Data security (mobile storage devices)

17 June 2009

What happened?

The assessment co-ordinator of a primary school saved a considerable amount of school and student data - including student information from target tracker, videos and samples of children's work - on an 8G memory stick (flash drive) that was not encrypted. The data was saved on the device for two main reasons: a) the school server was running out of space and the device acted as a back-up, and b) the co-ordinator used it to transfer data from the administration server to the teaching and learning server.

The co-ordinator occasionally carried the memory stick off the school site, between his home and school. After attending a football game, he realised the device was lost. He contacted the stadium, but it had not been found, so he reported the matter to the head teacher, who was the named person responsible for data protection at the school.

The co-ordinator had inadvertently breached the staff Acceptable Use Policy (AUP) that he had signed two years before and that included the following statement on data protection: ‘I will ensure any confidential data that I wish to transport from one location to another is protected by encryption and that I follow school data security protocols when using any such data at any location.’

What should I do if this happens to me?

  1. All professionals working in schools should agree and follow an Acceptable Use Policy (AUP). If you inadvertently breach your school's AUP in terms of data protection, report the matter immediately to your head teacher and the named person responsible for data protection. It is recommended that you make the report in writing and copy in your trade union representative.

  2. If you feel the school's protocols are not strict enough to protect confidential data and the professionals working in school (for example, issuing encrypted devices to staff who transfer data offsite), raise the issue immediately with your head teacher or the school's named person responsible for data protection.

  3. If you're a head teacher or the school's named person responsible for data protection, you should re-issue your AUP on a regular basis and reinforce strict protocols, issue encrypted data memory sticks, and systematically delete confidential data that is stored temporarily on mobile storage devices.

  4. For further information, go to the Becta website.

  5. Your senior management team should offer you adequate emotional and practical support during the process. If they don't, contact your teaching union for assistance. You can find contact details for the UK teaching unions here.
 
 

 
 
