At the beginning of the year, a young girl was caught stealing a pair of shoes from a classmate after the theft, through the use of CCTV installed in the classroom. While in-school surveillance may eradicate clandestine paper plane throwing, it opens the floor to questions. How is the data managed? Is CCTV the ideal solution? And will the young perpetrator feel criminalised by this omniscient eye?
Classwatch, sold as ‘the answer to effective classroom management’ has been rolling out CCTV cameras throughout schools nationwide. In a country where video cameras are banned from school plays, it is vital that the data held is responsibly controlled and protected.
In January, a teenage pupil was withdrawn from the Ysgol Dyffryn Teifi school in Ceredigion,
This was “all hype” according to Paul Sayner, managing director of Proxis, a security installation company.
“It’s like snow – two inches is called six centimeters to sound more dramatic. The school didn’t get a chance to have a say.”
On the uncertainly of whether CCTV should be permissible in toilets, Sayner reasons that “it depends exactly on what it is looking at,” adding that “If you’ve got nothing to hide, why should you object to that?”
Sayner does not believe that parents should be able to object to the surveillance, maintaining that the prerogative to ‘opt out’ should be a management decision. He stresses that CCTV in 'private dwellings' are different to such surveillance as speed cameras, as their implicit purpose of the former is security.
Sayner has recently overseen the installation of video cameras at
A fingerprint too far
“[School staff] have a day job of teaching, but they don’t really have an overhead for security.” |
Andrew Clymer |
Andrew Clymer is a senior identity management security expert who took issue when he was informed that his children would face biometrics at school registration, and was successful in preventing the implementation. While Clymer would like biometrics to be “used for very sensitive stuff in the future,” he sees “no justification” for its use in schools.
“[School staff] have a day job of teaching, but they don’t really have an overhead for security.”
He questions the desire for schools to take on such responsibilities - as “Most businesses see security as a necessary evil,” - as well as a school’s physical ability to utilise such information: “I’d rather know my thumbprint was used for something very valuable, when we have the money and infrastructure”.
Pippa King, advocate of ‘Leave Them Kids Alone’ – an initiative formed by concerned parents against the fingerprinting of school children – foresees further risks with a school database. If a crime were to occur within a school, she argues, it would be “well within the Data Protection Act” (DPA) for the Police to access records “without informing parents or children”. King worries that “because digital fingerprints aren’t absolutely 100% identical [to physical prints], they can throw up false positives”.
This controversial sanction can be found under the Data Protection Act’s guidelines for the ‘fair processing of data in schools’. These guidelines are required to be shared with the data subject from the age of 13, (the Information Commissioner’s view being that most children will generally have a sufficient level of understanding by the age of 12) and prior to that, must be issued to at least one guardian. The guidelines ‘encourage’ schools to seek consent from parents, and advise that parents are informed of how their child’s data will be used.
The guidelines
Details of two ‘layers’ are given in the data protection guidelines. Layer one must be handed out to parents at the beginning of the academic year when their child is 13, and provides a brief outline of the handling of data. It stipulates that names and addresses will ‘from time to time’ be required by third parties such as the Department for Children, Schools and Families (DCSF), and agencies prescribed by law, including the Qualifications and Curriculum Authority (QCA), Ofsted, the Learning and Skills Council (LSC), the Department of Health (DH) and Primary Care Trusts (PCT).
For secondary schools, this list also includes organisations that require access to data in the Learner Registration System as part of the Managing Information Across Partners (MIAP) programme.
On top of this, the DCSF is responsible for the controversial ContactPoint database which aims to hold the information of millions of children in order to optimise coordination between professionals such as social workers.
Layer two of the data protection in schools guidelines, being far weightier and more detailed, does not need to be issued by schools, and so is instead only made available to guardians upon request. This indicates further information that may be captured from the child, such as exam results, attendance information, ethnicity, special educational needs and any relevant medical information. It should be noted that parents do not ‘opt in’ for this provision; they may only opt out.
The trouble with the guidelines is that they are just that. They are not legally enforced: an issue with which Phil Booth, national coordinator of anti-ID campaign group No2ID, holds reservations. “Most of the time you get a letter [from the school] saying ‘we’re going to do this’…Some parents can be intimidated by the headmaster.” He recalls a case of a “sixteen-year-old lad who didn’t want to be fingerprinted and was almost expelled”, and believes that schools are “getting away with murder because of a weak statement from the ICO.”
Booth points out that a school is where “most parents would consider their children to be safe”, however he recounts an incident where an associate of his “went to a skip outside a school and received all sorts of stuff from an unwiped machine.”
“School is not a business like an IT business. The situation across the country seems so patchy – it’s hard to see anything consistent or coherent”.
No abstract issue
Booth also speculates on the wider use of the data and is especially troubled by ContactPoint.
“Over time one could see that this database could contain a massive amount of data. With everyone going through such a system, profiled every year, you’re building up a very detailed profile of someone.” He points out that “Information you couldn’t gather from adults is being sifted through…It would permit a future government to ethnically profile out a future population.”
If the data is fed through to ContactPoint, it will, Booth says “be exposed to, let’s say, one million individuals with access.” He adds that “I think if you asked 100 parents about the national pupil database, they wouldn’t have a clue…Because it’s required of schools, schools don’t feel they have to report this to parents”.
He posits a worst case scenario: “A mum is fleeing an abusive partner, and moves away, but wants to keep her daughter in school. Data in the MIS systems is routed to the national pupil database, to ContactPoint. There’s a route through already – a way to find someone.”
Booth concludes that “a lot of people think data privacy issues are abstract issues. If people thought through the actual consequences, they might pay more attention…We can show or demonstrate the possibilities. We would hate to be proved right. No one in government has been able to prove it couldn’t happen…ContactPoint can never be secured. It’s nuts to think that it could be.”
Education, education, education
“In my experience, parents want to protect their children...They see their children on the internet, and on games, and they know there must be threats. They react by forbidding the internet. This is wrong.” |
Anja Beyer, research assistant, |
Nightmares aside, if schools are going to adopt such technology, then schoolchildren themselves have a right, if not a legally enforced contract, to know about the issues surrounding security and data protection.
“In my experience, parents want to protect their children,” says Anja Beyer, a research assistant currently working on a PHD in virtualisation at the technical
Children “are not aware of the issues”, observes Beyer. “If you see how they behave, they give their password data on social networks, they are naïve on internet chat.”
Consequently, Beyer wishes to bring information security to schools.
“If [children] are in Facebook…they think that it is a closed room, so they exchange information. We have to teach them that it is not private.” Beyer is critical of Safer Internet day, a government initiative which in February this year sent experts to
“
Beyer wishes to implement a network of teachers, heads of schools, parents and experts. She insists that all teachers must be educated in infosec, because the computer “has a role” in the future of most, if not all subjects.
“In the past, it was only the internet and email. In the future it is blogs, and wiki. Every [few] years there are new media applications on the internet. It is difficult to educate [under these circumstances], but if we don’t do it there will be big problems.”
There may be an obstacle in inspiring an interest in the children for the subject, but Beyer sees an opportunity in computer games.
“At a university…I held a class called ‘IT security’, and no one wanted to take part. The next year, I called it ‘IT security in computer games’, and it was full.”
Their awareness, our future
In
“We wanted to put something back into society”, says John Colley, Managing Director (ISC) 2 EMEA. “Part of the (ISC) 2 mission is to make cyberspace a safer place. We want to ‘get people young’, tell them not to do bad things and to use the internet safely.”
(ISC) 2 have partnered with Childnet International, a non-profit organisation promoting information security education. The professionals sent from (ISC) 2 are provided free of charge, meaning they are able to field questions more comprehensively than a regular schoolteacher.
As for the audience, an 11 – 14 age range is chosen because they are “generally more sophisticated internet users - often they’re the main users in the home,” Colley explains. “There are some key messages that people should know about, particularly children, [such as] being a responsible cyber citizen.” Consequently, the course covers areas relevant to a young person: cyber-bullying and the legalities involved with downloading music, as well as more universal matters involving keeping a computer’s security system up to date and never giving away unnecessary information about one’s background.
“One of the things we find difficult is that the environment changes,” says Colley, echoing Beyer’s concerns. “One week [the children are] talking about Myspace, the next week it’s Facebook.”
However the course’s success is building with 7000 pupils already put through the system, 85 interested volunteers currently being put through the induction process and an international board of directors pushing the programme’s expansion across the globe into the US and Ireland. There is also a separate programme for older children being carried out in
The Lucker Nature Kindergarten near