Regular readers of this newsletter will know that I have
paid a lot of attention and focus to the General Data Protection Regulation
(GDPR). To recap, the GDPR is EU Data Protection legislation which is coming
into force in May. It is a ‘beefed up’ version of the UK’s Data Protection Act
1998 and aims to introduce a common standard of data protection across the
European Union – particularly covering the latest advances in social media.
Despite Brexit, the UK will be under the legislation from May 25th
2018 and the legislation is expected to make its way into British law after our
exit from the European Union.
In the last couple of articles that I have covered the topic
of GDPR in, I have focused primarily on GDPR in cyberspace – the need to focus
on cyber security in order to keep on the right side of the legislation. Cyber
security in the context of GDPR is no doubt extremely important, but for this
article I would like to move away from technology and focus on GDPR in the
context of physical security.
When referring to GDPR and compliance, very few commentators
refer to the necessity to secure physical data. However, personal data is still
stored in a physical format and therefore is still subject to GDPR legislation.
For example, many schools use physical folders with pupil and parent
information. Remember that Article 4 section 12 of the GDPR states that a “‘personal data breach’ means a breach of
security leading to the accidental or unlawful destruction, loss, alteration, unauthorised
disclosure of, or access to, personal data transmitted, stored or otherwise
processed;”. This means that a member of staff, or worse a pupil, accessing
sensitive data without proper consent is classed as a breach.
Think also of physical computers. Most staff will have
access to a computer that they use for their work. In many cases, this will
contain sensitive information. Do you have a policy in your school that staff
must lock their computers if they leave their desk, even if it is only for a
short while? Are those computers protected with strong passwords? In my
experience working in the IT industry for many years, most users will not set
strong passwords. They are usually easy to guess, or in the most worrying
cases, system defaults such as ‘password’.
A report for the Telegraph newspaper in 2017 found that the
top 10 most common passwords are as
follows:
1.
123456
2.
123456789
3.
qwerty
4.
12345678
5.
111111
6.
1234567890
7.
1234567
8.
Password
9.
123123
10.
987654321
Granted, passwords are difficult to remember, especially
when you have lots of different passwords for lots of different user accounts.
Nobody wants to have to keep phoning their IT department because they’ve
forgotten their password again.
Nonetheless, a strong password is absolutely critical to
keeping sensitive data secure. A handy tip for creating passwords is to think
of a phrase that sticks in your mind. For example: ‘the quick brown fox jumps
over the lazy dog’. Now take the first letter of every word in that phrase and
combine them to make a word: ‘tqbfjotld’. The password itself is unlikely to be
guessed, but because you remember the phrase, you remember the password.
What about the security of your devices and servers? If you
keep a server on-site a determined intruder could gain access to it on
location. This would allow them to copy data onto an external drive and remove
it from school grounds. If you do keep a server on-site, make sure that it is
in its own locked room – and preferably that that room is air conditioned to
avoid overheating. If you would like an extra level of security, then CCTV is a
really good option. It is now possible to get ‘Cloud CCTV’ options, whereby a
camera (or network of cameras) are installed in your school and connect to the
internet network. It is then possible to access a live video feed of all your
cameras in one online portal. The cameras can also record snapshots or video,
allowing you to obtain the evidence you need to prosecute should the worst
happen. The cameras are small and unobtrusive and are reliable – speak to me if
you would like to find out a little more.
A good starting point for getting your physical data
security up to scratch would be to assess what data you hold in physical form,
where you keep it, and whether you need to keep it any longer. First of all,
any data that is not crucial to running your school should be destroyed – there
is no use keeping data unnecessarily.
Build up a list of your data sources and the data you hold.
Then consider who has access to it, both intentionally and possibly
unintentionally. If you keep folders with sensitive information in on school
grounds, are they kept in an area away from unqualified staff? Are they kept in
locked cabinets? Do your staff know exactly who should have access to what and
can you be sure that they know not to share information with others? If you
have important data stored on hard drives in servers and computers, do you
ensure that you encrypt that data?
It is also worth introducing a policy around external hard
drives and USB sticks, as well as personal cloud drives such as DropBox and
Google Drive. We recommend that use of external drives is at least restricted,
but preferably banned outright, and the use of personal cloud storage should
also be banned – it is untraceable. Personal accounts for these services follow
users wherever they go, meaning staff could potentially access sensitive
material even if they are no longer employed by your school.
By ensuring all your staff (and pupils) understand and
appreciate GDPR and how it affects your school, you can make sure everyone is
pulling in the right direction to help your school be compliant. GDPR
compliance involves an effort from all stakeholders in your school and the
first step is strong, unambiguous policies surrounding data security.
For more information on GDPR, or for an IT security audit of
your school, please do not hesitate to get in touch with me on 0330 002 0045 or contact schools@entrustit.co.uk.