
e-Safety and e-Waste: getting it right for Ofsted

For a senior leadership team and board of governors, there can be few matters that are given as high a priority as safeguarding. With new stories breaking in the national media on a seemingly daily basis, it’s a subject that evokes raw emotion in all of us.

The fact is that nowadays safeguarding within schools has more time in the limelight than ever before. Schools and academies need to get it right – not only because of their moral and legal obligation to do so – but also because getting a good inspection report increasingly depends on it.

In the most recent guidance published by Ofsted in October 2014, ‘Inspecting Safeguarding in Maintained Schools and Academies’, there are 59 points relating specifically to safeguarding.

One sub-area of safeguarding that schools are increasingly having to consider is e-Safeguarding, often referred to as e-Safety. Paragraph 157 of the September 2014 School Inspection Handbook states that in assessing the quality of leadership and management, school inspectors should consider the promotion of safe practices and a culture of e-Safety.

e-Safety is evaluated by Ofsted in the context of the 3 Cs:

Contact
Being subjected to detrimental online interactions (e.g. cyberbullying)

Content
Exposure to unlawful or damaging material

Conduct
Personal behaviour that causes or increases harm(1)

It is the area of conduct that provides an inherent link to end-of-life IT hardware.

Sexting

Sexting – defined as sending sexually suggestive messages or images via text messaging – is a growing concern for many parents and school leaders. Quantitative research on sexting has found rates ranging from 15% to 40% among young people, depending on age and on how sexting is defined and measured(2).

In considering a school that either provides a device for the individual use of a pupil, or runs a leasing scheme to enable parents and guardians to provide one for their child, the above statistics would mean up to 400 devices could contain footprints of child pornography.

As always with data, simply deleting files in an operating system does not remove them forever. A two-minute web search using the browser of your choice would show a plethora of freeware and open source apps to recover supposedly ‘deleted’ files. Only using IT recycling organisations with ADISA accredited ‘wipe on receipt’ policies and Government accredited software would give your school peace of mind that it was properly protecting pupils.

Child protection and admin/teacher devices

It has been common practice for schools to provide a mobile device to aid teaching since BECTA’s Laptops for Teachers programme launched in 1998.

Guidance is very clear that when pupil data leaves the ‘secure’ school network, it needs to be encrypted. The fact remains that many schools do not have suitable encryption in place. And even when a file is accessed within a ‘secure’ school network, it still leaves the same digital footprint and carries the same risk of data recovery as discussed earlier.

Many schools and academies will have specific children who are at greater risk than others because of their life experiences. Information about all pupils should be protected in line with responsibilities set out in the Data Protection Act 1998. Indeed, a school’s leadership team is likely to be judged inadequate if the school’s arrangements for e-Safeguarding do not meet statutory requirements.

What the Government expects you to do with your hardware

The Government’s Security Classifications April 2014 set out guidelines for all public sector organisations, including educational establishments, to classify their data against three levels (OFFICIAL, SECRET and TOP SECRET). Rather confusingly, there is also a subset category, OFFICIAL SENSITIVE [PERSONAL], that all institutions should understand in order to assess how it affects them.

Data within a school will most likely fall within either the OFFICIAL or OFFICIAL SENSITIVE [PERSONAL] categories.

In any case, the Annex to the Government Security Classifications Policy (December 2012) describes the controls required to provide a proportionate and robust level of protection for assets. In terms of the disposal or destruction of computers, the guidance is clear:

“Electronic media used to process HMG assets must be sanitised and disposed of in accordance with the requirements in HMG IA Standard No. 5 – Secure Sanitisation.”

HMG IA Standard No. 5 sets a wide range of requirements – not just the technical detail of overwriting data, but also the policies and processes that organisations should have in place to ensure that media are disposed of securely.

Getting peace of mind

In a nutshell, if you use an IT asset disposal partner whose processes are certified to standards recognised by Government, such as ADISA/ISO27001, and that uses data wiping software nationally approved as meeting HMG IA Standard, then you give yourself the best possible chance of not falling foul of the Data Protection Act.

Considering that point 4 of Inspecting Safeguarding in Maintained Schools and Academies explicitly says “Inspectors should evaluate how well schools and colleges fulfil their statutory responsibilities”, full compliance with the Data Protection Act may just help make a positive contribution to your next school inspection report.