e-security in an e-school 20 September 2008 Louise Bennett British Computer Society Chairman Security Forum Specialist Panel

Differences between paper records of personal data and computer records The quantity of retained data The number of individual’s data in the database The attitude of data users to electronic data

The exploding digital universe – IDC Report – Some facts: Data volumes from 2006 170 exabytes to 2011 1,700 exabytes Half needs high standards of security Over one third compliance intense 20-40% preservation intense

Information should be like A shaft of sunlight cutting through fog

Some official e-records about children The Children’s Index Who? Everyone under 18 What? Record of all agencies contacted from birth (excluding case records). Why? To enable sharing

Some official e-records about children Contactpoint Who? Children birth to 19 What? Contact with services Why? Response to Victoria Climbie Enquiry, to prevent child abuse.

Some official e-records about children eCAF Who? About 50% of children What? In depth personal assessment of every child receiving services over and above basic medical care and education Why? To help professionals working with children

Some official e-records about children MIAP on-line cv Who? Every 14 year old in England (from Feb 08) What? Exam results, personal learner number and personal details Why? LSC tracking system for employers

Not if all the personal data is properly looked after, but Does it matter? Not if all the personal data is properly looked after, but some people are concerned Action Rights for Children (ARCH)

Take data guardianship seriously What can we do? It is about “culture” Take data guardianship seriously Treat everyone else’s personal data as you would like yours to be treated

The DPA principles Process fairly and lawfully Obtain for specific purposes Adequate, relevant, not excessive Accurate and up to date Not kept longer than necessary Processed in accordance with DPA rights Kept securely Not transferred out of EEA without protection

BCS information governance and data guardianship themes cover: Accountability Visibility Consent Access Stewardship

Extend the DPA principles to include: Consent of data subjects for data sharing Right of revocation of consent and redress Sound, published data governance principles Right to limit access Original collector has stewardship if shared Ownership and risk explicit in the “chain of sharing”

Risk combines likelihood and impact IA Risk Assessment: Risk combines likelihood and impact Does impact mean the same to a minister concerned for his reputation, a school concerned for its place in the league tables and a parent concerned for his child’s privacy and long term well being?

Next Steps More public debate Improved professionalism for systems Instigate a cultural change in those handling personal data in which the impact on citizens is the primary concern Openness on what personal data is held, where and why Refine and extend the Data Guardianship Principles An “Information Governance Code” with guidance on data handling good practice Effective audit and penalties for failure