GDPR Question

[Peter Barry]

Hi Folks,

GDPR is nearly upon us and I have an interesting question concerning the "student data domain".

Our students all have access to our LAN and thru this they access Google Suite which is password protected.

However LAN access is achieved thru a generic username and NO password.

Some teachers set projects and tasks that results in Student owned data on the network.

Each student has their own network folder which is not protected.

Students can and have access each others folders, hidden and removed their data.

 

Question.

Are we in breach of GDPR if student generated data or outputs from school projects are not

protected from other students?

Is there anyone out there who synchronises from VSware to LDAP to Google Suite?

This is a solution, which we have in our strategic plan but if the answer to the question above is we are in breach of GDPR

then we need to start looking at it now.

Any comment appreciated.

Peter

[Danny Murray]

We've had a similar setup except that we do have logins so they also have their own "My documents" on top of the shared mess that is "student files". To be honest I'd love to be rid of it so that more students would use Google Drive which is far easier to share and view on mobile devices.

I suppose the issue with that is if a student were to upload some dodgy material on your LAN, it would be tricky to find who did it because you can't see who had logged in, especially if they cleared their logs. I'm not sure but isn't there a line about "taking all reasonable measures to protect student data"?.

I'd love to know the answer to this question. Looking forward to getting to grips with GDPR!

--
--
You received this message because you are subscribed to the Google
Groups "CESI-list" group.
To post to this group, send email to cesi...@googlegroups.com
To unsubscribe from this group, send email to cesi-list+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cesi-list?hl=en-GB where all messages are archived and are publically available to non members of the list. Messages may also show up in search engines etc.
Visit the web site www.cesi.ie
Attempts to use the list for commercial purposes may result removal from the list.
---
You received this message because you are subscribed to the Google Groups "CESI-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cesi-list+unsubscribe@googlegroups.com.
To post to this group, send email to cesi...@googlegroups.com.
Visit this group at https://groups.google.com/group/cesi-list.
For more options, visit https://groups.google.com/d/optout.

[Andrew Howden]

Hi Peter,

I don't think you need to worry too much, although best practice is that users have their own username and password... I guess the fuller answer thought is that it depends on the data that children have access to, exam data, medical records etc. should all be secure (just as they should be now).

You could so easily get tied up in knots complying with the GDPR, in fact for a school to be fully compliant, I doubt it would be possible to function, at least against the same operating budget. Equally due to it being linked to case law, wherever compliance looks like in May may be different in June etc. More just for info: The "12 steps" is a good high level resource and combined with a risk based approach should see you through.

VSWare doesn't support OAuth (that I'm aware of) so integration with AD/LDAP and G Suite isn't possible. Google GCDS integrates G Suite into AD/LDAP and there are even tools for sync'ing the other way around!

Thanks,

Andrew

---
Andrew Howden | Education Technology Consultant | North27 Limited

Mob: +44 (0)7746 424612
Tel: +44 (0)1604 550127

Email: andrew...@north27.co.uk

LinkedIn: https://www.linkedin.com/in/andrew-howden

Web: https://www.north27.co.uk

On 15 January 2018 at 20:16, Peter Barry <pjb...@tcd.ie> wrote:

--

--
You received this message because you are subscribed to the Google
Groups "CESI-list" group.
To post to this group, send email to cesi...@googlegroups.com
To unsubscribe from this group, send email to cesi-list+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cesi-list?hl=en-GB where all messages are archived and are publically available to non members of the list. Messages may also show up in search engines etc.
Visit the web site www.cesi.ie
Attempts to use the list for commercial purposes may result removal from the list.
---
You received this message because you are subscribed to the Google Groups "CESI-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cesi-list+unsubscribe@googlegroups.com.
To post to this group, send email to cesi...@googlegroups.com.
Visit this group at https://groups.google.com/group/cesi-list.
For more options, visit https://groups.google.com/d/optout.

Office address: North27 Limited, Innovation Centre, Green Street, Northampton. NN1 1SY
Registered in England, No: 8407259. VAT No: GB 190835196.

If you receive this email by mistake, please let us know and/or delete it. Please do not forward it. We believe that it is free of viruses, but even so we cannot be responsible for any electronic infection that it may have acquired.

[J Muller]

GDPR is going to be an interesting journey for many. One might think that it is all crystallized and clear, but it is not. 

MS is, of course, lobbying to choose Onedrive over Gdrive and pointing out the lower risk of Onedrive. Flipside is that G Suite is getting more popular in EU based schools because iPads and ther devices just can use cloud for collaboration and storage so much more easily.

There is a risk that Google will be challenged on still having a link to US-based storage of some information. That could mean Google-users could be forced into a costly switch. Then again, Google might change their infrastructure (One of their competitors Zoho has created a separated EU infastructure split off from their original US-Based only infrastructure.).  With the number of schools using Google-classroom inside the EU the risks are slowly reducing, but it is a risk.

Main risk would be sensitive data. But that has not been clearly defined in many cases. Copies of sensitive medical information would certainly be sensitive and I'm sure many would process that in separate processes and systems, but google-virtual tours? Again. Time will tell but some schools at least are sticking with Google or even switching to google. 

Technically speaking the USA-based schools are ahead of the EU with regards to cloud-based working and thinking. Notice the comments from some ed-tech people in this discussion https://community.spiceworks.com/topic/1430684-options-for-going-server-less-via-google-apps  which also shows that some districts and schools that use G-Suite simply use GAM and not AD. So they really separate employee/teacher-info from teaching/student info. 

A post like this one https://plus.google.com/103723674888705137050/posts/j5F3WxcD8aR  shows the 16 servers a group of 10 schools with 2500 pupils is donating to a technical college after moving their data into G Suite. If you have doubts about the provenance you can easily follow the posts of that same admin about their roll-out. 

So in fellow GDPR countries it is already being done (Going serverless). As you may imagine, the technology is fairly easy to understand, it is probably best to pay proper attention to the human side of things. Make a comparison with a onedrive based solution, for example, to compare risks and costs. 

 

[Greg Ashe]

We switched the entire student body to G-Suite by converting student computers to ChromeOS. So there is now separation between students and teachers. ChromeOS computers are all directly part of HeaNet 87.x.x.x. network, teacher computers are Windows AD on internal 192.168.*.* network.

Gregory Ashe

IT Manager

Main: +353 61 621010

Direct: +353 61 386443

Mobile: +353 87 2346850

Email: g...@glenstal.com

www.glenstal.com

--
--
You received this message because you are subscribed to the Google
Groups "CESI-list" group.
To post to this group, send email to cesi...@googlegroups.com
To unsubscribe from this group, send email to cesi-list+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cesi-list?hl=en-GB where all messages are archived and are publically available to non members of the list. Messages may also show up in search engines etc.
Visit the web site www.cesi.ie
Attempts to use the list for commercial purposes may result removal from the list.
---
You received this message because you are subscribed to the Google Groups "CESI-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cesi-list+unsubscribe@googlegroups.com.
To post to this group, send email to cesi...@googlegroups.com.
Visit this group at https://groups.google.com/group/cesi-list.
For more options, visit https://groups.google.com/d/optout.

---

NB Disclaimer Important: ​

Information in this email (including attachments) is confidential. It is intended for receipt and consideration only by the intended recipient. If you are not an addressee or intended recipient, any use, dissemination, distribution, disclosure, publication or copying of information contained in this email is strictly prohibited. Opinions expressed in this email may be personal to the author and are not necessarily the opinions of Glenstal Abbey or Glenstal Abbey School. If this email has been received by you in error we would be grateful if you could immediately notify the sender, and thereafter delete this e-mail from your system.  

You are requested to carry out your own virus check before opening any attachment. The author, as well as Glenstal Abbey and Glenstal Abbey School, accept no liability for any loss or damage which may be caused by viruses, malware or malicious software.

​

Please consider the environment before printing this email.​

---

[Imogen Bertin]

A large number of third level students use G-Suite through their college for their educational accounts and I doubt that would be changed to MS on cost grounds, but who knows?

--

Reagrove, Minane Bridge, Co. Cork, Ireland P17 KH32
Tel: +353 87 2655261 Landline: 021 4887300 Email: imo...@ctc.ie 

https://www.techability.ie 

[J Muller]

Just what I was thinking. Teachers on internal network, much of the teaching-materials in G-suite.  I am not sure how common it is in Ireland. 

Would you be willing to share a bit more about your setup and experiences. The few times I asked educators in charge of these environments they usually said that G Suite had been easy and reliable. Problems were usually related to connectivity rather than G Suite. Some compared the staff's O365 and students' G suite implementation and referred to the latter as "a party" compared to the former. My impression is that converting the teaching-materials to G Suite is less hard than expected, as is the process of getting teacher to us it and the uptake on the students' side. But that may be different in your case. i also have not heard of implementations in Gaelic, which may be exotic enough to have specific adoption problems.

Thanks,

J. Muller

On Tuesday, 16 January 2018 08:36:41 UTC, Greg Ashe wrote:

We switched the entire student body to G-Suite by converting student computers to ChromeOS. So there is now separation between students and teachers. ChromeOS computers are all directly part of HeaNet 87.x.x.x. network, teacher computers are Windows AD on internal 192.168.*.* network.

Gregory Ashe

IT Manager

Main: +353 61 621010

Direct: +353 61 386443

Mobile: +353 87 2346850

Email: g...@glenstal.com

www.glenstal.com

On 16 January 2018 at 00:25, 'J Muller' via CESI-list <cesi...@googlegroups.com> wrote:

GDPR is going to be an interesting journey for many. One might think that it is all crystallized and clear, but it is not. 

MS is, of course, lobbying to choose Onedrive over Gdrive and pointing out the lower risk of Onedrive. Flipside is that G Suite is getting more popular in EU based schools because iPads and ther devices just can use cloud for collaboration and storage so much more easily.

There is a risk that Google will be challenged on still having a link to US-based storage of some information. That could mean Google-users could be forced into a costly switch. Then again, Google might change their infrastructure (One of their competitors Zoho has created a separated EU infastructure split off from their original US-Based only infrastructure.).  With the number of schools using Google-classroom inside the EU the risks are slowly reducing, but it is a risk.

Main risk would be sensitive data. But that has not been clearly defined in many cases. Copies of sensitive medical information would certainly be sensitive and I'm sure many would process that in separate processes and systems, but google-virtual tours? Again. Time will tell but some schools at least are sticking with Google or even switching to google. 

Technically speaking the USA-based schools are ahead of the EU with regards to cloud-based working and thinking. Notice the comments from some ed-tech people in this discussion https://community.spiceworks.com/topic/1430684-options-for-going-server-less-via-google-apps  which also shows that some districts and schools that use G-Suite simply use GAM and not AD. So they really separate employee/teacher-info from teaching/student info. 

A post like this one https://plus.google.com/103723674888705137050/posts/j5F3WxcD8aR  shows the 16 servers a group of 10 schools with 2500 pupils is donating to a technical college after moving their data into G Suite. If you have doubts about the provenance you can easily follow the posts of that same admin about their roll-out. 

So in fellow GDPR countries it is already being done (Going serverless). As you may imagine, the technology is fairly easy to understand, it is probably best to pay proper attention to the human side of things. Make a comparison with a onedrive based solution, for example, to compare risks and costs. 

 

--
--
You received this message because you are subscribed to the Google
Groups "CESI-list" group.
To post to this group, send email to cesi...@googlegroups.com

To unsubscribe from this group, send email to cesi-list+...@googlegroups.com

For more options, visit this group at http://groups.google.com/group/cesi-list?hl=en-GB where all messages are archived and are publically available to non members of the list. Messages may also show up in search engines etc.
Visit the web site www.cesi.ie
Attempts to use the list for commercial purposes may result removal from the list.
---
You received this message because you are subscribed to the Google Groups "CESI-list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to cesi-list+...@googlegroups.com.

To post to this group, send email to cesi...@googlegroups.com.
Visit this group at https://groups.google.com/group/cesi-list.
For more options, visit https://groups.google.com/d/optout.

[Ray O'Brien]

Im going to make a stab here and address the question posed;

Question:

Are we in breach of GDPR if student generated data or outputs from school projects are not

protected from other students?

Answer:- Open to corrections.

Without more information, my answer will be "maybe".  GDPR is concerned with any information that can easily identify an individual. It does allow for recommending proper access controls to be in place and they really should be - where necessary.

The question can be answered more efficiently if you can shed light on the type of data being stored inside these network student folders.

Step One:  Know your data!

Step Two: Repeat step one!

For example, if your student folders are titled with the Students Name, this can easily identify a person/student.

The same, if a student submits an assignment with a coversheet containing their name or other information like date of birth, email address, home address, etc.

- i try to encourage schools to use a student number(maybe their Dept. ID or some other number sequence) opposed to the students name.  This obfuscates the identity of the user.  I also recommend access controls! i.e. everyone has their own account with their own secure folder.

How about, If the student stores correspondence in the folder - possibly from a guidance councillor  is it possible, the student may become embarrassed or compromised if another student takes information from one of these folders?  These documents may contain personal and possibly sensitive information.

Another Conversation Topic: Assignment Content:

The content of the assignment may come into question if the topic is "The family Tree" for example.  Has the Dept. offered any insight on how to deal

with posting assignments to students which request the student to reveal personal information on them and/or others to answer the assignment brief?

So.  Step One.  Know your data!  All other GDPR answers will fall into place after step one.

To unsubscribe from this group, send email to cesi-list+unsubscribe@googlegroups.com

For more options, visit this group at http://groups.google.com/group/cesi-list?hl=en-GB where all messages are archived and are publically available to non members of the list. Messages may also show up in search engines etc.
Visit the web site www.cesi.ie
Attempts to use the list for commercial purposes may result removal from the list.
---
You received this message because you are subscribed to the Google Groups "CESI-list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to cesi-list+unsubscribe@googlegroups.com.

To post to this group, send email to cesi...@googlegroups.com.
Visit this group at https://groups.google.com/group/cesi-list.
For more options, visit https://groups.google.com/d/optout.

--

Raymond O'Brien
ray.o...@gmail.com
http://www.rayobrien.com

[Hassan Dabbagh]

Hi, 

I've been keeping an eye on this thread because GDPR is something I'm thinking about a lot lately, in fact, I worried that we are all coming at this from different sides. 

1) student personal data

2)mailing list we use for students

3)students saved work

4)teachers doing corrections at home, were the student is identifiable by , name, email address OR image. ( over thinking again)

5)creating separate domains and ranges and lockdowns work work if a laptop that has access to these doesn't have a password on it, were I can pick up the phone  laptop and Identify a students name image or email address (NOW I'm really over thinking)

I really don't think G-Suite V Office 365 is an argument, I said I don't THINK it is. for example I use G-suite in all the schools I'm in as well as for the business and there are more like me across Europe. The server argument doesn't work anymore because that would mean we can't use WordPress, OR sign up to other edtech tools and apps. (I don't know and I think I'm over thinking it) 

I'm lucky enough to be going to BETT this year so I'll see if I can nail-down some experts and see what the story is.  I'll ask them and questions from this thread and the previous GDPR Thread. 

I realise this doesn't answer any questions. but in the mean time I asked Google about GDPR and this is what it said: 

https://www.google.com/cloud/security/gdpr/ 

and to be fail I asked Microsoft and this is what it said:

https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx

[Chris Reina]

It would be difficult to see existing GSuite users change to MS on cost-only grounds… as Suite is free and MS has costs.

However, I know a few schools who have - not by choice - they were forced to… all ETB schools.

I can also assure you that they were extremely unhappy - in fact - 2 of the schools are fully MS schools… on the surface - while using GSuite in the background for file sharing, creation and storage. (confusion abounds!)

I was told (roughly) “I’m sure it contravenes something - but we just want to work simply. MS is too complicated.” This seems to me to be the crux of the matter… top-level people institute rules (often for good reasons) but schools, teachers and students on the ground just want to learn and work.

There are excellent reasons to keeping data out of servers overseas - but what of the other tools we use? Book Creator, IXL, Kahoot, DuoLingo, Scratch, Thinglink, etc., etc. Not to mention simple websites schools visit regularly as sources of information and learning.

Where are any of these servers based? When using Siri, Cortana, Alexa, or Assistant - those voice requests go to a server to check (often in the clear and certainly telemetry data is kept)

Just for the fun(?) of it - stick a website into this: https://check-host.net/

I think we as technical people have a responsibility to do the best we can to protect students (and ourselves!) but need to make sure it doesn’t prohibit learning.

Chris

To unsubscribe from this group, send email to cesi-list+...@googlegroups.com

For more options, visit this group at http://groups.google.com/group/cesi-list?hl=en-GB where all messages are archived and are publically available to non members of the list. Messages may also show up in search engines etc.
Visit the web site www.cesi.ie
Attempts to use the list for commercial purposes may result removal from the list.
---
You received this message because you are subscribed to the Google Groups "CESI-list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to cesi-list+...@googlegroups.com.

[Chris Reina]

Great links Hass…

Do you think you’re overthinking the overthinking?

:-)

C

[Cathleen Hartnett QA Services]

Data Protection Training Workshops

These workshops may be of interest ..........

The Fundamentals of Data Protection Workshop

·        Wednesday 31 January, Cork Education Centre, Western Rd, Cork, 10am to 1pm

·        Wednesday 7 February, Guinness Enterprise Centre, Dublin 8, 10am to 1pm

2.    How to Design a Data Protection Policy  

(a basic knowledge of data protection legislation is required)

·        Wednesday 31 January, Cork Education Centre, Western Rd, Cork, 2pm to 6.00pm

·        Thursday 8 February, Guinness Enterprise Centre, Dublin 8, 10am to 2.30pm

We also deliver these workshops onsite for clients tailored to their specific needs. Please contact us if you would like information about customised training.

Book at http://qaservices.eventbrite.ie

[J Muller]

I have given your question with regards to account-sharing some more thought.

Account sharing and/or password sharing happens a lot. But fact remains it is a bad practice. Account sharing is a bad practice because it makes it unclear who owns and who last edited a file. Terms like non-repudiation, authentication/authorization etc. all go against the grain of password sharing. 

What cloud-alternatives are there? Shared folders. These require some getting used to, but they are widely used. It does no take highly educated users to use shared folders. 

is it possible to continue account/password sharing with cloud-storage? No. It will trigger all kinds of security alerts and can  get your account blocked. So, do not try to copy the current practice from the LAN to the cloud/G Suite, because it will give you heaps of problems if you try.

Would our current setup need a lot of work to go serverless? Well, even with shared folders you need to inform and train users to some extent. Flipside is that a lot of tech-admin related to owning/having a file-server gets eliminated. 

As domains and schools open up to access from the outside the problem of account-sharing will become more serious. If you cannot get rid of the practice, make sure you document it as a known risk. 

The same person responsible as per the GDPR would decide on what is OK and what can be documented & how. So ask them.  

I hope this helps. 

[J Muller]

The Danish Ministry of Justice has published:

http://hedskole.dk/datasikkerhed-i-g-suite-for-education-justitsministeriets-betaenkning-1565/   Google-translate gives a good enough translation.

"On December 8, 2017, the Data Protection Authority Hedensted Municipality granted permission to use Google Apps for Education (now called the same product G Suite for Education) to process personal data."

So the risks of GDPR for G Suite appear to be going down as slowly EU countries are starting to allow it.

[Donal O]

UK JISC positions and info on GDPR https://community.jisc.ac.uk/blogs/regulatory-developments?f%5B0%5D=im_field_tags%3A2705

Note: JISC is UK membership organisation, providing digital solutions for UK education and research.