Holding Schools to Account over Children's Data Security

Submitted by Ben on Sat, 21/01/2017 - 08:03
School and Nursery iPad App

The iPhone has just turned ten years old, and a lot has happened in that time, with the massive proliferation of apps for every conceivable purpose. But it's only recently that apps have started to make their way into nurseries.

I learned about it directly; my boys are at nursery (or "playgroup" in the US?), and we received a letter asking for consent to store their addresses, photos, care information and other details in the cloud. Small companies had successfully sold a mobile application to the nursery, and over the next months, we were told, they would be migrating all the progress logs and "learning journeys" into the app.

Now, I don't think that's a necessarily bad thing. If it means that the staff have more time to play with children because they're freed from tedious manual record-keeping, then that's great. But as I spend a great deal of my day working to keep websites safe, it did raise some questions in my mind as to the sanity of making this sort of switch.

  1. Computer security is hard. If Sony and Yahoo can't keep data safe, a tiny app company is not especially likely to be any better at it.
  2. Nursery staff are not likely to be security experts. Ingraining secure behaviour in users is a long, thankless task, and those users will actively work to thwart your best efforts.
  3. Collating personal information makes a breach all the more severe - one failure, and potentially sensitive information on thousands of children could be shared online.

Now, this is as true of schools as it is of nurseries, and I wanted to do something to make it easier for parents to hold schools to account over applications which they think could be a problem, or programmes which might be tricky. It looked like I wasn't alone in these concerns, and friends had started to contact me with similar stories. At the end of last year, a couple of us put a site online to address the issue.

School Data Watch is intended as a resource to which you can direct your school or nursery when you want to ensure that they're taking security seriously. It's not perfect, and it needs input from lots of people to get better, so I'd like to appeal to anyone who reads this to visit the site, get in touch, join the Facebook group (the irony is not lost on me, but it seems like the right approach), and help to build a resource that we can all use to help our schools deliver better, more secure applications for education.