Friday, 23 March 2018

GDPR / Cloud Storage - Clarity Please



I seem to be spending much of my time talking to head teachers at the moment about GDPR (General Data Protection Regulation) which is implemented on May 25th 2018. It is an issue that is certainly vexing many. However it's not just GDPR per se, but around related issues in what schools can and cannot save in the cloud, and the usual 'Google isn't safe’ mantra that is still being trotted out by some. Let's look at the GDPR issue first. From discussions I’ve had, there seems to be a lack of good information or advice about exactly what this means for a school, especially primary schools that I mainly work with. Here’s a link to GDPR education section of the Information Commissioner's Office website. Here schools can find out more information about GDPR. However, what I would really like to see is some concise information coming out from local authorities, regional consortia or the Welsh Government. Spelling out simply (if that's possible) what head teachers need to do or start thinking about.The void that's left because of the lack of good, clear information encourages rumours to spread, which leads me neatly onto my next points, cloud storage and safety.

The issue about whether Google is 'safe', should have been put to bed a long time ago. Tom Lewis and Guto Aaron have recently written excellent articles about this, outlining the security of the platform. If companies such as Airbus, Morrisons, Ocado and Nippon Airways, to name just a few, are happy to use G Suite for their companies and feel that it is 'safe', then I'm confident that my data must be safe and secure for my primary school. In Wales in particular, I think this is being raised more than other countries in the UK because of our focus on the Hwb national platform and the drive to ensure all schools in Wales use it. The unsafe rumour is then a useful message to spread to schools as it will put doubt in people's minds. Schools will then move to using Hwb more often because our regional consortia have told us it's apparently safer. "I've been on a course and was told that Google wasn't safe", is the comment I'm hearing from teachers....still. Apparently it’s going to be made ‘safer’ once it’s inside the Hwb platform! My response to this is to now tell teachers if they hear this comment, ask the person exactly what they mean by 'safer' and also to email them after the meeting asking for a written explanation. And this to me is the crux. Local authorities and regional consortia appear to be happy to have the uncertainty being generated through word of mouth about safety, but no one in a position of authority would ever have the confidence to stand up in front of all head teachers or write to all schools expressing the same concerns and telling them not to use this. They know they would be on shaky ground to say the least.

My final point is around clarity on what files are ‘allowed’ to be hosted in the cloud. There is still a concern that sensitive data shouldn’t be uploaded. Here are my basic thoughts around this. I don’t pretend to be a data security expert, but here’s me thinking out loud. Always dangerous :-)

Are OneDrive or Google Drive servers secure? I believe so. Both those companies hold vast amounts of data of the most sensitive nature for organisations and companies around the world. I’m not saying that they are not open to the most sophisticated of hackers, I’m certain that there are countries and individuals who regularly attempt to hack them. But I’m confident that there is the expertise at both Microsoft and Google who do everything to protect my data. If there was a major breach of data from either of these companies, then that would have a serious impact on their reputation. Look at what has just happened with the reputation of Facebook and that wasn’t even a data breach of the type I described above.

https://www.cnet.com/pictures/peeping-inside-googles-data-centers-pictures/

If I didn’t believe that OneDrive or Google Drive servers are secure where would I hold my school sensitive data? Most schools would save this to their school internal network server.

How secure is this? I was told of a recent conversation between a head teacher and a local authority ‘techy’ who laughed when the head teacher said he’d store sensitive data on the school network. His reason for laughing was that it is much easier for someone to break into your school and steal the server than it was for someone to break into Microsoft or Google data centres and steal their servers! Even if they did, I understand that Google for instance break up the data across several data centres. In the past I’ve also talked to schools whose servers have crashed and weren’t backed up properly and lost most of their files....just before an Estyn inspection!

Whether you think cloud storage is safe or whether your school server is safer, what’s the weakest part of this system? In my opinion it’s the user. It doesn’t matter how secure your system is from sophisticated hacking, the easiest way to get into any system is ‘through the front door’. If I know your username and password then I have access to your stuff, whether it’s in the cloud or on your network. I’ve just introduced two factor authentication across all my Google and G Suite accounts to provide an extra level of security. Something that G Suite for Education schools can introduce now which provides another level of ‘front door’ security that Hwb users don’t have. 

https://support.google.com/a/answer/184711?hl=en

So, the point of the previous questions was to think about how secure are your systems when saving sensitive data. It can be argued that the cloud storage system is equally (if not greatly) more secure than your school network. However, both have the problem that humans are the weakest link. A couple of school examples:
  • Usernames and passwords to login to the school network or various online platforms on Post-It notes stuck to monitors or laptops. I think that a quick look inside the front cover of many teacher notebooks or field notes, which are often on a desk, can also often reveal these details too!
  • USB pen drives moving a variety of data (sensitive or not) between home and school. Always the issue of these being lost in transit or corrupted.
  • Staff logged into the network or online platforms and not fully logging out when away from their machines.Interestingly, I've noticed that if a user logs out of Hwb but doesn't shut down the browser, if someone else logs in, sometimes the previous users O365 account will be accessible not yours.
  • Usernames and passwords stored in the web browser. If I go to the landing page of many online platforms in a school, the teacher will have stored their details allowing me to login as them.
  • Pupils knowing and using the teachers username and password.
In my opinion, much of what we’re talking about here is just about getting into the habit of good data security practice. Not just digitally but also making sure that any sensitive paper based materials are locked away securely and not pinned to notice boards in the staffroom or classroom!

So, what would I like to see that would help to lower head teacher stress levels?
  • A simple and concise overview of GDPR, implications for schools and what they need to do. Good advice and support is urgently needed as head teachers are very unsure who to turn to for this.
  • A clear steer on whether cloud platform storage is ‘safe’ or not, regardless of whether it is through Hwb OneDrive or Google Drive. If we agree that these are safe and secure, is there still an issue with what’s being uploaded?
Please, let’s cut out rumours being spread once and for all and for the appropriate education authorities to provide some clarity to schools on GDPR and cloud storage.