So apparently, today is #DataPrivacyDay (apparently everything needs a hashtag these days), which got me wondering this morning how seriously the staff at my schools take data protection.
Now if you work in IT in schools, you probably already know the reputation teachers have for not locking their computers when leaving the room, and for sticking their passwords to their computers, which invalidates the point of locking them even if they manage it (this is probably true of end users as a whole, but I can only speak from experience).
Knowing this, I decided to conduct a little experiment. I waited until 10:30 (break time), and I had a little wander around the school’s empty rooms and checked staff computers. I found 7 unlocked computers (4 of which had emails open) and 4 with post-it notes attached to the screen with username and password written down (2 of which also included emails).
“Not too bad” you may think – but when you consider this is a primary school with only 7 classes – that suddenly becomes really bad. Staff regularly use emails to share what would be considered sensitive information about students, so it only takes a set of curious eyes and this information is suddenly publicly known.
You may be thinking – “it’s a primary school. The kids aren’t that interested” – but I can tell you from experience, the figures are most likely scalable to something similar in secondary schools too.
In some businesses, this sort of lax attitude is a sackable offence – I’m not saying that should be the case in schools, but some sort of warning system should be in place. If a pupil gets onto a staff user account, the best-case scenario is they delete something and we have to restore it: no biggie, but a little annoying. Worst-case scenario, the school has a major safeguarding issue on its hands, as the pupil has seen something damaging to themselves, another pupil or a member of staff.
There are many things we can do to help prevent this sort of thing happening, such as forcing the computer to lock after x amount of minutes, but without the support of senior staff, none of these are viable. The best solution therefore is probably end-user education. If staff members are made aware of the possible repercussions, they may think a little more about leaving their machines unlocked when away from the computer, and giving them password management tools may stop them leaving their login details written down in plain sight.