White Paper: Security

Data Protection and Security in School Management Systems

This paper clarifies the roles and responsibilities of those dealing with the data that is central to school management systems.
Contents

Introduction
Data Protection and Security
The Edvance Solution
Summary
Glossary
References

Copyright 2011 SAMI. All rights reserved
Introduction

As ICT solutions gain greater momentum within school settings, the benefits of school management systems are becoming more apparent. But as a school principal, have you ever wondered where your school data is actually stored and what your responsibilities are in relation to data protection law?

In a recent ICT in Schools survey, 25% of the 286 school principals who took part stated that they did not have confidence in the security of their systems for storing pupil data. Other high-profile data privacy cases, such as the widely-reported Sony security breach in spring 2011, have highlighted the responsibilities associated with the handling of personal data.

This paper clarifies the roles and responsibilities of those dealing with the data that is central to school management systems. It shows how the introduction of a school management system can be used to introduce best practices and dramatically improve the processes and procedures associated with the management of this data. It also demonstrates how the careful selection of an online system can ultimately give confidence that data is stored in a secure environment.

Data Protection and Security

While the far-reaching benefits of web-based school management systems are well documented, it is understandable that school principals may not be entirely comfortable with adopting such an approach to school administration. As data controller for all pupil, staff and parent/guardian information, responsibility for compliance with the Data Protection Acts of 1988 and 2003 falls on the shoulders of the school principal. In the transition from pen and paper or locally-held spreadsheets to web-based management solutions, the role of the school principal as controller of personal data becomes more demanding, as the data is potentially centralised and accessed over an internet connection.
With several types of solution on offer in the marketplace, potential risks and vendor commitments in relation to data privacy are often unclear or unspecified.

The Data Protection Acts of 1988 and 2003 specify responsibilities in terms of defined roles:

- The data controller is the person who, either alone or with others, controls the contents and use of personal data. In a school management scenario, this role is fulfilled by the school principal, who accepts the data from parents, pupils and staff and is responsible for the safe storage and maintenance of this information.
- The data processor is the person who processes personal data on behalf of a data controller, but does not include an employee of a data controller who processes such data in the course of his employment. Where a school management system is in use, the software provider fulfils the role of data processor, as it provides the means for the data to be processed.
- The data subject is clearly the pupil, parent or staff member who is the subject of personal data.

From the initial collection of personal data to the subsequent storage and processing, data protection obligations are shared in several ways between the school and the software provider. The cycle begins with the fair collection of data by the school and the agreement by
the data subjects that their data can be processed. Aspects of the Data Protection Act then come into play as the data is stored and processed.

1. Transfer of data outside the EEA

Let's now look at the main considerations governing the location of data:

"The transfer of personal data to a country or territory outside the European Economic Area may not take place unless that country or territory ensures an adequate level of protection for the privacy and the fundamental rights and freedoms of data subjects in relation to the processing of personal data having regard to all the circumstances surrounding the transfer and, in particular, but without prejudice to the generality of the foregoing, to (a) the nature of the data, (b) the purposes for which and the period during which the data are intended to be processed, (c) the country or territory of origin of the information contained in the data, (d) the country or territory of final destination of that information, (e) the law in force in the country or territory referred to in paragraph (d), (f) any relevant codes of conduct or other rules which are enforceable in that country or territory, (g) any security measures taken in respect of the data in that country or territory, and (h) the international obligations of that country or territory." (Ref: Data Protection Act 1988, Section 11(1))

In addition, a full list of exceptions to this is provided in Section 11(4)(A) of the Data Protection Act.
However, the relevant exceptions may be summarised as follows:

- for transfers of personal data to the US, where the US recipient has signed up to the Safe Harbor principles (which impose similar obligations on US companies to those which apply in the EU);
- where the data controller is based in the EU and the data recipient is based outside the EEA, that the parties enter into a data transfer agreement in the form approved by the European Commission; or
- that the data subjects have given their consent to the transfer (although this exception is least favoured by the Data Protection Commissioner).
What does this mean for the school?

As controller of the personal data collected, the school must guarantee that it will not transfer personal data outside the European Economic Area (EEA) to a country which is not recognised as having an adequate level of protection for privacy, unless it can rely on one of the exceptions. Where the transfer of personal data outside the EEA is carried out by the software provider with the school's approval, it remains the responsibility of the school to ensure that an exception can be relied upon.

The software provider can give the school a clear guarantee that this obligation is met by providing a solution that is hosted on dedicated servers located within the EEA. In contrast, some commercial solutions make use of cloud-based messaging and collaboration platforms, such as Google Apps, that are hosted at geographically-distributed data centres in unidentified locations. For data protection compliance, it is essential that the providers of such cloud-based solutions can either guarantee that the storage of data is limited to the EEA or prove that one of the exceptions applies. If neither of these is possible, it is ultimately the school that is in breach of data protection law.

2. Security Measures

Next, let's consider the required security measures:

"Appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction." (Ref: Data Protection Act 1988, Section 2(1)(d); see also Sections 2C(1), 2C(2) and 2C(3))

What does this mean for the school?

As data processor, the software provider must ensure that it takes appropriate security measures to protect personal data against unauthorised access, unauthorised alteration, disclosure, destruction and other unlawful forms of processing, in particular where processing involves the transmission of data over a network.
The security measures taken by the software provider should be clearly stated and shown to provide adequate protection. At a minimum, there must be adequate encryption of the stored data, security on all network connections, and stringent processes and procedures for all data access.

3. Duty of Care

Also important is the duty of care that the data controller and data processor must demonstrate:
"For the purposes of the law of torts and to the extent that that law does not so provide, a person, being a data controller or a data processor, shall, so far as regards the collection by him of personal data or information intended for inclusion in such data or his dealing with such data, owe a duty of care to the data subject concerned." (Ref: Data Protection Act 1988, Section 7)

What does this mean for the school?

As data processor, the software provider must guarantee a duty of care to the owner of the personal data. In addition to the security measures above, the software supplier should ensure that transparent and stringent data protection procedures are in place among the staff members who have access to the data and the production environment.

4. Disclosure to Third Parties

Finally, let's consider the restrictions on third-party disclosures:

"Personal data processed by a data processor shall not be disclosed by him, or by an employee or agent of his, without the prior authority of the data controller on behalf of whom the data are processed." (Ref: Data Protection Act 1988, Section 21)

What does this mean for the school?

The software provider must obtain the school's prior authority in the event that it intends to disclose personal data to a third party. To achieve maximum data privacy, it is advisable for the software provider to eliminate the need for disclosures to any third parties. This can clearly be achieved by using a privately-owned and privately-managed hardware and software infrastructure to host the service. In contrast, some commercial solutions make use of cloud-based messaging and collaboration platforms, such as Google Apps, that are managed by a third party and are not entirely under the control of the software provider.
In order to comply with the Data Protection Act, the supplier should either include a reference to such disclosure in its Terms of Use and/or Privacy Statement, or otherwise ensure that it obtains prior authority from each school to disclose personal data to the third party.

With due care and open co-operation between the school and the software provider, all of the potential issues above can be tackled comprehensively and ultimately give confidence that the school's data protection obligations are being met.
The Edvance Solution

Software Asset Management Ireland (SAMI) is an Irish-owned company that provides a comprehensive school management system called Edvance. With successful installations in many Irish primary schools, Edvance has proven to be a robust and secure solution. With data security as an utmost priority, SAMI has invested in its own hardware and software infrastructure to provide a hosting solution that can answer all of the questions that should be asked of any system under consideration:

Where is the data hosted?

Edvance data is hosted within a highly-secure data centre located in the College and Technology Park in Dublin. Custom built for maximum security and uptime, this data centre provides a guarantee of physical security and data security. The data centre is operated by a fully Irish-owned company with its own independent network infrastructure and data centre facilities.

What security measures are provided as part of the service?

The data centre is manned and monitored 24 hours a day, 365 days a year, by a team of skilled and trained Network Operations Centre engineers located on site. It is positioned in a secured park whose entrance is manned 24x7 by security personnel. In addition, equipment is monitored via CCTV cameras. The hosting core network contains redundant Cisco firewalls, IDS and DDoS mitigation services.

What other guarantees are provided?

The hosting agreement is governed by a strict, penalty-driven service level agreement (SLA) that has been agreed between Digiweb and SAMI. It guarantees 99.99% network and power uptime, while also allowing 24/7/365 access to approved SAMI staff.

Who owns the hardware?

SAMI owns the high-specification servers that host the Edvance solution (Xeon E5520 2x2.27GHz processors, 32GB RAM). SAMI has invested substantially in the hardware infrastructure to ensure reliability and security and to allow full control over the system, while housing it in a secure, monitored environment.
The infrastructure has been carefully designed for scalability so that the solution can grow effectively as our business grows. Choosing and owning our hardware allows full control over the infrastructure so that it can be tailored to satisfy the needs of
our growing customer base.

How secure is data in the database?

Before data is transferred to the database, it is encrypted using 256-bit encryption. This mitigates data security risks on the network and separates data security from database-specific security measures.

How secure is data that is transferred between the browser and server?

The data is transferred over a secure channel that uses SSL to provide data security.

How is data backed up?

A full backup of data is performed nightly and stored on our backup servers, which are also located in the secure environment provided by the data centre.

Who has access to the system?

Access to the system is limited to SAMI staff. Strong passwords are used as per defined procedures, and passwords are available to a limited sub-team only.

As a result of the above, what guarantees are provided?

Due to the investment in our infrastructure, as per the measures outlined above, SAMI can commit to:

a. at all times comply with Irish and EU data protection laws
b. use the data lawfully and only for the intended purpose
c. never collect personal information unless it is provided voluntarily
d. never transmit your data outside of Ireland
e. never share your data with any third party unless required to by law
f. never store your data on any equipment that is not owned or under the direct control of SAMI
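The "encrypt before it reaches the database" arrangement described above, shown as an added illustration rather than Edvance's own code: each pupil record is sealed in the application tier with AES-256-GCM (the page names only "256-bit encryption"; the algorithm, the record ids, the demo key and the in-memory map standing in for the database are assumptions for this example), so the store holds only ciphertext and a dump of the database alone yields no personal data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Vault keeps the 256-bit key in the application tier; db stands in for the
// database table and only ever receives ciphertext.
type Vault struct {
	aead cipher.AEAD
	db   map[string][]byte
}

// NewVault builds an AES-256-GCM vault; the key must be exactly 32 bytes.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, db: map[string][]byte{}}, nil
}

// Put encrypts before storing; the id is bound as associated data, so a blob copied under another id fails to open.
func (v *Vault) Put(id string, plaintext []byte) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.db[id] = v.aead.Seal(nonce, nonce, plaintext, []byte(id)) // nonce || ciphertext || tag
	return nil
}

// Get authenticates and decrypts; a missing, truncated or tampered blob is an error.
func (v *Vault) Get(id string) ([]byte, error) {
	blob, ok := v.db[id]
	ns := v.aead.NonceSize()
	if !ok || len(blob) < ns {
		return nil, errors.New("record missing or malformed")
	}
	return v.aead.Open(nil, blob[:ns], blob[ns:], []byte(id))
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real deployment loads it from a key store
	rand.Read(key)
	v, _ := NewVault(key)
	v.Put("pupil-001", []byte(`{"name":"A. Pupil","class":"3rd"}`)) // constructed record
	fmt.Printf("database holds: %x\n", v.db["pupil-001"])
	pt, _ := v.Get("pupil-001")
	fmt.Println("application reads:", string(pt))
}
```

Note that this protects the data at rest in the database; it does not replace transport security (the SSL channel described above) or access control in the application itself.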
The investment in a robust architecture for Edvance and the security measures that have been put in place allow SAMI to address the data protection obligations in the following ways:

1. Transfer of data outside the EEA

Edvance is hosted on a high-specification dedicated server that is owned by the software provider, SAMI. It is located within a data centre in Ireland and is controlled exclusively by employees of SAMI. These measures provide a guarantee that the data is held within the EEA. This relieves the school of concerns over the location of the data and helps the school to fulfil its obligations in relation to this responsibility.

2. Security Measures

Edvance data is hosted within a private database on a dedicated server that is owned by the software provider, SAMI. The data is encrypted using symmetric SHA-1 encryption and the connection from the browser to the server is protected using SSL.

3. Duty of Care

Employees of SAMI have signed a data privacy agreement, committing to stringent measures when processing third-party data. For example:

- Access to school data is restricted to a well-defined team.
- On transfer from schools to SAMI, all data is password protected.
- Data is stored in a dedicated area that is password protected and limited to a well-defined team.
- Data is not stored on local machines. It is not emailed externally, or internally outside the Edvance data team.
- CDs used to transfer data from schools to SAMI are shredded after use.

Edvance provides tightly-controlled logins that limit access to particular data depending on the role group of the user:

- Principal
- Teacher
- Secretary

Logins can be managed solely by the school principal or secretary.

4. Disclosure to Third Parties

Edvance is hosted on a high-specification dedicated server that is owned by the software provider, SAMI. It is located within a data centre in Ireland and is controlled exclusively by employees of SAMI. SAMI does not use any third parties to process data on its behalf.
These measures provide a guarantee that the data is not disclosed to any third parties and is handled exclusively within an environment that is controlled by SAMI. This removes concerns over adequate data protection and relieves the school of obligations in relation to this responsibility.

Summary

School management systems can be used not only to ease the burden of administration but also to centralise sensitive data and to help fulfil data protection obligations. The careful selection of a school management system plays a key role in determining whether data protection obligations are met by the school, which is ultimately responsible for the data of its pupils, staff and parents/guardians.

In selecting a school management system, it is essential that the school gains an understanding of the underlying technology in the product, the precise location of its data, the security measures that are being taken by staff while processing the data, and the third parties involved in the storage and processing of data. At a minimum, it is recommended that the data is stored on a dedicated server at a known location within the EEA, that the data is stored and accessed securely, and that the security procedures of the supplier are adequate.

SAMI's Edvance product is a comprehensive solution that employs industry-standard security protocols for the storage and handling of school data. It has implemented stringent data protection procedures among the limited team that has access to production data. Most of all, SAMI has invested in its infrastructure by using its own dedicated servers that are housed at a secure location in Ireland. This not only helps to fulfil the obligations of the software supplier but goes the extra mile to remove obligations that would normally lie with the school itself.

*The information provided in this document is relevant as per the time of authorship and is subject to change.
Glossary

Data: automated data and manual data.

Automated data: information that (a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, or (b) is recorded with the intention that it should be processed by means of such equipment.

Manual data: information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.

Personal data: data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.

Sensitive personal data: personal data as to (a) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject, (b) whether the data subject is a member of a trade union, (c) the physical or mental health or condition or sexual life of the data subject, (d) the commission or alleged commission of any offence by the data subject, or (e) any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.

Data controller: a person who, either alone or with others, controls the contents and use of personal data.

Data processor: a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment.

Data subject: an individual who is the subject of personal data.

References

Data Protection Commissioner Resources: http://dataprotection.ie
SAMI Website: http://www.sami.ie
Edvance Website: http://www.edvance.ie
ICT in Schools Survey 2011: http://www.edvance.ie/surveyfindings.pdf

Software Asset Management Ireland, 8/9 Hanover Street East, Dublin 2, Ireland
www.sami.ie