This article covers:
- Things have changed …
- Do I have obligations?
- Freedom of Information
- Data Protection Act
- Criminal Activity
- Age verification
- Where’s my stuff?
- What does the cloud really look like?
- Does it matter “where” the data centre is?
- Is my stuff mine?
- Is my stuff safe?
- Can anyone access my data in the cloud centre where it sits?
- What about access through devices?
- What if a device goes missing?
- How can I manage and monitor the things users do?
- Managing accounts and users
- What about illegal or inappropriate content?
- What about when things go wrong?
- How can I ensure my education cloud provision is effective and fit for purpose?
Things have changed …
Ask a pupil or student where the internet is. It’s a question that can prompt a whole range of odd physical reactions that invariably result in glances upwards and pointing randomly somewhere above them. Watch a frustrated mobile phone user try to get a better signal by holding their mobile phone higher.
And to be honest it’s not surprising with phrases like “in the cloud” or “all around us” that the pervasive nature of technology has woven itself not only into the practical aspects of our lives but also drives an underlying culture of expectation around access. Connectivity has become the “fifth utility”: water, gas, electricity, phone and then…internet. An image which has done the rounds recently, sums it up by adapting Maslov’s Hierarchy of human need… almost with a scrawled and urgent desperation.
The educational technologist and BECTA stalwart Tony Richardson was known for his references to the cusp; we in education always seemed to be on the cusp of the next technological advance. We are no longer on the cusp; we are swimming in the very same waters and travelling the very same spaces as the outside world. Meeting the aspirations and providing the same experiences that users have in that environment has been a difficult journey for schools to travel; considerations around ethical and safe environments have been important but have slowed progress.
As connectivity becomes faster, more reliable and more ubiquitous it has not only made these environments more efficient and enabling but has changed irrevocably the way we store and interact with the information that we use in our online lives.
Think of the laptop you bought a few years ago? Still got it? Got a large hard drive? Heavy?
Storage on the device was a deciding factor in device purchase. Keeping stuff local and carrying it meant that security was not necessarily important. After all you had it with you and who was going to access it? So password securing devices felt a little bit over the top and actually got in the way. Data would only be lost if the device was lost which was unlikely given its size. Sensitive data could be encrypted and all data could be backed up on a massive hard disc somewhere at home or in the office.
Online services and social media like Facebook, Bebo, MySpace and their ilk moved data from devices into the cloud. It was no longer on the device or desk hard drive but in Palo Alto or Dublin or Latvia. Things changed rapidly.
Devices decreased in size, became more mobile and since operating systems were less important than input, display and connectivity, purchase choices became more device-agnostic. Interoperability between devices became essential and the “internet of things” began to develop. Sales in desktops and laptops dropped and tablet sales rose; Christmas 2012 saw PC World selling 5 iPads every second which resulted in a significant rise in tablet use and ownership. Ofcom Media Literacy Tracker in 2013 reported a rise in tablet use of under 5’s from 1% in 2012 to 53% the following year.
The purchase of large suites of software receded in favour of apps; smaller components that were regularly updated, low cost and delivered online and could be “smashed” together to create unique customised palettes of tools that were flexible, adaptable and more importantly geared to the individual.
The world had changed.
Once, schools were the places where you went to experience great technology and exemplary pioneering in applying those new tools to enhance learning. And at some point that curve was crossed by the development of technology beyond the school gate to the point where young people were “powering down” as they stepped through the doors.
The cusp is now. Educational settings are venturing into these brave new worlds to not only meet the technological aspirations of their students and staff, but to create the opportunity to shape pedagogical use in a way that is empowering, fulfilling and productive. These environments are not the same lumbering, heavily-managed, costly, central mechanisms of old. They are more aligned to the apocryphal Facebook mantra of “Move fast; break things”. Less Learning Platforms; more “platforms for learning”.
And when things break? What are the considerations for any organisation? How do you represent reasonable duty of care? How do you make the most of the potential these technologies offer and still provide the same safeguarding protocols consistent with those you already have?
The following paragraphs explore those considerations.
Do I have obligations?
Freedom of Information
FOI may require anything you write in an official capacity to be potentially made public. This might mean you need to consider how long content is stored for and the ease of which it can be recovered from a cloud archive.
Cloud services very often are not designed for the long term storage of content, particularly transient communications with high volume like email. Schools should consider how to secure, archive and back-up to a local system what could be sensitive or important data.
A summary of good practice in dealing with requests can be found here
Data Protection Act
Schools, like any other organisation, are subject to the Data Protection Act (DPA) and its eight basic principles. The DPA refers to ‘personal data’ – this can be described generally as information which identifies an individual and is personal to an individual.
The DPA contains eight “Data Protection Principles” which specify that personal data must be:
- Processed fairly and lawfully
- Obtained for specified and lawful purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept any longer than necessary
- Processed in accordance with the “data subject’s” (the individual’s) rights
- Securely kept
- Not transferred to any other country without adequate protection
It’s also worth considering that whilst not all data is “personal”, the information that is, has varying levels of sensitivity based on the impact were it to be compromised.
The Information Commissioners Office has produced a report, in plain English, aimed at helping schools meet their data protection obligations; you can read the report detailing data protection advice for schools here and a simple summary of the report here.
There are also safeguarding obligations for the use of technology in schools that include:
- Effectively monitoring the use of systems to detect potential and actual safeguarding issues
- Monitoring, alerting and responding to illegal activity or attempts at compromising data security
- Providing consistent safeguarding provision both within and beyond school if devices/services/data leave the site
Schools have an immediate obligation to report illegal or criminal activity to the Police. The Law defines criminal offences across a range of Acts that include:
- The Protection from Harassment Act 1997
- The Malicious Communications Act 1988,
- Section 127 of the Communications Act 2003
- Public Order Act 1986
- The Defamation Acts of 1952 and 1996 (and the recent 2012 amendment that references targeted trolling on social media)
US Law requires any company operating within the US to comply with the Children’s Online Privacy Protection Act (COPPA) which legislates against companies who store, process and manage information on children aged 13 and under and the active or targeted marketing to that age group.
Whilst this is an American law the Federal Trade Commission has made it clear that the requirements of COPPA will apply to foreign-operated web sites if such sites “are directed to children in the U.S. or knowingly collect information from children in the U.S.”
The law has caused huge international impact, so that even websites which are not either under US jurisdiction, or which servers or headquarters are not located into US, started blocking children under 13, even giving up parental consent.
This of course is an issue for any school needing to use online commercial services that are based in the US who comply with COPPA since children under 13 using those services whilst not breaking the law, would be breaking the providers terms and conditions.
Whilst many commercial services may appear “free” it is vital to understand age restrictions by reading terms and conditions carefully. Most schools now use or “buy into” cloud education suites like Google Apps for Education or Microsoft Office 365 which are designed for specifically for children and schools.
Other services like Facebook, Twitter, Blogger etc are of course also useful cloud tools in and beyond the classroom but it is important to be aware of age restrictions here too.
Where’s my stuff?
What does the cloud really look like?
Most cloud content is usually held in large data centres provided by companies that then sell that space out to providers. These vary in size depending on where they are and who owns them. The images here show Telefonica’s 65,700 square meter data center in Alcalá, Spain that handles much of Europe’s cloud computing services.
(Courtesy of @timoarnall “Internet Machine” project)
Does it matter “where” the data centre is?
It depends. If the system is to be used for content that is not classed as personal data then it’s a decision based on service, fitness for purpose, quality and cost.
But that rather negates the real efficacy of a cloud system that uses personal data to verify access; assign resources; define lines of communication and arrange groups. Most education systems have to make use of personal information to function.
The DPA (Principle 8) states that personal data must not be transferred to any other country without adequate protection in situ. Data protection requirements vary widely across the globe. Countries in the EU approach privacy protection differently to those outside and are more stringent in the detail and responsibilities of data users than perhaps the US. However, there is a mechanism that helps to bridge that differential in US-EU Safe Harbour Framework which allows US organisations to comply with the EU enhanced privacy protection.
If your data is stored in the US look out for the Safe Harbour Framework. It is worth noting that the Safe Harbour Framework is a self-regulated code of practice and not regulated by any legislation, but may very well allow you to demonstrate duty of care.
Is my stuff mine?
The old adage goes that if you’re not paying for a product, then by default you are the product. And whilst there is no hard and fast rule that people who pay for a product are treated any better than those who don’t, there is often a feeling that by using a free product we pay a data price.
A frequent example of this is the prevalence of apps in the classroom on a whole range of devices. Many are free but require a user to sign up to a host of permissions that very often are complex and have unprecedented access to a range of systems and information on individual devices from location to email contacts to content accessed.
Outside the education environment, most users make a decision on the efficacy of the app against the permissions it requires: it’s not like the permissions are hidden; they are all up front. It’s just that most of the time they are not read with any real engagement.
Curating cloud services to ensure your users information, in particular students’ details, are not “data mined” is an important consideration, not just from the point of view of security but ethically too. Both Google and Microsoft make clear statements that their education products are not used to inform advertising but other useful apps out there on Play and the AppStore can’t always promise the same.
Common Sense Media, is a not for profit organisation in the US that provides a whole range of ratings and reviews for a wide range of media including apps, software and websites. Their Graphite tool is designed to assist schools in making the right pedagogical and ethical decisions and rates apps in terms of learning potential and suitability through a searchable interface.
Is my stuff safe?
Can anyone access my data in the cloud centre where it sits?
Data centres (as one can imagine) are required to have stringent physical interventions in place against data being compromised from internal or external access.
If for example, a storage device is physically removed from a data centre, it is instantly locked (eg BitLocker) so that it cannot be read by another device. Likewise there are sophisticated security mechanisms in place to prevent external hacking of data. Whilst this cannot always be guaranteed to be 100% safe, this sophistication is often beyond the local capability of a single school and so may be regarded as reasonable duty of care.
What about access through devices?
This is much more likely given that devices are going to and from your school in bags, on buses, lying around at home so security now becomes much more of an issue at a user level than it ever has before.
Passwords and authentication are critical. Some points to consider are:
- Are passwords strong? Do users know what a strong password looks like?
Howsecureismypassword? gives great practice… but perhaps don’t experiment with your actual password?
- Do you insist on rolling user passwords regularly? Every 60 days? Many businesses do…
- Is sensitive data secured by two factor authentication? (If you’re not sure what that is then try this link)
- Are users educated in good password practice? It needn’t be boring … even very young children can start learning… very often they are already using login information for the sites they use at home like Minecraft, Club Penguin, Moshi etc
- Is this backed up with a clear and reliable password policy? If you need a template then SWGfL provides one as part of its policy suite.
It’s also important to ensure there is a clear and reliable culture around reporting issues such as compromise, loss or unethical practice. This doesn’t happen on its own and needs to be taught.
Working with partner US Common Sense Media, SWGfL have produced a free Digital Literacy and Citizenship Curriculum for Foundation Stage to Year 10+ which has a variety of strands one of which focuses on Privacy and Security. Pupils and students learn strategies for managing their online information and keeping it secure from online risks such as identity thieves and phishing. They learn how to create strong passwords, how to avoid scams and schemes, and how to analyse privacy policies.
What if a device goes missing?
The big advantage of cloud systems is that, apart from simple local settings, content is not on the device but in the cloud so… lose your device … you haven’t necessarily lost your stuff.
Cloud services can offer device management systems that can:
- Lock a device if missing
- Send a message or alarm to a missing device
- Remotely delete any local data and information on a missing device
- Track a missing device using location services when it connects to a network
- Take photographs if the device is accessed or the internal storage is changed eg SIM card (Usually snapping the user at the same time from the front camera!)
- Generate reports to pass to investigating authorities
Many of these services are free and offer reasonably priced enterprise versions too. Examples are:
How can I manage and monitor the things users do?
Local networks based on site have the advantage of being relatively easy to filter and monitor for inappropriate or illegal use and many schools will already have these systems in place. Filtering can be provided as part of a school’s internet provision, particularly if they have that service delivered through an LA or Regional Broadband Consortium (RBC) or indeed a school may choose to provide its own through a variety of commercial solutions. These could be boxes or servers that are part of an existing network or more frequently cloud-based filtering servers. Examples of physical filtering solutions are Lightspeed and Smoothwall; an example of cloud filtering is SecURLy (though expect to see more services emerging as this area matures)
Many schools may use monitoring systems on their local networks that will scan network data for profanity, keywords linked with bullying, self harm, suicide, etc. These may very well be established commercial monitoring solutions like eSafe, Securus or Impero or monitoring mechanisms that are provided by the ISP or RBC. SWGfL provides a service that is part of an extended Home Office pilot called Proactive Monitoring that detects, alerts and reports illegal content on one of its connections directly to the police, removing the onus on the school to do so.
However, when services move into a wider cloud-based environment hosted by an external partner it becomes more difficult to know what users are storing or accessing, particularly if their connectivity away from the school is a domestic or business one without the systems or protections schools enjoy.
With all of those separate user folders and portfolios with their separate passwords and widely varying content, how can you be sure they are not being used to store inappropriate materials? Illegal materials? The school provides the tools and there is therefore an expectation that the school should ensure that users are operating in a space that is as safe as can be created.
Managing accounts and users
Dealing with one Apple ID on your own iPad or Google account on your Nexus at home is very empowering; you can make choices about how you set it up, the apps you want; the subscriptions you choose and how many photos or documents to store on it. Setting up tens of devices with potentially hundreds of users has a whole different set of considerations:
- What about the distribution and timetabling of devices particularly those that go home?
- Can users store content locally eg photos?
- Can the school network and connectivity sustain the use of many devices?
- Is there one standard profile for everyone or can each user customise?
- How are those profiles managed or swapped?
- Are personal devices allowed to be commissioned to the school system (BYOD)?
Investigating device management before the procurement of devices is a sound strategy as is having a realistic plan for implementing mobile technologies across the school. A Mobile Device Management layer is becoming more critical in establishing access rights to these technologies. There are a variety of commercial solutions including Meraki from Cisco and Mobile Manager from Lightspeed but a recent development has been the open source standard being offered through WSO2 EMM (Enterprise Mobility Manager).
When considering BYOD there is a plethora of advice available. The National Education Network (NEN) collegiate of RBCs and industry partners have had their Technical Strategy Group group produce a free BYOD White Paper for Schools whilst SWGfL have developed a free Transparent Filtering service for schools who subscribe to its Schools Internet Service that allow settings to seamlessly connect personal devices to the network in a way that is managed, filtered and monitored.
What about illegal or inappropriate content?
It’s difficult to be entirely sure what content is being used or stored by your users when using personal cloud storage space although recent news reports suggest that there is a variety of strategies employed by service providers around routine scanning of users content.
“When users place their data with cloud computing services, they lose the ability to maintain complete control of that information,” said Lillie Coney, associate director of the Electronic Privacy Information Center (EPIC).
A Maryland man was charged earlier this month with possession of child pornography after authorities were tipped off by the National Center for Missing and Exploited Children (NCMEC). Police say Verizon Online found approximately 23 suspect images during a routine sweep of the man’s cloud drive and alerted NCMEC, a non-profit established by Congress and primarily funded by the Justice Department.
While cloud storage providers are required by law to respond to known or suspected instances of child pornography, not all scan users’ accounts looking for them.
Dropbox, Amazon and Google — the former two of which did not respond to requests for comment — take a more hands-off approach, according to their terms of service. They will investigate notifications of suspected illegal activity, but won’t use automated prescreening.
Is there a difference between services that actively police and those that don’t? Coney says yes.
“One is treating data like it belongs to them and the other is following a due-process approach regulated by the courts or existing laws,” she told NBC News.”
This essentially means that the school also needs to be clear about what the expectations are around illegal and inappropriate content and how it intends to ensure those expectations are met. These might include:
- Clear and effective agreement through an Acceptable Use Policy or computer splash screen with “agree” button
- Positive statements around the use of technology dotted around areas where that technology might be used (particularly effective are student-designed posters)
- Active education in raising awareness of what illegal or inappropriate both mean
- Staff development in recognising and escalating reports of illegal content
- Revisit staff guidance around the Education Act 2012 which gives schools the power to confiscate and search devices if they are deemed to contain content that might impact on the safety and well-being of users and their peers
- Reminders that Cloud Service Providers can and do scan content stored on their servers
- Establish regular spot checks on mobile devices and advertise the fact that these will be carried out on school devices and removable media
- Establish and communicate that online portfolios, and storage with cloud service providers (eg Skydrives or Google Drives) provided as part of a school cloud solution will be subject to random spot checks eg by resetting passwords back to default to allow auditing by the Cloud Service Administrator.
What about when things go wrong?
Like any other safeguarding issue there must be clear and rigorous incident management practice that is consistent with other safeguarding policy.
- Clear and well communicated policy
- Effective routines for securing and recording evidence
- Established reporting routes that are well-communicated, respected and agreed by all
- Clearly communicated sanctions that have been agreed and shared with all users
- Audit trails that are used to shape interventions and inform future practice
SWGfL BOOST is a suite of tools that provides not only active and passive reporting mechanisms, but also an Incident Response Tool that ensures that in the event of a significant online safety incident, you are following perceived effective and best legal practice. This not only ensures better protection for your users but also underpins the professional integrity of your organisation in demonstrating reasonable duty of care.
How can I ensure my education cloud provision is effective and fit for purpose?
It’s tempting to dive in, particularly when tablets look like an attractive and immediate solution and Google and Microsoft can both offer “free” effective software to make the cloud vision work.
But are you ready for cloud?
SWGfL have developed with BT a brand new catalogue of Education Cloud Services designed to make learning more accessible. It offers schools a new way to buy ICT: all the services are cloud-based and can flex to meet individual school requirements. Some of the service packages available are:
- Cloud Advanced – based on a virtual Windows desktop “Cloud PC” ( a desktop for the web)
- Cloud Enable – social learning technology, cloud email, apps and storage, all linked to ‘identity’
- Cloud Connect – all the features of Cloud Enable, plus safe, secure connectivity with filtering
This fresh approach started by asking teachers, learners and school ICT managers what they wanted from a modern ICT service. From this we were able to design and build a new strategic platform for the delivery of cloud-based services to improve educational outcomes at reduced cost.
These services are available from any location, at any time, on any device (with a modern internet browser), extending the reach and accessibility of education services for all teachers and students. All the cloud services have been specified and validated by the South West Grid for Learning and will be available to buy via the SWGfL ECS Framework.
The whole concept is informed by a brand new and innovative Cloud Visioning Tool from the same team that brought you the multi award-winning 360 Degree Safe Online Safety Tool. Driven by the same technology it allows you to choose the best solution for your school and continues to guide and shape that vision as it develops.