In what has been an extremely turbulent year UCISA, through the work of its Executive, its Groups and the UCISA Office, has sought to address the needs of our community in these uncertain times. Brief highlights of this work are given below.
UCISA’s work continues to be cited and our expertise sought by others:
The report from the Science and Technology Committee of the House of Commons into the technology issues of the Investigatory Powers Bill reflected the concerns expressed in UCISA’s response about the scope and cost of implementation of the Bill. Now the Bill has been passed by both Houses of Parliament, UCISA will be looking at the implications for UK universities and colleges;
UCISA’s Model Regulations and suggested amendment to accommodate the Counter Terrorism legislation were referenced in the Advice Note accompanying HEFCE’s revised framework for monitoring the Prevent duty in higher education institutions in England. UCISA will continue to review guidance and recommendations to ensure that it meets the needs of both the legislation and the sector, and is effective and proportionate;
UCISA was represented on the Advisory Board for the Higher Education Data and Information Improvement Programme (HEDIIP) and is represented on both the Programme and Advisory Boards for the HESA Data Futures Programme;
UCISA continues to have representation on the UCAS Council.
We have provided advice and guidance to our members through:
The provision of an online Information Security Awareness Training course free to our Full members. The course can be downloaded free of charge from the UCISA website as a zipped SCORM 1.2 package which may then be imported into a VLE. We are currently reviewing an updated version of the course and expect to make an announcement on its availability early in the New Year;
The UK Higher Education Learning Space Toolkit, a collaboration between UCISA, AUDE and SCHOMS, our sister organisations for Directors of Estates and Media Services staff, was published in February. The Toolkit provides guidance for Audiovisual, IT and Estates teams and demonstrates why the provision of excellent learning spaces should be a strategic, institution wide concern. UCISA are collaborating further with SCHOMS, AUDE and a number of other organisations to develop case studies based on the Toolkit content;
The Government has advised that General Data Protection Regulation (GDPR) will become law in the UK in May 2018 as planned. We published a number of pieces on the regulation and will be publishing a briefing paper on the implementation of the GDPR in 2017.
In 2016, we have promoted the sharing of good practice through:
Running seven face to face events including five multiday conferences, all of which were fully booked. Every event, bar one, included participation from our corporate members through exhibition stands and presentations. 2016 saw the first conference organised jointly between the Corporate Information Systems Group and the Project and Change Management Group. Feedback from the event was extremely positive and highlighted the benefit of bringing different specialist groups together;
Running seven webinars covering topics as diverse as data security and cloud based applications. We recognise that not everyone can afford the time to travel and will be looking to continue offering occasional webinars throughout 2017.
Recognising the excellent work that takes place in our member institutions through the Award for Excellence. The Award always attracts entries covering a wide range of topics. 2016 was no different with the Award going to the University of St Andrews for their apprentice scheme;
Discussing ways of benchmarking IT departments in institutions internationally with our partner organisations across the globe.
The list above highlights just some of the work that our Committees and the UCISA Office have carried out on behalf of our members. A more formal annual report will be published in the New Year and presented at the Association’s AGM at the UCISA17 Conference at Celtic Manor on 9 March.
2017 promises to be another challenging year. The Government’s plans for Brexit will be published and the process to leave the EU will begin. UCISA will monitor developments and provide access to information and guidance as the process begins. The Higher Education and Research Bill will pass through Parliament and bring with it changes in the governance structure for higher education in England. UCISA will provide guidance for institutions beginning to implement the changes required for when the GDPR becomes law in the 2017-18 academic year. And that is all in addition to the normal tasks of deploying systems to enhance teaching and learning, to improve the student experience and to facilitate research and manage the data and outputs associated with it. We recognise that many of these challenges require a collaborative approach. We will continue to work with Jisc, with our sister professional associations both within the UK and abroad, and with our growing corporate membership.
I should like to take this opportunity to remind you that bookings are open for the UCISA17 Conference in March. Bookings are also open for three other events taking place in the first half of the year.
Finally, thank you for your support in 2016. I wish you, on behalf of the UCISA team, all the best for Christmas and the New Year.
Product Development Manager
Learning Innovation, Learning and Teaching Solutions,
The Open University
Cross-pond impressions from EDUCAUSE 2016
EDUCAUSE 2016 in Anaheim was a really valuable and thought provoking experience, especially as a stranger in a strange land. I’ve wanted to attend this conference for a long time – having been to ALT C a number of times and attended EDEN, this felt like it would provide me with a trifecta. Because of my role as a product development manager in Technology Enhanced Learning Innovation, I often find myself with a foot in both the technology camp and the pedagogy camp of learning and teaching (I don’t actually think they’re camps – I think they’re symbionts and crucial to students being successful in their higher education careers, but I digress).
I have attended other US-based conferences, and it’s always a bit of a culture shock. The sheer scale of EDUCAUSE was quite unnerving: 8000 colleagues from 1800 institutions across 46 countries. The queue for lunch was terrible.
The conference hashtag provided an invaluable backchannel for discussion and arguments, and is worth a visit (#EDU16). If you would like to see the day by day account of my experience, then do feel free to grab my notes. But this article is more a personal reflection on the three things that stood out for me from EDUCAUSE – where the US Higher Education sector is ahead, where the UK Higher Education sector is ahead, and where we are about level.
Where the US Higher Education sector is ahead
One of the most attended and talked about sessions was on ‘Why the blockchain will revolutionise credentials’. One of the speakers was Chris Jager from Learning Machine. A transcript is available from the link.
It struck me that the presentation and ensuing conversation about blockchain certifications was far more developed than the conversations that have happened locally to me at The Open University, or from what I have gathered in the UK sector. The work that the Knowledge Media Institute at the OU has been doing on blockchain is still in the realms of research and innovation, whereas the HE sector in the US appears to be already beginning to tackle the cultural shifts of implementation. The temperature on blockchain credentials in the sector is still lukewarm in places, with some claiming there is a fear that giving students control of their credentials may undermine those credentials. A more mercenary view is that HEIs are loath to transition to blockchain certification as there is a market for transcripts and money to be made when students request theirs.
MIT’s Open Standards for Blockchain Certificates are being used, and the advent of interoperable standards represents a shift from idea to reality, and a new infrastructure of trust between students, institutions and employers. This is interesting when compared with criticism of the Open Badges movement, which employers have been fairly sceptical about. UK HEIs have made more use of badges, but predominantly in informal learning spaces or for soft skills.
Blockchain certification could be more compelling within the US HE sector, by virtue of its legacy of for-fee qualifications, and also the high degree of transfer between community, state and private colleges.
In the UK, with the recent advent of tuition fees, the onus has perhaps been less for more mainstream HEIs. However, The Open University has always charged a fee, and is also seeing an increase in student transfers both in and out of the institution. OU students are also more unconventional in routes through education and employment, and blockchain certifications could be a valuable string to the University’s bow.
In an article in the Times Higher Education magazine, Martin Hall points out that blockchain certifications ‘could be an effective way of providing Britain’s Advanced Apprenticeships, for which components of the programme have to be delivered by a number of organisations’. (THE, 28 November 2016)
In The Open University’s Innovating Pedagogy 2016 horizon scan, Blockchain has been identified as High Impact but with a long timescale (4 plus years). The US feels ahead in this particular game.
Full disclosure: I have become borderline obsessed with student engagement, partnership and co-creation this year. I have been co-administering and organising a student consultation and engagement panel, running Hack Days to get students involved in future developments, and generally trying to find ways to not only give our students more direct access to the creation of learning and teaching content and tools, but also to give the Open University’s academic and academic related staff more direct access to students eager to be involved in practical ways.
My colleague David Vince and I published a paper on our work on this in September, outlining our approach to involving students in Technology Enhanced Learning Innovation, referring to the key frameworks that underpin ‘student as partners’ and ‘students as change agents’ in UK HEIs, from Jisc, the Higher Education Academy, and covered in the Teaching Excellence Framework.
‘The Teaching Excellence Framework (TEF) is a catalyst to rethink the role of the student in modern Higher Education Institutions. The Higher Education Academy in the selection criteria for the National Teaching Fellowship defined personal excellence as ‘evidence of enhancing and transforming the student learning experience’ (HEA, 2015).
Part of teaching excellence should therefore be the proactive engagement of students in matters relating to their learning experience, beyond assessment outcomes. More recently within the higher education sector, engagement initiatives such as ‘students as partners’ and ‘students as change agents’ have emerged.
Students as partners is characterised by active student engagement and collaboration ‘[…] in which all involved – students, academics, professional services staff, senior managers, students’ unions and so on – are actively engaged in and stand to gain from the process of learning and working together. Partnership is essentially a process of engagement, not a product. It is a way of doing things, rather than an outcome in itself.’ (Healey et al., 2014)
Students as change agents sees students being actively involved in the change process. In 2015, Jisc launched the ‘Change Agents’ Network’ which is a ‘highly active community of staff and students working in partnership to support curriculum enhancement and innovation’. (Jisc, 2015)’
In two sessions during the conference where I would have expected a robust argument for the involvement of students in the design and implementation of educational technology, there was no mention from presenters, and even the floor seemed largely truculent about the idea when it was brought up.
‘Design Thinking Process: Edtech Adoption’, an otherwise useful session from Edsurge, didn’t refer at all to the importance of testing new tools and technologies with students in implementation, much less involve them during ideation.
It was a similar experience in the ‘Trends Spanning Education’ session, despite having a great quote – ‘Democratisation of education innovation, it’s starting to happen with people rather than to people’ – people in this sense appeared to be academic and institutional staff rather than students.
Several comments that emerged during out of conference conversations and the Twitter backchannel featured the kneejerk reaction of students not knowing what they need, a conversation that has evolved now in the UK to understanding the balance between need, want and institutional responsibility towards them.
Some US colleagues talked about consultancy processes that include students, but there does not appear yet to be the drive to formalise student partnership as an approach. The emphasis is on institutional collaboration and partnership for student success, rather than partnership in the sense of student engagement as co-creators and co-owners of their learning experiences.
Where the UK and US Higher Education sectors are about level
Almost as soon as I hit the pre-meetings and the Twitter backchannel at EDUCAUSE the term NGDLE started to permeate. Not a new term, certainly, but Next Generation Digital Learning Environments as a concept suddenly seemed to be everywhere. And then I returned home and almost immediately fell in with an online consultation activity being coordinated by Lawrie Phipps, senior co-design manager at Jisc, using a combination of Twitter and blogs, on what NGDLEs and by extension co-creation could mean for the future of learning and teaching.
It also corresponds closely with my work, which is focused heavily on digital learning environments, as well as student engagement in learning and teaching tools and platforms development.
The UK and US higher education sectors appear to be level on this concept, as the discussion moves further away from current vendors and current platforms and tools, and more towards the use of technology in its purest sense for the furthering of learning and teaching, and how students are both key users and contributors in that space.
The key questions for me around this important and innovative concept are:
What does next generation mean for online and distance education, and what does it require of it?
How can NGDLEs be a vehicle for the best parts of online and distance education: the open web, co-creation, student engagement, technology, and digital capability?
What does student success look like in a NGDLE?
What do NGDLEs signify about innovation in online education?
How is the Teaching Excellence Framework creating a space for NGDLEs and how is it restricting it?
None of which I have any answers for yet, but I’m enjoying the conversation, and it’s allowing me the space to stop and consider the opinions of colleagues, the layering of experiences over my own, and generally the ongoing realisation of that best part of attending conferences: being part of a community.
In his second post, Craig Clark, Information Security and Compliance Manager at the University of East London, looks at the interpretation of Article 83 of the General Data Protection Regulation.
GDPR – Understanding Penalties, Fines and Liabilities
The introduction of the General Data Protection Regulation (GDPR) has been dominated in the main by one topic – what fines organisations could face if they are found to have breached the GDPR by a supervising authority, which in most cases for the UK will be the Information Commissioner’s Office (ICO).
Many media outlets have been quick to leap on the fact that the maximum fine for non-compliance is €20,000,000 or 4% of global annual turnover, whichever is higher. However, in the haste to report this, many commentators have forgotten to clarify that this is the maximum fine. Below, I have attempted to break down the conditions for imposing administrative fines and show there is a bit more to it.
Understanding the Fining Structure
The GDPR has been designed to ensure that organisations take the appropriate measures to protect personal data against the risks of loss in the 21st Century. For organisations that fail to meet the requirements, the GDPR allows the supervising authority to take a range of actions including:
Order compliance with Data Subjects requests;
Communicate the Personal Data breach directly to the Data Subject.
In addition to the above, the supervising authority has the power to impose administrative fines that will in each case be effective, proportionate, and dissuasive.
There are two tiers of administrative fine that can be imposed. The maximum fine for the first tier is €10,000,000 or, in the case of an undertaking, up to 2% of total annual global turnover (not profit) of the preceding financial year, whichever is greater. The second tier maximum is €20,000,000 or, in the case of an undertaking, up to 4% of total annual global turnover (not profit) for the preceding financial year, whichever is greater. The fines within each tier relate to specific articles within the Regulation that the controller or processor has breached. As a general rule, breaches of obligations by controllers or processors will result in a fine within tier one, while breaches of a data subject’s rights and freedoms will result in a fine within tier two.
Question: Does your organisation understand what articles of the GDPR relate to a tier 1 or tier 2 fine?
How will Fines be Determined?
The GDPR is clear that in order to ensure any fine is proportionate, a range of factors will be assessed by supervisory authorities when investigating organisations that breach the GDPR.
Of key importance will be the nature, gravity, duration and the character of an infringement. It is also worth noting that actions taken by the controller or processor to mitigate any damage suffered by data subjects, along with the degree of responsibility for the technical and organisational measures implemented by Controllers and Processors to prevent the breach occurring will be considered during an investigation.
The Regulation also allows the supervising authority to take a holistic approach to an investigation and consider factors such as infringement history including previous correction notices, level of co-operation, the categories of personal data affected, the manner in which the breach became known and was reported, the level of adherence to approved codes of conduct or certification mechanisms and any other aggravating or mitigating factors.
It is logical to suggest that an organisation which demonstrates it has a positive approach to ensuring security, with a range of technical, management and operational controls, will receive a lower fine than an organisation that takes no measures, or blatantly disregards its obligations under GDPR. It is also worth noting that the Information Commissioner has made it clear that in terms of incident reporting, organisations that proactively report breaches will be given more credit than organisations who do not report a breach that is then discovered by a 3rd party.
Question: Does your organisation currently document breaches? If they do, how are these reported?
In summary, organisations can significantly reduce the likelihood of receiving a maximum fine by establishing a culture that promotes information security best practices and an ethos centred on protecting personal information. As we have seen with the results of the TalkTalk breach, the ICO is now entering a new phase of exploring the upper limits of the monetary fines available to them. It is highly likely that this current trend will continue into 2018 meaning that GDPR compliance should be high on the list of 2017 objectives for organisations that fall within its scope.
Looking back at a number of the reviews of the political landscape that I’ve written over the years, the two phrases above appear with almost monotonous regularity. And they are just as appropriate today as they have been in previous years. However, what is new is that, before, both the direction of change and the reasons for the economic challenges were known. The big difference today is that the result of the referendum on 23 June has thrown uncertainty into the mix. Uncertainty, not just in the higher education sector, but across the whole country as the process to leave the EU begins.
The Government have sought to reduce some of the uncertainty by guaranteeing that EU students that are currently studying in the UK and those that will begin their courses in the coming years will continue to receive funding for the duration of their courses. Similar guarantees have been made for Horizon 2020 research funding. However, what is not clear is what the impact of Brexit will be on the future recruitment of students from the EU or on research funding. It is unlikely to be good news.
The current analysis is that the Government appears to be favouring a hard Brexit with tighter controls on immigration. The dominance of immigration as an issue in the referendum campaign and subsequent policy has been reflected in the statements from the Home Office suggesting further clampdowns on international students. Regardless of the actual policy that emerges, the rhetoric is damaging – a fall of 10% in the numbers of Indian students is evidence of that. It was not by accident that the Indian Prime Minister linked trade agreements with relaxation of visa requirements but although Theresa May stated that talented workers would be welcome, her response regarding students was lukewarm at best. It would appear that the lady is not for turning.
This is all set against the rather gloomy background of HEFCE’s assessment of the financial health of English universities released this week. The picture is likely to be similar in universities in the other countries of the UK. The forecast, made before the referendum, suggests falling levels of surpluses (and in some cases significant deficits), more borrowing and falling levels of cash reserves. The report notes that universities were looking for an increase of fee income from overseas students (of close to 30%), and for growth in home and EU students of over ten per cent by the 2018/19 session. In the current circumstances it is unlikely that either will materialise; a period of budgetary constraint will be the consequence. This will place an even greater emphasis on efficiencies and effective use of data in planning.
The Higher Education and Research Bill (HERB) is entering the Report stage before its third reading in the House of Commons. The Bill has seen a number of amendments as it has passed through the Committee stage but these have not radically changed the direction of the Bill. The Bill advocates the abolition of the English Funding Council (HEFCE) and the establishment of the Office for Students (OfS). The importance of the role HEFCE play in monitoring the financial health of the sector has been recognised in an amendment that proposes this role transfers to the OfS.
There is a great deal of focus on the Teaching Excellence Framework (TEF), particularly the link to fee increases. Although the TEF will initially apply to English universities, similar measures in the past have been adopted by the other countries in the UK so it would not be a surprise if in future years the TEF becomes applicable to all UK institutions.
The governance arrangements for higher education are also changing. In addition to HEFCE’s transformation into the Office for Students (and universities moving under the Department for Education), there are reports of the Welsh funding council being absorbed into a new Tertiary Education Authority and of the Scottish Funding Council being merged into a ‘super-quango’ with a number of other bodies. Both add to the uncertainty in the sector.
Finally one change that we do know about is that the UK will be implementing the EU General Data Protection Regulation before we leave the EU. Although much of the focus has been on the scale of the fines for breaches, GDPR represents an opportunity for organisations to improve their data and its management. UCISA has set up a website to highlight resources and activities that inform and support our members in their implementation of the Regulation.
There are difficult and challenging times ahead. Universities will need to make good use of the data they have to try and predict the effect of changes and plan accordingly. They will need to be more agile to deal with the changes that are known as well as those that are yet to emerge. The sector has been resilient at times of uncertainty in the past and many will see opportunities to reshape their offering and operating model to adapt to the new environment. IT will be at the hub of that change.
Next up was Adrian Reed, President of the UK chapter of the International Institute of Business Analysis who gave a fun talk on what Business Analysts can learn from the world of magic. The talk even included a couple of successfully pulled off magic tricks from Adrian himself. Adrian questioned whether as Business Analysts we too often focus our efforts on reaching the end goal successfully and forget about the journey we take both ourselves and our stakeholders on to get there. He asked us to consider the whole performance and not just the “wow” of the trick at the end. If we involve our stakeholders in the journey every step of the way, then we will reach the end together, and even if the end isn’t quite as planned, the stakeholders will be comfortable with the process and come back to work with us time and time again. He reminded us of this by saying, “You can deliver the best system in the world but if you deliver it in a bad way then users will hate it forever.”
To finish the morning off, I attended a talk from Allianz on the IT BA and Business BA. The speakers discussed how, at Allianz, the IT and Business BAs successfully worked together to deliver solutions. During the lunch session Lucy Ireland from the British Computer Society and Stephen Ashworth from the IIBA gave a fireside chat on how the BCS and IIBA want to work together in the future. One of the main questions from the floor was how as Business Analysts we decide on which, out of the qualifications they both offer, we should do, and whether we see a time when they will bring the two together. The response was that they felt both offered and suited a different set of skills and experiences, that for the time being they would stay on separate paths, and that you, as a Business Analyst, would have to decide which route to take.
Nigel Risner kicked off the afternoon session with a very lively presentation titled How to create massive impact and be an effective zookeeper. Nigel’s presentation style was a cross between Michael McIntyre and Alan Sugar. It certainly revitalized the audience and woke us up for the last afternoon of the conference. Nigel gave two key pieces of advice:
1) If you are in the room be in the room. Give whoever you are speaking to your full attention as, for that moment in time, they are the most important person in your life.
2) You can spend all the time in the world analysing who you are and what type of person you are but in business it doesn’t really matter. What matters is walking into a room of stakeholders and quickly being able to recognise what type of person they are and how to communicate with them in a style that will suit them.
Nigel breaks people down into four categories:
The visionary, single-minded lion
The playful, extroverted monkey
The careful, analytical elephant
The caring, supportive dolphin
Next up was Ryan Folster from Britehouse who talked about being The indispensable BA. This was another talk about how as Business Analysts we often reach for solutions without fully understanding the requirements, which just goes to show what an important topic it is for the community.
To finish off the conference I attended a talk by Simon Lynch from Aviva Health on Impact Mapping. Simon’s talk was agile focused, explaining how before creating your epics and then breaking those down into stories, you should start with an impact mapping session. The impact maps should show why you want to do something, how it will impact a stakeholder and what you want to achieve. Simon explained that while this had taken them a while to get the hang of, it has really helped them when creating the epics and user stories to consider all aspects of the impact.
And that was the end of my first ever IIBA Business Analysis conference. I have thoroughly enjoyed the whole experience of attending the conference from meeting other Business Analysts to hearing all the interesting and somewhat rather lively presentations. I can thoroughly recommend attending this conference to any fellow Business Analyst, and if you get the chance to apply for the UCISA Bursary, it is well worth the effort. I hope I will be able to attend in future years and may even pluck up the courage to speak and share a story of my own to a future audience.
As a UCISA bursary winner for 2016 I attended the Business Analysis Conference 2016 hosted by IRM. The conference was attended by over three hundred and fifty Business Analysts from a diverse range of industries: there was a mixture of experienced Business Analysts and people fresh to the industry. As a Business Analyst with over ten years’ experience in the HE sector, I often get to meet colleagues from other institutions to share knowledge, different experiences and best practice. This conference, however, gave me a chance to meet analysts from outside my peer group. I really enjoyed hearing about the projects they were working on and what they consider to be their best practices, as well as the usual horror stories of being brought onto a project too late in the day and customers’ requirements changing part way through a project. The benefits from these opportunities to chat with other attendees between sessions are hard to quantify, but I personally find them one of the best parts of attending a conference.
The conference was opened by keynote speaker Gavin Esler.
Gavin is an award-winning broadcaster, author and journalist and gave an engaging speech about ‘trust’. Trust is something we give to people every day, whether it be in our personal or professional lives. We place trust in leaders who tell us what is in our best interests using facts and figures to back up their arguments. The question is why do we place our trust in some people and not in others? Why as Business Analysts should we expect our customers to trust us when presenting our results and analysis? As Gavin said, “If facts were king, then Spock would have been captain of the Enterprise.” How we deliver a message is just as important as the analysis and facts of our case. As great leaders have shown us we need to become storytellers when presenting our case to the business, so we connect with our audience and gain their trust.
Virgin Media presented the next session titled Share Knowledge, Perform Stronger, Better Together – Evolving a BA practice. They explained how they had developed their BA practice over the years and survived several organisational restructures and rebrands. They had developed a BA toolkit which included templates, tools and techniques that supported their delivery framework as well as also utilising the SFIA capability model for developing their team.
Next up was Mohamed Bray from Saratoga Software who came all the way from South Africa. Mohamed’s talk was titled Think like an Analyst, Act like a Consultant. Mohamed was an engaging speaker who told us a real life story of when he failed to think about the customer needs first; how he had assumed what they wanted and what he had learned from this experience. As Business Analysts we often fall into the trap of thinking of solutions before we really understand what the problem is and what the customers’ needs are. Often we jump to a technology that we think will solve a problem when technology should only ever be the enabler of a solution, and not the solution itself. If we fail to listen to our customers and truly understand their problem, we will fail to engage them in our solutions. By actively listening to their problem the customer will become the co-creator of the solution taking ownership of the change and become the catalyst driving it forward in the organisation.
After a very tasty lunch, we were welcomed to the afternoon session by a keynote from Kim Bray from Nationwide. Kim took us through her thirty-year career as a Business Analyst. Kim explained how she may not have always held the job title of Business Analyst, but that did not stop her from undertaking business analysis activities for her organisation. Kim described herself as being ‘professionally nosey’ and at the start of her career her naturally inquisitive nature meant she was capturing information on issues and analysing the data before presenting solutions to her organisation without even knowing what a Business Analyst role was. However, one of the key messages Kim left me with was ‘You don’t get something if you don’t ask.’ How often in both our professional and personal lives do we not pluck up the courage to ask for something we want or need simply because we are scared of hearing the answer ‘No!’
The afternoon session was, for me, dominated by Agile. I attended a talk from Ashley Watson of the NHS Blood Transplant service and Menaka Priya Shanmugavadivelu from Aviva. Ashley talked about UAT and Menaka talked about delivering Agile development when your customers, business, Business Analysts and developers are spread across the globe. Menaka stressed the importance of visiting your dispersed teams to get to know them and build relationships, finding common ground and continuing to build on the relationship after your return back to base.
IT Skills Development Advisor
Cardiff Metropolitan University
The autumn IT training schedule at Cardiff Met includes a Working with Windows 10 course. It doesn’t need to. We have never run training sessions for operating systems before, so why should Windows 10 be any different?
In many ways there isn’t any need for Windows 10 training; it is easy and intuitive to use. Unlike its predecessor, Windows 8, the Windows 10 user experience is good. The attempt to unify tablet and desktop UIs has largely been abandoned – there are no more hidden menus, windows are back to being windows that can be moved and resized and, most importantly, the Start menu is back.
The Windows 10 Start menu at Cardiff Met
The Windows 10 Start menu does look different to the Windows 7 version (it incorporates live tiles, for example), but it will be familiar to a Windows 7 user. The Start menu “skills” (perhaps muscle memory would be a better description) developed when using Windows 7 will be transferable to Windows 10. The same applies throughout the operating system. Windows Explorer is now File Explorer. Windows Favorites have been replaced with Quick Access. They look and behave differently, but they feel the same.
So why are we running a Windows 10 course? Firstly, there are some features of Windows 10 that will help users work a bit more efficiently that are not easy to discover. Jump Lists, for example. Jump Lists provide shortcuts to recent documents and sometimes also include other actions associated with that program (e.g. Internet Explorer includes Open New Tab). Jump Lists are accessed by right-clicking on a tile on the Start menu or Taskbar and can save users a few seconds when opening documents (the cumulative effect of which is considerable). But few users are aware that they exist; our training course will remedy that.
Secondly, the course will give Cardiff Met staff time to acclimatise to, and build confidence in, the new OS. Frequently we use new software similarly to the old version. We proceed in the way we always have, because we don’t have time to step back to see if there is a better way to do it. The Working with Windows 10 course will hopefully give staff the time they need, with help available if they have any questions.
OneDrive for Business is part of the Windows 10 upgrade at Cardiff Met
The third reason for developing a course is that our Windows 10 software “build” includes new software and services, so the training is not just about Windows 10. We are offering Skype for Business for the first time, Office 2013 has become Office 2016 and, crucially, OneDrive for Business replaces SharePoint My Sites. Our training course includes all these elements and allows staff to see how these new services work together in the Windows 10 environment.
The course also addresses one of our long-standing goals, sharing IT “Best Practice” with existing staff. Our IT induction programme achieves this for new starters; we advise them where to store documents, alert them to issues around account security and share practical tips for managing email. But up until now there has been no avenue for sharing this advice with existing staff – Working with Windows 10 allows us to do that. Hopefully staff will view the software upgrade as an opportunity to adopt Best Practice, and will finally find time to move their documents from hard drives to OneDrives!
The training will be available as an e-learning module, created using the excellent Adapt Builder, and as a face-to-face course. Staff will be required to complete one form of training as part of their upgrade to Windows 10.
If you are interested in finding out how the training is received, I’ll be running a webinar for the community towards the end of the year; keep an eye on the Events page for details. In the meantime, if you have any thoughts or comments, please share them below or catch me on Twitter @GarethPJohns
Product Development Manager
Learning Innovation, Learning and Teaching Solutions,
The Open University
So, here I am, in a hotel in Anaheim, California, getting into the zone for my first Educause experience. To say that Educause has been a bit of a holy grail for me conference-wise would be an understatement. All the information I’ve received about the conference from colleagues who have attended before has been that it is a unique intersection between edtech, IT, and learning and teaching practice.
that I’m going to focus on and which have the most immediate relevance to my work. I’m hoping to bounce between ‘Driving Innovation in Teaching and Learning’ and ‘Transforming the Student Experience’. As a product development manager in Learning Innovation/Technology Enhanced Learning at The Open University, you get used to having to slightly squint to see the direct relevance of approaches, methods, and findings to your own situation. But increasingly over the last few years, that squinting has had to become less and less as the sector has moved more into the OU’s realm of Supported Online Learning (SOL). So, I’m very much looking forward to seeing what the sessions have to offer.
My work in particular over the last year has come to focus not just on the development of new tools and technologies for our students to use, but also on new methods to involve them in that process, in an appreciative and empathetic way.
Perhaps the most challenging part of these types of events is running the vendor gauntlet. But this time I’ve come prepared, and have put some thought into the sorts of criteria I can use to make assessing new technologies more useful over the long term (and also make reporting back to my colleagues more helpful).
Is this technology a disruptive or incremental innovation?
Does this technology support:
Participative learning (students contributing in non-assessment ways)
Learning to learn (students becoming more digitally confident and creative)
Deeper engagement with learning materials (new strategies for immersive learning)
Collaborative learning (the ongoing curse and joy of group work)
Does this technology demonstrate:
Improvements in student attainment
Improvements in student progression
Improvement in student retention
At the very least, it will hopefully spark a useful conversation or two.
The General Data Protection Regulation is scheduled to come into force in May 2018. As it will be EU Law before the process to leave the EU is completed, it will be one of the pieces of legislation that will roll over into UK law. In this article that was first published on LinkedIn, Craig Clark, Information Security and Compliance Manager at the University of East London, highlights the opportunities GDPR presents.
For those that have worked in privacy for a long time, the path towards the final draft of the General Data Protection Regulation has been incredibly long (2011) and at times frustrating. Now that the countdown is well underway, CIOs, Information Security types and those in IT or legal functions seemingly can’t escape the barrage of GDPR-related content on their news feeds and meeting agendas.
I have kept a close eye on how the GDPR compliance issue is being pitched by vendors, lawyers and GRC consultants and in an overwhelming number of cases the key point they want to drive home is the increased penalties for non-compliance – usually with a headline similar to: IF YOUR ORGANISATION DOES NOT COMPLY WITH THE GDPR THEY COULD BE FINED €20 MILLION!
While this is technically correct it is entirely misleading, not least because the next line should read (or 4% of annual global turnover, whichever is higher). The GDPR is about much more than penalties, fines and liabilities. While one of the core aims is to enhance the protection of Data Subjects with a significant increase in their rights, there are many potential benefits for organisations. The problem is that by leading with a large negative, there is a serious risk that the advantages the Regulation offers are going to be overlooked.
Let’s take a look at some key advantages:
Improved Records Management
Perhaps the most obvious benefit is that the GDPR presents an opportunity to explore and refresh how you gather, store, use and delete data. This is a chance to unleash real business value out of all that personal information you currently curate, often, at the moment, for no other reason than because it is there. This leads to huge costs of storing unnecessary data and the complex challenge of now trying to unravel what organisations need to store for business purposes. By employing data minimisation, and ensuring that data subjects’ data can be kept up to date as a matter of design, organisations could benefit from:
improved efficiency in customer interactions
reduced data storage costs (electronically and physically)
less wasteful marketing campaigns that use out of date information
lower security risk due to less personal data on file
lower likelihood of regulatory intervention
Development of Trust
For many organisations trust is the hardest virtue to instil in their customers and the first thing to be lost when things go wrong. If we take the TalkTalk data breach as a classic example, their customer base significantly reduced in the immediate aftermath of the data breach and despite major changes to their Information Security practices, this has had a significant impact on their customer numbers and subsequently the forecasts they can make about future performance. Quite simply, people no longer trust them.
By mandating improved security and reporting, the GDPR gives organisations the opportunity to show that they take the security of customers’ data seriously. After all, without that data, what would the business be? By actively demonstrating a willingness to comply with and embrace GDPR, organisations will demonstrate a strong commitment to their customers and keep them coming back, protecting and growing the organisational brand.
Improved Operational Effectiveness
One of the most positive aspects that can be taken from GDPR is that it allows businesses to fully champion a risk-based approach to Information management. This means that whilst the rules are the same for everyone, how these rules are applied will largely be up to the organisation to decide depending on the level of risk that a given data activity presents for people’s privacy. Many of the obligations in the GDPR can be implemented in varying degrees depending on the risk appetite. This means that organisations can choose to implement procedures and practices based on their business and the level of privacy they need to provide, rather than implementing procedures for the sake of it. This could be regarded as a source of uncertainty for the C-Suite but in practice, the risk-based approach is what will make the GDPR not only effective but fair.
Pulling it Together
Once an organisation has looked past the headlines and begins to scope out how they are going to achieve compliance, the obvious question is “Where do I start?” Make no mistake, GDPR compliance will be complex for medium to large enterprises but there is a path through it. One of the first things organisations should look at is the ICO document 12 steps to take now. This guide will allow organisations to begin planning and feeding in their specific requirements. Once the initial plan is outlined it is my view that the smoothest path to compliance is to integrate a Personal Information Management System (PIMS) into the current business model. For organisations that utilise an Information Security Management System (ISMS) such as ISO27001 this will be familiar territory. For those that do not, the current PIMS standard in the UK is BS10012:2009; however, BS10012:2016 is being rewritten to include the requirements of the GDPR. Implementing this standard will allow an organisation to benchmark personal information management practices with recognised best practice. Crucially, it will also allow organisations to produce auditable evidence on their data privacy practices and go a long way to satisfying the Information Commissioner’s Office that organisations take on board that data privacy is no longer ‘best efforts’.
Last month saw HEFCE issue a revision of their framework for monitoring of the Prevent duty in higher education institutions in England. The revised framework places a clear onus on institutions to evidence that they have followed due process when considering their Prevent duty. Further, it is worth considering the Prevent duty and the implications of the monitoring requirements when reviewing institutional policies.
Although the HEFCE Framework has been updated, the Home Office guidance underpinning it has not altered since the initial framework was published. Paragraph 27 of Home Office guidance states that there is an “expectation that institutions will have policies around general usage […] we would expect these to contain specific reference the statutory duty”. It is pleasing to see that the Advice note (also updated) that accompanies the updated Prevent monitoring framework points to the UCISA Model Regulations and the suggested amendment to accommodate the Counter Terrorism legislation.
Paragraph 27 goes on to state that institutions “should consider the use of filters” as part of their overall strategy to prevent people from being drawn into terrorism. The HEFCE framework places more emphasis on the need “to consider” by directing providers to provide specific comment on “their approach to web filtering in relation to the Prevent duty, particularly where a decision has yet to be taken at the time of the provider’s previous submission to HEFCE”. The Advice note asks “What factors were taken into account when considering whether and how to use filtering to limit access to harmful content? Has a final decision been taken on web-filtering and how has this been reflected in IT policies and communicated to staff?” (interestingly, the framework doesn’t ask for evidence on how it has been communicated to students). What is important is that institutions should take a risk-based approach to assessing whether or not they should implement filtering and use the conclusion from those discussions in their evidence to HEFCE.
So what are the potential impacts on policies (and in this regard, the regulations on the use of IT facilities and the network should be regarded as policy)? If there is no filtering then it needs to be clear in the regulations (for both staff and students) that the network is monitored and that any research that may access material of an extremist nature will require specific approval (for example, through a research ethics committee). That approval is still needed if filtering is in place but in that instance it will be required in order for IT service departments to have authority to turn filtering off for given individuals or research groups. There remains a concern that if there is a public statement to the effect that filtering has been turned on, those of inquisitive mind will look at ways of circumventing it and those who are at risk of being drawn into extremist activities will seek other ways of accessing such material.
Finally, the Advice note suggests that HEFCE is looking for further evidence of IT policies to provide oversight of websites and social media output across the institution, asking about arrangements for managing both the institution’s ‘branded’ websites and social media and students’ union (and their societies) websites and social media to ensure that they are not used to promote extremist materials or activities. A blend of approaches is probably needed here. The regulations for use of institutional IT facilities should give adequate coverage for institutional websites – they are likely to be established using institutional resources and maintained by institutional staff. If not, then it may be necessary to include specific Prevent-related conditions in contracts where website content is maintained externally. There need to be named individuals (or groups of individuals) with responsibility for officially sanctioned social media accounts who will be bound by the regulations (as outlined in the Social media for staff legal checklist published by Jisc and included in the UCISA Social Media Toolkit). It may be necessary to come to separate arrangements for Students’ Unions – they are often separate legal entities and their services may not be hosted by the institution. In these instances, there may be reliance on clauses relating to bringing the institution into disrepute to take action against an individual (which may or may not be an IT regulation issue) or specific agreement (such as within a tenancy agreement) with the Students’ Union to ensure monitoring takes place.