Tuesday 4 August 2015

Counter-Terrorism and Security Act 2015

Firstly, let's get a disclaimer out of the way: I am not a lawyer, none of this constitutes legal advice, etc.  I am also of the opinion that the threat of terrorism is minuscule and that if all the effort the government puts into anti-terrorism were instead put into road safety or health care, a lot more lives would be saved, but anyway...

It has come to my attention that one of our competitors has been engaging in a bit of scaremongering in an effort to sell their product.  The following email from them has been going around a number of schools:

As of July 2015, schools across the UK are subject to a duty under the Counter-Terrorism and Security Act in which they are required to have "due regard to the need to prevent people from being drawn into terrorism". This duty is known as The Prevent Duty.

[We have] been working with various governments around the world for over a decade, developing solutions to help schools and colleges protect their students from potentially harmful sites and information. All of our solutions have been developed purely for education, based on feedback from IT Staff, teachers and IT Professionals to ensure that they have the tools they need to prevent and report on dangerous activity.

Our Web Filter is a fully customisable, cloud based solution that allows granular filtering and reporting with great ease. The Web Filter includes Suspicious Search Engine Queries, Internet Lockouts and real time updates.

Click here to learn more or contact us directly.

The Counter-Terrorism and Security Act 2015 is a pretty long and convoluted bit of legislation, but thankfully there's a Prevent Duty Guidance document, which is significantly easier to read and provides more specific guidance on what institutions are actually expected to do.  The following is a brief analysis of the parts of the guidance that relate to ICT operations within schools - there are numerous non-ICT responsibilities listed in the guidance which I won't cover here.

The guidance immediately makes clear that no "new functions" are conferred upon a school (paragraph 4):  You don't have to do anything you weren't already doing, you're just expected to place an appropriate amount of weight on preventing people from being drawn into terrorism.

There is no specific mention of monitoring internet activity, although there are several suggestions that internet filtering should be considered (paragraphs 45, 71 and 97).

A passing mention of having "effective IT policies in place which ensure that [signs of radicalisation] can be recognised and responded to appropriately" is made (paragraph 79), but there are no specific policies suggested.  Institutions must have clear policies relating to the use of equipment, especially with regard to legitimate research into terrorism/counter-terrorism as part of learning (paragraphs 97-98).

Institutions should develop an action plan to set out any actions that they will take to mitigate the risks (paragraph 90).

In short, most schools already have an existing filtering solution and robust policies regarding the use of equipment, and that is really all that is required.  (And if they don't already have this, they should, for many reasons besides this legislation.)  There certainly seems to be no requirement to replace existing systems, unless they have unusually poor capabilities.

Comparing our Iceni product with the competitor's offering, we think our customers are actually in a better position to protect their students and staff than our competitor's customers.  Not just protecting them from being drawn into terrorism, but from many other risks too; and protection is surely far more important than just meeting the minimum requirements of the legislation.

It seems that only minimal work is required to comply with the legislation - e.g. the "action plan" for risk mitigation should be drawn up and probably include information about what reports the ICT staff should be running on a regular basis, and what they should do if they find anything concerning, etc.

As always, we're very happy to work with customers to resolve any concerns, to help investigate suspicious activity and even compile data for the police.