[Advisory] Sending pupil-level data outside of the school

[Frances Burton]

I agree with Paul here, what you describe is exactly the process a SAML profile such as Shibboleth will do to authenticate a user to access an online service. The UK Access Management Federation provides the "trust" fabric that underpins the use of the technology.

I think it's important to distinguish here, though, between data you pass to authenticate a user to access a service and the data you provide to the third party that provisions the service - such as class and pupil data for remote hosted VLEs. Passing this data comes very much in the realm of the DPA and the guidance from the ICO is very clear on what can or cannot be passed inside and outside the EU as well as within those zones that have safe harbour agreements.

Their guidance notes are very helpful with this http://www.ico.gov.uk/what_we_cover/data_protection.aspx

The UK federation exists to facilitate and promote the privacy preserving authentication to online services and content, it is funded for the schools sector in England and is free to participate in for organisations serving the education community in the UK.

Please do contact me if you would like any further info on the take up of Federated Access Management in the UK schools sector

Kind regards

Frances Burton
Schools & FE Co-ordinator: UK federation
JANET (UK)

-----Original Message-----
From: advisory-admin@talk.naace.org [mailto:advisory-admin@talk.naace.org] On Behalf Of Crispin Weston
Sent: 02 December 2009 08:39
To: 'Miles Berry'; advisory@talk.naace.org
Subject: RE: [Advisory] Sending pupil-level data outside of the school

I agree with Miles.
We have been having a similar discussion within SALTIS re.
VLE-to-learning-service interoperability, as part of the BECTA/ISB content
packaging profile discussions.
The position being taken by the requirements for this project is that there
should be a Chinese wall around the school platform (including MIS and VLE)
outside which student identity should not go. 
The VLE should therefore send to third-party content services a unique but
anonymous identifier for a student, as well as a term of address (and in
future, perhaps other key data for licensing purposes, such as school
membership, and for profiling purposes such as competency, preference and
accessibility data). 
So the content service would know that this was "Fred" with an ID of
"{25892e17-80f6-415f-9c65-7395632f0223}" who was the *same* Fred that did
some work last Friday - but nothing more.
I anticipate that the profile work will be backed by guidelines which would
make clear that, to preserve the anonymity of the identifier, compliant
content services should not solicit personal details from students.
I think the business of tracking "trusted" third-party services would be
bureaucratic nightmare, which would erect unnecessary barriers in the way of
new entrants to the market.
Crispin.

> -----Original Message-----
> From: advisory-admin@talk.naace.org [mailto:advisory-
> admin@talk.naace.org] On Behalf Of Miles Berry
> Sent: 02 December 2009 08:19
> To: advisory@talk.naace.org
> Subject: Re: [Advisory] Sending pupil-level data outside of the
> school
> 
> I'm a big fan of Google Apps for schools, and I could imagine others
> having a similar enthusiasm for live@edu, but have a nagging concern
> about using cloud based services to store pupil level data; I have a
> passing acquaintance with safe harbour agreements, and know Google
> are
> registered as part of the programme, but wonder if this is enough to
> set my mind at ease.
> 
> Best wishes,
> Miles.
> 
> 2009/12/2 Mike Bostock <mike@new-media-learning.org>:
> > This issue is an important one to get right.
> > If a school asks if it is safe to send pupil level data off to
> some company
> > or organisation, I am not sure what the authoritative answer would
> be.
> > It is a good one for Naace members to be certain of.
> >
> > Becta has a useful page at :
> >
> >
> http://schools.becta.org.uk/index.php?catcode=ss_lv_saf_dp_03&rid=14
> 734&section=lv
> >
> > There is a useful 'Dos and Don'ts' document which talks about
> using
> > encryption amongst other things.
> >
> > I would like to see some advice on how a school ensures how that
> data is
> > used once it gets to whoever it is intended for.  I would expect
> privacy
> > policies, Data Protection Act and CRB checks to be mentioned  -
> but I
> > haven't yet discovered a good source of reference.
> >
> > Can anyone throw some light on whether there is a (short)
> statement that
> > would represent a good practical answer to the original question?
> >
> > Mike Bostock
> >
> ...
> 
> 
> 
> --
> Miles Berry
> Senior Lecturer, ICT | Roehampton University | roehampton.ac.uk |
> 0208 392 3241
> Community Manager | Open Source Schools | opensourceschools.org.uk |
> 07779 628656
> Blogger | milesberry.net
> Twit | twitter.com/mberry
> 
> _______________________________________________
> Advisory mailing list Advisory@talk.naace.org
> http://talk.naace.org/mm/listinfo/advisory
> To unsubscribe send a message to Advisory-admin@talk.naace.org with
> the body text:
> 
> unsubscribe Advisory YourEmailAddress
> 
> or: send a message to Advisory-request@talk.naace.org
> with the body text:
> 
> unsubscribe YourPassword YourEmailAddress


_______________________________________________
Advisory mailing list Advisory@talk.naace.org http://talk.naace.org/mm/listinfo/advisory
To unsubscribe send a message to Advisory-admin@talk.naace.org with the body text:

unsubscribe Advisory YourEmailAddress

or: send a message to Advisory-request@talk.naace.org
with the body text:

unsubscribe YourPassword YourEmailAddress

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG