UKEdMag: BYOD in Schools – How safe is your data? by Ed Whittaker

Quite a few schools and teachers encourage colleagues and pupils to bring in their own devices to help learning and use within lessons. However, considerations needs to be well-thought through with using personal phones or tablets, as data contained and held could be in breach of data laws, as Ed Whittaker reminds in this article extract, which is fully available in the August 2014 edition of UKEdMagazine (Click here to read the article free, and in full).

The rise in the popularity of BYOD in schools raises a number of data security issues for school leaders to consider.

What is BYOD?

There has been a huge rise in the popularity of hand held and tablet devices in the last few years, and some schools may allow staff to use their own personal devices to access school systems. This is commonly known as Bring Your Own Device, or BYOD, and there are advantages in allowing staff to provide their own IT equipment. However, the use of personal devices to access school systems raises a number of questions regarding the school management’s duty under the Data Protection Act (DPA). This is particularly so if the device is used to access the school MIS (e.g SIMS) or to hold any kind of staff or pupil information. It is important to remember that the school, as data controller, is still responsible for the security of the information; regardless of the ownership of the device used to access or process the data.

The Risks – the BYOD device is owned and maintained by the user. This means that the school has little or no control over how, where or when it is used. Before permitting BYOD use in school, there are several things to consider:

  • the type of data to be accessed via the device;
  • whether any data is going to be stored on the device;
  • how secure is any data transfer to and from the device;
  • whether there is any potential for data leakage;
  • blurring of personal and business use;
  • how secure the device is;
  • what happens when the device owner leaves;
  • how to deal with the loss or theft of the device.

Under the 1998 Data Protection Act, the school must take appropriate technical and organisational measure to prevent loss or unlawful processing of the data the device holds. This does not necessarily mean that schools should impose a blanket ban on the use of BYOD, as there can be some benefits; including: increased work efficiency and flexibility and job satisfaction. What is does mean is that schools considering the use of BYOD should first make sure they have a robust and well thought-through BYOD policy.

BYOD Policy – a good place to start would be an audit of all the types of device likely to be used by staff in the school. Then consider which, if any, personal data should be accessed by those devices and which should be held more securely. It is important that users are made fully aware of their responsibilities for keeping the any data safe and secure. This can be done by drawing up an acceptable use policy for BYOD. The policy should make it clear which data can be accessed via BYOD and which cannot. You may also wish to consider whether use of BYOD might conflict with any school policy on the use of social media.

It is important to determine how and where any personal data might be stored; on the device itself, on the school network or on externally on a public or private cloud. Regardless of where the information is stored it is still the school’s responsibility, as data controller, to take appropriate measures against unauthorised access or loss of data. Be aware that some devices have removable memory cards, so loss of data may not be apparent for some time.

Your BYOD policy should also consider how data is transferred, as the transfer process can present risks. For maximum security, ensure all data is transferred via an encrypted channel and treat any public cloud-based sharing or back-up facility with extreme caution. You should also consider whether to insist on the disabling of interfaces such as Bluetooth or Wi-Fi.

Finally, the BYOD policy should facilitate compliance with the data protection act. Although security of the device might be the primary concern, care should be taken to ensure that data is not processed for any purpose other than the one for which it was originally collected. Users should be informed of their responsibilities to use the data strictly for school business. Also, if the data is stored on different devices there is the possibility of it becoming out of date. There is also the possibility …

Read the full article in the August 2014 edition of UKEdMagazine by Clicking Here


Ed Whittaker is a secondary school chemistry teacher of 28 years experience at the in the classroom and as behaviour manager. He is co-founder of Adaptsoft which supplies custom information management solutions to schools.


Easily share this article via

You need to or Register to bookmark/favorite this content.

About UKEdChat Editorial 2995 Articles
The Editorial Account of UKEdChat, managed by editor-in-chief Colin Hill, with support from Martin Burrett from the UKEd Magazine. Pedagogy, Resources, Community.

Be the first to comment

Leave a Reply

Your email address will not be published.


*