Information Security in childcare

This past year I have been lucky to work as a non-executive Director of the family business in Information Security, and as a new and active Director of the other family business in childcare. Not surprisingly I have found time to combine both interests, and have been privileged to work with talented MSc students from the University of Lancaster on dissertation projects looking into issues of Information Security in childcare.

The childcare sector - called Early Years in officialdom - is heavily regulated: not only the learning and development of young children, but their safeguarding, is laid down in depth and detail but also left to the responsibility of individual providers. The legislative and statutory guidance landscape is broad, with much overlap in requirements: at least five specific Acts of Parliament and Statutory Guidance, for example, set out legal requirements for Information Sharing.

The sector is also special for having very far-reaching information gathering and sharing needs. For a young child settling into nursery, a lot of personal and sensitive information is collected: their favourite toy, colour, activity to help their carers know them and help them to be happy; their allergies, medical needs, and food preferences so that they can be kept well; their special educational needs and disabilities so that appropriate support can be tailored; and sensitive family details and child protection information so they can be kept safe. This is already a wide spectrum of personal information: when confidentiality is breached, expect parents to be deluged with adverts for purple teddy bears, prescription medicines, and cheese puffs - and that is before we consider the very serious risks of a family's reputation being damaged or of an estranged parent gaining unlawful access to the child's information or to the child themselves.

The information gathering does not stop there: for parents to access government childcare funding, their own financial details must be shared: National Insurance details, financial circumstances, bank account details.

Some of this information - much of it - must legally be shared, sometimes without the parents' consent: financial circumstances with the local authorities who deliver funding; child protection concerns with the local safeguarding partners (local authority, police, and medical commissioners); learning and development assessments with the education authorities.

And last but most certainly not least, learning and development observations must be shared with parents and other carers, as must details of accidents, incidents, little and large concerns: a regular flow of formal and informal notes, pictures - happy moments, formal observations of developmental stages reached, notes on behaviour or problems - a detailed Learning Journey that documents the child's life at childcare.

So the information scope is wide, and the legislative landscape broad, with the requirements detailed, in depth but also fragmented over many pieces of legislation and guidance.

And the childcare sector is staffed by people who mainly went into childcare to look after children, not to look after computers or information. Most childcare providers are small - 35,000 of them in England, many single small settings in hired village halls or private houses. All have detailed and deep responsibilities for information security but few would claim real understanding of it.

As the sector develops, much of this information is moving from paper systems to cloud-based platforms specialised in Early Years. It is a big market with a large base of mostly small clients, and with most platform providers still relatively new to the sector. There are obvious benefits to the childcare provider in effectively off-loading the Information Security needs to the cloud platform provider. But Cyber Essentials - even IASME - are not really enough for safeguarding such a massive amount of incredibly sensitive and personal information. What is needed is an in depth, detailed, due diligence assessment of what legislation requires, what the sector needs, and how those needs may best be satisfied.

I will offer two examples of how a platform may not ensure proper safeguarding of information.

First, I mentioned that National Insurance numbers are needed to secure funding: but a child may have more than one registered carer - Granny, for example - and if by default a platform asks for the National Insurance number of all carers, that is information overreach - violating the requirement that the information gathered be the minimum really required for the purpose.

Second, and more serious, a Child Protection File is highly sensitive: there must be only one (the rule is based on paper systems) and it must be transferred securely - physically, by hand - and signed for. Local authorities may use encrypted file transfer to send such a file electronically: but then there are two copies, unless the system acts to delete one. Worse, it is not unknown for a Child Protection File - protected as mentioned by encryption when sent between safeguarding partners - to be sent out as open pdf attached to the email to each of the safeguarding partners invited to attend a Case Review Conference. I hope I don't have to explain to Information Security professionals just how bad that is.

One last complication. The childcare sector is mainly staffed by part time workers, with responsibilities often shared as needed: for instance a Designated Safeguarding Lead has special responsibilities and authorities, but in their absence a Deputy must take over or act on their behalf, and needs access to government and other agency systems for sensitive purposes. But those very systems often enforce security by single sign-in: one user, often now authenticated by 2FA. Clearly, this cannot continue in a world of effective job-sharing.

Lastly, the sector is not good at assessing the actual costs of information risks. Given the very broad range of potential risks that is not surprising, and the people working in the sector are child carers not risk assessors. What is the cost, for instance, of a breach of confidentiality that sees every child's full personal history dumped to online advertising? What is the cost to child, to their family? To the childcare provider, through reputational damage, or financial fines or claims? What is the cost of the integrity of medical information being lost, so that the wrong child is given the wrong medicine at the wrong time in the wrong dose? These are wide-ranging questions to which I thin the sector has no good answers yet.

Which is how I came to be working with 'my' three Lancaster students. Each has now submitted their dissertation, and I commend them to be read by anyone working in the sector. I am also happy to offer references for all three students, who worked with me diligently and well in a field that is neglected and fragmented. We had three projects:

• Secure File Transfer: looking at how to keep a file, such as a Child Protection File, that should be a singleton - meaning there is only one copy - as a single copy at all times while still providing access to those who need it.
• Access Control: looking at ways that access can be provided to part time workers, whose time is spent with children not at a computer, without the user name and password for the single-user access system being written on the whiteboard in the office.
• Business Costs of breaches: looking at ways we might try to assign risks and costs to potential breaches of confidentiality, integrity, availability of information so that we can focus our efforts at mitigating those that are most important.

Each of these will be published soon in a dissertation: and I hope to share each here, as well as in conversation with the students and stakeholders, because I think these represent significant and valuable contributions to knowledge in this niche but fascinating field.

More to follow: watch this space.