Is it a breach of the DPA to allowed staff to login to the VLE from any IP address including from countries with little data protection and allow them to download pupil data  or should it be restricted to uk only ?

Borked Pseudo Mailed wrote:
> Is it a breach of the DPA to allowed staff to login to the VLE from any IP address including from countries with little data protection and allow them to download pupil data  or should it be restricted to uk only ?

Since it's pretty trivial to bypass any such blocks, I don't see the 
point in implementing them.

deKay
-- 
  Lofi Gaming - http://lofi-gaming.org.uk
  Gaming Diary - http://lofi-gaming.org.uk/diary
  Blog - http://lofi-gaming.org.uk/blog
  My computer runs at 3.5MHz and I'm proud of that

On 12 Jun, 20:57, Borked Pseudo Mailed 
wrote:
> Is it a breach of the DPA to allowed staff to login to the VLE from any IP address including from countries with little data protection and allow them to download pupil data  or should it be restricted to uk only ?

I would say yes, one of your responsibilities as a Data Collector is
to make sure it isnt used in countries outside of teh EU.

It doesnt really matter whether its easy to get round the security of
the VLE (actually a username and password is adequate security
anyway).

PW

Soni tempori elseu romani yeof helsforo nisson ol sefini ill des Fri, 13 Jun
2008 00:26:31 -0700 (PDT), sefini jorgo geanyet des mani yeof do
uk.education.schools-it, yawatina tan reek esk Phipper 
fornis do marikano es bono tan el:

>It doesnt really matter whether its easy to get round the security of
>the VLE (actually a username and password is adequate security
>anyway).

But since you can't successfully block access by IP address, what's the point
of doing it?

On Jun 13, 8:54 am, deKay  wrote:
> Soni tempori elseu romani yeof helsforo nisson ol sefini ill des Fri, 13 Jun
> 2008 00:26:31 -0700 (PDT), sefini jorgo geanyet des mani yeof do
> uk.education.schools-it, yawatina tan reek esk Phipper 
> fornis do marikano es bono tan el:
>
> >It doesnt really matter whether its easy to get round the security of
> >the VLE (actually a username and password is adequate security
> >anyway).
>
> But since you can't successfully block access by IP address, what's the point
> of doing it?

Isn't that the same as saying that people can pick locks, so what's
the point of locking my front door?

maffster wrote:
> On Jun 13, 8:54 am, deKay  wrote:
>> Soni tempori elseu romani yeof helsforo nisson ol sefini ill des Fri, 13 Jun
>> 2008 00:26:31 -0700 (PDT), sefini jorgo geanyet des mani yeof do
>> uk.education.schools-it, yawatina tan reek esk Phipper 
>> fornis do marikano es bono tan el:
>>
>>> It doesnt really matter whether its easy to get round the security of
>>> the VLE (actually a username and password is adequate security
>>> anyway).
>> But since you can't successfully block access by IP address, what's the point
>> of doing it?
> 
> Isn't that the same as saying that people can pick locks, so what's
> the point of locking my front door?

No, it's more like leaving the door unlocked but with a sign on it 
asking people not to break in.

deKay
-- 
  Lofi Gaming - http://lofi-gaming.org.uk
  Gaming Diary - http://lofi-gaming.org.uk/diary
  Blog - http://lofi-gaming.org.uk/blog
  My computer runs at 3.5MHz and I'm proud of that

On 15 Jun, 09:26, deKay <an...@deleteme.lofi-
gaming.nospam.org.uk.invalid> wrote:
> maffster wrote:
> > On Jun 13, 8:54 am, deKay  wrote:
> >> Soni tempori elseu romani yeof helsforo nisson ol sefini ill des Fri, 13 Jun
> >> 2008 00:26:31 -0700 (PDT), sefini jorgo geanyet des mani yeof do
> >> uk.education.schools-it, yawatina tan reek esk Phipper 
> >> fornis do marikano es bono tan el:
>
> >>> It doesnt really matter whether its easy to get round the security of
> >>> the VLE (actually a username and password is adequate security
> >>> anyway).
> >> But since you can't successfully block access by IP address, what's the point
> >> of doing it?
>
> > Isn't that the same as saying that people can pick locks, so what's
> > the point of locking my front door?
>
> No, it's more like leaving the door unlocked but with a sign on it
> asking people not to break in.
>
> deKay
> --


The original question was whether staff should be allowed to access
the vle from abroad.

Its not a security issue, online systems may always be hacked,
although its usually because of a slack user breaching guidelines.

Allowing staff to access the vle from abroad may open additional
vulnerabilities and if the data 'escapes' abroad it may not be covered
by legislation including the dpa


>   Lofi Gaming -http://lofi-gaming.org.uk
>   Gaming Diary -http://lofi-gaming.org.uk/diary
>   Blog -http://lofi-gaming.org.uk/blog
>   My computer runs at 3.5MHz and I'm proud of that

Phipper wrote:

> The original question was whether staff should be allowed to access
> the vle from abroad.

Well, our VLE is hosted in Norway, so technically *we're* abroad already...

deKay
-- 
  Lofi Gaming - http://lofi-gaming.org.uk
  Gaming Diary - http://lofi-gaming.org.uk/diary
  Blog - http://lofi-gaming.org.uk/blog
  My computer runs at 3.5MHz and I'm proud of that

On 12 Jun, 20:57, Borked Pseudo Mailed 
wrote:
> Is it a breach of the DPA to allowed staff to login to the VLE from any IP address including from countries with little data protection and allow them to download pupil data  or should it be restricted to uk only ?

The aspect of the Data Protection Principles is that of

[The data protection principles state ... ] that personal data will:
•	not be transferred to a country outside the European Economic Area,
unless that country has equivalent levels of protection for personal
data, except in specified circumstances.

This can be taken to mean that the data will not be stored or sent to
people outside the EEA. A teacher on a working holiday to Oz might
look at student data hosted at his school in London on his own machine
connected to an ISP. The issue is not with this but staff download
personal data in a cyber cafe and that is relevant in Norwich as much
as it is in Nigeria. The specified circumstances can include the use
of data by those entitle to do so on relevant hardware (usually owned
by the data user or by the data holder).

As with all things DPA a certain amount of common sense is available
here.

Tony Sheppard

Phipper  wrote:
> On 12 Jun, 20:57, Borked Pseudo Mailed 
> wrote:
> > Is it a breach of the DPA to allowed staff to login to the VLE from any IP address including from countries with little data protection and allow them to download pupil data ?or should it be restricted to uk only ?

> I would say yes, one of your responsibilities as a Data Collector is
> to make sure it isnt used in countries outside of teh EU.

It's more complex than that. Since there are non-EU countries which have
either compatable laws or treaty agreements with the UK.

> It doesnt really matter whether its easy to get round the security of
> the VLE (actually a username and password is adequate security
> anyway).

Unless you use purely HTTP or a badly designed HTTPS form which means
this information isn't remotely secure.

This is likely to be an issue with the likes of Sweden even though this
is an EU member state.

-- 
Mark Evans
St. Peter's CofE Aided School
Phone: +44 1392 204764 X241
Fax: +44 1392 204763