By law, schools must ensure that the sending of personal and confidential data by email is secure, either by using a trusted network or by encrypting the data.
The status of security of emails between establishments within Somerset has changed due to some schools using their own email service.
All emails from Somerset LA employees are encrypted through ‘Egress’.
Replies to emails from Somerset LA employees will have the same level of security placed on them as the original email.
The EDUC email service is seen as ‘trusted’ by the county network. This is a change from the original deployment of Egress.
Schools that use their own email service are not ‘trusted’ and will need to register to receive ‘egressed’ emails.
Schools should consider a series of questions when replying to requests for personal data.
If schools send personal or confidential data to agencies outside of the Somerset trusted network, then they must protect the data through encryption. This includes emails sent to Governors' personal email boxes.
Schools (including Governors) in Somerset have traditionally been provisioned with an email service (educ.somerset.gov.uk) that has been maintained centrally and, in conjunction with the Local Authority email service (somerset.gov.uk), provided a secure communication method for the transmission of personal data.
Because of changes in school technology and administrative environments many schools now use their own email services.
The default position is now that the sending of personal data through email, even from Somerset ‘EDUC’ accounts to other accounts, can no longer be guaranteed to have the necessary security for the transfer of personal or confidential data.
The Global Address List now includes email addresses that have not been created within a known safe environment and these addresses are therefore not known to be secure.
Personal and/or confidential data should only be emailed using a service that ensures encryption and/or password security.
13/04/2020 1 igover@somerset.gov.uk
All Somerset LA employees (not schools) have been provided with a method of protecting emails using a service called Egress. As the EDUC email system is now seen as a ‘trusted’ service, the use of Egress is hidden to schools. This is a change from the original deployment when, to receive an ‘egressed’ email, EDUC users had to subscribe to the service.
At this point in time, emails that are ‘egressed’ by Somerset LA users will appear to be normal emails to schools' EDUC users. Those schools that do not use the EDUC system will have to register with Egress to receive the emails.
Because the original deployment led people to register an account, some are still using this facility, including the ‘free’ credits that enable them to send a limited number of encrypted emails.
Below are a series of questions that could be used to heighten the security of the transmission of personal data.
Personal data is seen by the Information Commissioner's Office as:
Personal data means data which relate to a living individual who can be identified. [1]
With a further definition of sensitive data which includes ethnicity, politics, religion, health, sexual life and criminal activity.
[1] http://ico.org.uk/for_organisations/data_protection/the_guide/key_definitions#personal-data
If someone asks for an item of personal data, the first question that you must consider is if it is a legitimate request. If you are not sure as to its legitimacy, ask someone else at your establishment for their opinion. If you are going to refuse a request (or are going to take some time to answer) then let the requester know of your decision. Many requests will fall under the Subject Access Request or Freedom of Information procedures of the school.
The information that the requester has asked for might already be available.
They could ask for a list of staff, emails and job titles and this could already be on the school's website. If this is the case then provide the requester with the link to this information.
Dangers exist in the transmission of the data. Many schools have MIS systems, remote access to secure file servers or use secure storage such as the Somerset Learning Platform, meaning people can be given access to data without the need for transmission. An example of this could be teachers having remote access to MIS packages or using a shared markbook spreadsheet held in a secure area.
If it is reasonable and practical to allow the requester access then these should always be used in preference to the transmission of data. Schools must be aware that if the data is downloaded onto the user's hard drive then there are potential Data Protection breaches for which the school is responsible.
Emails sent within a single email provision will inevitably have the correct level of encryption. The issue arises if the recipient's email address is outside that single email provision (domain) or the email is sent over the internet through a network that has unknown security.
If the request has been made through an ‘egress’ email account then replies will also be encrypted.
If you can guarantee that the school is on the Somerset trusted network and you are using an ‘educ’ account, then sending personal data is secure.
At the moment there are two recommended ways of transmitting personal data. The first is using a service that automatically encrypts the file and then provides security methods that allow the end user to access the data. The second is the recommended method from the DfE, which includes ‘zipping’ the file, creating a password and then transmitting this.
Schools could buy into a service that allows the encryption of their emails. Once deployed, these place a button on, say, the Outlook client, which eases the process of automating the encryption.
The LA adopted the service from Egress (http://www.egress.com/).
The DfE have issued guidance on how data should be sent from school to school. [2] Known as S2S, this provides secure ways in which to transmit personal data.
Instructions on how to use this service are given here: https://www.gov.uk/school-to-school-service-how-to-transfer-information
Details on how to encrypt files using WinZip are on page 7 of the PDF guide, to be found here: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/360444/DfE_S2S_Guide_Schools.pdf
[2] https://www.gov.uk/school-to-school-service-how-to-transfer-information