The ink wasn't dry on Chris Dawson's posts (Laptops for teachers and How about handhelds for teachers?) when yet another news report was brought forth admitting to the theft of yet another government-owned laptop containing tens of thousands of names of potential victims of identity theft. Well, just how stupid can these people be?
When all of this technology was new, before Windows 2000, before WiFi and VPN, there might have been some reason why this data had to be stored locally to be useful. Today, though, there are many different ways to keep data secure yet make it available from pretty much anywhere in the world where those entrusted with that data might find themselves while performing their professional duties. So is there any excuse whatsoever for allowing sensitive data to be stored on a mobile device? Nope. None. Nada.
While student records do not rise to the level of financial records (or even criminal records), before any teacher is issued a laptop or a handheld device, Education IT needs to establish guidelines for the prudent use of those tools, and clearly defined sanctions for their misuse.
But first, here are just a few 'common sense' settings which education IT should include with a laptop or handheld:
These are technical characteristics and really need not apply to handhelds in most cases but any laptop without these services in place is at risk.
The data itself is another matter. Education IT should make sure that all student data is stored on a central server which is itself sitting behind a firewall -- in a secure "machine room". The data should be accessible only by a username and password known only to the individual seeking access. Web-based applications are the most convenient way to provide this access to the educator because they require no special software on the laptop or handheld. Ideally, direct access to this data is blocked by your network firewall, requiring the educator who has been issued the laptop to use VPN when off-campus to gain access to the network where the data is stored. This is especially useful in a WiFi setting. If your local network has WiFi, you should even consider isolating your campus WiFi from your LAN and requiring VPN to get behind your network firewall. This makes it harder for someone lurking in your parking lot to gain access to your sensitive data.
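One way to check a firewall rule table against that design, as an added example that is not part of the original post: it evaluates first-match rules and reports any path to the records server that does not go through the VPN. The address ranges, the VPN port, and the rule format are all constructed assumptions.

```python
import ipaddress as ip

# Constructed address plan (assumption): none of these values come from the article.
WIFI = ip.ip_network("10.20.0.0/16")       # campus WiFi, isolated from the LAN
VPN = ip.ip_network("10.30.0.0/24")        # addresses handed out to VPN clients
LAN = ip.ip_network("10.10.0.0/16")        # internal network behind the firewall
RECORDS = ip.ip_address("10.10.5.20")      # student-records web application
VPN_GATEWAY = ip.ip_address("10.40.0.1")   # VPN endpoint reachable from WiFi
VPN_PORT = 1194                            # assumed VPN listener port
ANY = ip.ip_network("0.0.0.0/0")

# Rule format (hypothetical): (action, source net, destination net, port or None = any)
HARDENED = [
    ("allow", VPN, ip.ip_network("10.10.5.20/32"), 443),
    ("allow", WIFI, ip.ip_network("10.40.0.1/32"), VPN_PORT),
    ("deny", ANY, ANY, None),
]
# Weak variant: WiFi bridged straight onto the LAN ahead of the other rules.
WEAK = [("allow", WIFI, LAN, None)] + HARDENED

def decide(rules, src, dst, port):
    """Return the action of the first matching rule; deny when nothing matches."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for action, src_net, dst_net, rule_port in rules:
        if src in src_net and dst in dst_net and rule_port in (None, port):
            return action
    return "deny"

def audit(rules):
    """List every way the rule table departs from the VPN-only design."""
    findings = []
    probes = {"wifi": WIFI[10], "internet": ip.ip_address("203.0.113.7")}
    for name, src in probes.items():
        if decide(rules, src, RECORDS, 443) == "allow":
            findings.append(f"{name} client can reach records server directly")
    if decide(rules, VPN[10], RECORDS, 443) != "allow":
        findings.append("VPN client cannot reach records server")
    if decide(rules, WIFI[10], VPN_GATEWAY, VPN_PORT) != "allow":
        findings.append("WiFi client cannot reach VPN gateway")
    return findings

if __name__ == "__main__":
    for label, rules in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit(rules) or "OK")
```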
And finally ... TRAINING, TRAINING, TRAINING!
Teach your educators how to use these mobile devices. If your educators understand why these safeguards are in place, they will be less likely to look for ways of bypassing them to save time. Let your educators know the perils of leaving student data they are working on unprotected on their laptops and handhelds. Stress that while these devices are incredibly useful for preparing and delivering curricula and lesson plans, they are not the best place to store data about students which could be used improperly by someone else.
Encourage your educators to rely on your servers for longer-term data storage by providing them personal space on your servers.
And of course, nobody wants to talk about sanctions -- especially when they involve honest mistakes, but ...
How often these days do well-intentioned individuals in an educational setting get publicly raked over the coals because they didn't know what others (mainly politicians) thought they should have known all along?
Our educators are not just 'disagreeable' users who are our adversaries. They are the people that Education IT is intended to serve -- so they can better serve our students. We need to properly arm them with the tools they need to do their jobs the best that they can.
Where sensitive data is concerned, it is our job to provide safe and secure tools so that educators can do their jobs, but it is also our job to set expectations for the proper use of those tools. Misuse needs to be addressed swiftly and fairly in order to avoid what starts out as a minor infraction turning into a full-blown incident involving the educator, the school district, and the legal system.