by those devices and which should be held more securely. It is important that users are made fully aware of their responsibilities for keeping any data safe and secure. This can be done by drawing up an acceptable use policy for BYOD. The policy should make it clear which data can be accessed via BYOD and which cannot. You may also wish to consider whether use of BYOD might conflict with any school policy on the use of social media.

It is important to determine how and where any personal data might be stored: on the device itself, on the school network, or externally on a public or private cloud. Regardless of where the information is stored, it is still the school's responsibility, as data controller, to take appropriate measures against unauthorised access or loss of data. Be aware that some devices have removable memory cards, so the loss of data may not be apparent for some time. Some security steps which could be taken include:

  • using a password or PIN to secure access to the device
  • using encryption to protect the information stored on it
  • ensuring that the device locks if an incorrect password is entered too many times
  • ensuring that the device locks if left inactive
  • maintaining a clear separation between school and personal data, e.g. by using different apps

Your BYOD policy should also consider how data is transferred, as the transfer process itself presents risks. For maximum security, ensure all data is transferred via an encrypted channel, and treat any public cloud-based sharing or back-up facility with extreme caution, since data synced there leaves the school's control. You should also consider whether to insist on the disabling of interfaces such as Bluetooth or Wi-Fi when they are not needed.

Finally, the BYOD policy should facilitate compliance with the Data Protection Act as a whole. Although security of the device might be the primary concern, care should be taken to ensure that data is not processed for any purpose other than the one for which it was originally collected. Users should be informed of their responsibility to use the data strictly for school business. Also, if the same data is stored on several devices, copies may become out of date, and data may be kept for longer than necessary. There may also be difficulty in responding to a data subject's right to know how and where their information is stored.

BYOD raises a number of data protection concerns because the device is owned by the user rather than the data controller. Nonetheless, it is crucial that the school, as data controller, ensures that all processing of personal data under its control remains in compliance with the DPA. In the event of a security breach or a lost device, you must be able to demonstrate that you have secured, controlled or deleted all personal data on that particular device.

Photo credit: Ivan Casasempere
