Early Days In Early Years - Chris Bore

very much um my name is Chris I am 67 years old I have a senior citizen free bus pass and I I am in my first year as an apprentice as a preschool teacher preschool is teaching children from the ages of 2 till 5 or rather helping them learn and develop through play and I want to encourage you people to take the sector seriously in terms of the immense information security challenges that we face and the total absence of any engagement from the information security industry in taking that issue seriously um if your child joins a preschool at the age of two three or four we want to know a lot about them there's a good reason for that because

we want to help them to settle in they're going to be upset because it might be the first time they're separated from Mommy and Daddy they're going to have incidents where they're interacting with other children and they become upset we want to know how to calm them we want to know what they like uh what they enjoy doing how they enjoy being comforted so we'll ask questions like what's your favorite color what's your favorite toy this goes into a form that's called all about me and the title of that tells you something from the age of two we know all about you everything we know your allergies we know your medical history we know if there's any

family problems that of which we might be need to be aware we know if there's a problem with Auntie Mabel so she shouldn't be picking you up from preschool this is very far-reaching sensitive data and I'm just waiting for the day when everybody gets bombarded with individualized adverts for the purple teddy bear sweets that are glutenfree I think that's a serious threat that we don't actually take um very seriously at the moment we know a lot more about you though we have your birth certificate to prove that you are in fact the age you claim you are we have Mommy's birth certificate to prove that she's a British Citizen and is entitled to free child care we have her National

Insurance number and her bank details so that we can funnel the child care funding into her it can be problems as we move on to a computerized age we start to collect the data about all the people who are entitled to care for the child that is they might pick them up drop them off or there might be an emergency contact if mommy doesn't turn up who do we call probably daddy maybe auntie mael again maybe we might phone one of the two neighbors who've just been agreed to be emergency contacts we need mom's National Insurance and Bank details if a computer system asks for all the car's details we get those details for granny too and auntie mael

and we don't need it that's an example of massive data overreach which is completely unnecessary and the fact that it happens as we're moving to computerized systems tells us that the technical people who are supporting us do not understand the issues that we Face daily as preschools we've handled these things on paper perfectly well if someone turns up to pick up your child from preschool we already do three Factor authentication on them I will eyeball them at the gate I will check with shioon our manager that she recognizes them too if either of us have a doubt we will demand the password and the child will not go with them unless they can answer that question so we're

not stupid we're all on minimum wage including me or a tiny bit above but we're very experienced in looking after children but in this new era of information security that gets a little bit lost we also know all kinds of personal details I know every time your nappy was changed and whether it was dirty you might wonder why it's so I can protect myself so that later on in life you're not going to accuse me of abusing your child that data is going to be kept for 25 years sometimes 70 years I'm not sure how we're going to handle that that with the computerized systems cuz paper lasts that long but computers don't necessarily there are more serious

issues if we have a child protection case that's where a child is suspected of being at risk of harm and the word there is suspected then we know if Daddy has been accused of having a drink problem accused not having a drink problem we know if Mom was found at the station under the influence of drugs with you in her charge we know if an EST strange father has been alleged to be abusing the child we know if there's a criminal record all this data is incredibly sensitive and it follows the child it's called the child protection file the child protection file is a Singleton there's one of them the model is that it's on paper if I take a child

protection file as I did the other week over to another Nursery I take that paper in an envelope I hand it to this authorized designated safeguarding lead there that's my counterpart and I expect her or him to sign a form that says that it has been handed over if any of that information is duplicated I will shred it and burn the shreds that's a requirement we've got seven pieces of legislation that influen child care in terms of our information security posture not just the data protection act that's trivial by comparison we have laws that tell us what information we must share when we must tell the parents we're entitled to not tell the parents what information we must keep completely

confidential a lot of the stuff in that child protection file is not actually validated it may consist of an anonymous tip off from a neighbor who says they think Mom is running a drugs operation from home we don't know if that's true but it's in that file as that file becomes computerized it gets sent by computer local authorities usually mediate that they will insist that it be sent by encrypted email something like egress however that means we've got two copies of the file now the copy I had and the copy I sent to you I should destroy the copy I have or do I because maybe they're going to send it back to me modified with a new police report we

don't know I was at a child protection conference and they're now done by Zoom very often which is about as well there's a comment on society in there that we are faced face dealing with child protection conferences on Zoom um the child protection file was attached as an open PDF to an email that went to 12 recipients including our office manager it should have gone to me as the designated safeguarding lead and nobody else and it certainly shouldn't have been sent un encrypted there are now 12 copies of that file out in the wild and they have all the details of what has been alleged and what has actually happened to that child so so that's a

second classification of threat it's a very rare possibility for example a parent who is estranged may not be entitled to know where that child is going that detail is in that file if that leaks out that parent knows that if an allegation is made it might affect the parents eligibility for work because the suspicion is already out there we're a fragmented sector there are 35,000 Prov iders of early years care in England most of them have maybe six or 10 staff because they're small nurseries none of those staff are Information Security Professionals and they're occupied all of their time looking after children they're not allowed to have a mobile phone or a computer in the setting because that

might be used to send offensive child images to the internet however they are also required to keep in constant touch with Mommy and Daddy and to photograph the child achieving things that are part of the national curriculum so we have contradictions in the legislation that actually affects us that we can't resolve because when I talk to ofstead about them they say oh it seems like you got a fair point but I can't say ask the DFE and I asked the DFE and the DFE say oh sounds like you got a fair point why don't you talk to ofstead so we're caught in this dangerous bind where people don't really know what they're talking about if Phoebe's dad drops her

off at preschool and is worried about her cuz she seemed a bit sad he may send me a message I've got to receive that message somehow and it might say Chris I was worried about Phoebe I've been thinking about her all morning modern dads do that you know they're amazing as well as modern moms of course um and I will send them a picture of Phoebe smiling or playing with her friends and I mean required to do that the degree of communication two-way between a preschool and the parents is absolutely phenomenal it's a very rapid flow you're probably going to get one or two messages every day about your child and messages coming back on that

there are 30,000 providers 300,000 staff as I say most of us on minimum wage none of us with any experience in information security um there are 3 million children at any time in our child that's every child every single child in the country 98% of children take advantage of early years Child Care nowadays we're helped a bit by platform providers that are moving into this market and providing cloud-based Communications and data storage those providers are very useful to us because we can offload those responsibilities for information security or we could if we really trusted them now they're very good at keeping the data but things like the data overreach are massive all that all about me what questions do I really need

to know about little Johnny before he comes here do I really need to ask all the questions that come up by default is it going to default to grabbing everybody's Financial details asking for Granny's birth certificate as well as Mommy his birth certificate those providers tend to have cyber security qualifications cyber Essentials Iasi in my view as a simple old Apprentice early years practitioner that is wildly insufficient the degree of data we've got here on every child in the country is absolutely massive in its depth and its detail and its scope and it needs to be treated with more respect than just ticking boxes on a form to say yes you don't share your password with

people the market as I estimate it for those platforms currently is probably about 30 million might be 70 million might be about twice that it's not an insubstantial market and the ability to reach those seven or eight platform providers is much easier than reaching every one of the 30,000 child care providers so they're the people we need to talk to and I'm lucky that some of them are beginning to engage with it but even then I I don't think they really understand the the scope of the issue but I don't actually care about the market because what I actually care about is everything we ever get from the government on Child Care starts with something like every child is unique

every child matters yeah well tell me about it you know I've got 20 of them you know around my feet asking me to read a book to them or play with them in water or fill up the sand pit or something like that I know every child is unique I know every child matters but so does their information and I'm just asking you people as much as you can to raise that issue and take it up because I think it's one of the most serious issues that faces the country the youngest children here are having all of their data collected for justifiable reasons and nobody is telling us poor minimum wage practitioners how to handle

it thank

you any any questions yeah go

on I think there are two areas that need attention the first as I say is the platform providers many of them are new to the market and they're beginning to take it seriously but they don't understand my impression arrogant is that they are technically competent and so when I as a mere preschool practitioner raise the issue with them and they think you know they're they're above me in my expertise I would like for people to keep on pushing the issue because I think they will be recept and there's unique Market advantage in it if I'm a platform provider and I can take on board the issue of the child protection file then I've achieved something absolutely massive and it's a

unique selling point the second thing is that local authorities and governments are absolutely abysmally crap at information security so they give us they give us systems that have single user access only one person can access it for God's sake I'm in a sector where most of us part-time so if I'm the designated safeguarding leader I'm probably not in the deputy designated safeguarding leads need to be able to log on to the system but she can't and what I find is the solution is what what do you think the username and password is written on the Whiteboard why because the system makes us break the rules because otherwise we can't actually function County cils use encrypted data

encrypted email to send Child Protection files back and forth and then they allow the chairman of a child protection conference to attach it unencrypted why the hell didn't a dancing paperclip crop up and say hey looks like you're sending the most sensitive information you can possibly have about a child in an unencrypted email to 12 recipients you might want to reconsider that we have the technology to do it local authorities do not respond they are usually abysm I'm from s s child care has been inadequate for 12 years if they were a preschool they'd be shut down but somebody needs to take responsibility for it and it's government and local Authority that give us this culture that

they tell us what we must do they're great at that you know 550 pages of guidance I've had this year alone on information security in child care and they still can't bloody wellkeeper Child Protection file secret I mean we need someone to really engage at that level and I think also the Technical Solutions they're not complex somebody needs to say they are yes so there are lots of ways you can I would go in at governmental level first because they're the source of

it

[Music]

okay I'll do try