Where should kura and schools go to find impartial advice on whether software and technology products are secure? This Education Gazette article explains more.
It’s important to keep ākonga, and their data, safe within school and kura software and technology systems.
Software and technology can be a great enabler for learning outcomes and supporting kura and school operations. However, with so much information now stored online, personal information is often at risk. Schools are responsible for ensuring that children’s data is protected.
To add to the complexity is an education sector that is becoming increasingly targeted for malicious online activity.
Safer Technologies for Schools (ST4S) looks to provide a solution for kura and schools, by removing some of the guesswork when selecting software and technology.
ST4S provides an overview of digital products for use in kura and schools and offers guidance on whether these products meet privacy and security standards, by providing clear and consistent reports.
These confidential reports detail how software or technology performs against privacy and security criteria, and they are available through an online portal. The reports identify any risks associated with the product and advise as to how these risks might be mitigated.
To date, there are 120 ST4S reports on software and technology products available through the portal, and 28 include security and privacy protections for a New Zealand schooling context.
ST4S has a wide range of software product categories, which includes: curriculum resources, assessment and testing, library management, school administration and educational games.
Products that have a ‘low’ or ‘medium’ risk rating can apply for an ST4S badge. Suppliers can use these badges on their website and to generally promote their product. These suppliers commit to regularly confirming that they are compliant with security and privacy standards.
For Philip May, board chair for Clifton Terrace Model School in Wellington, security and privacy was a priority when selecting new software for their school.
“With so many important services now accessible from the internet it opens our school and our children’s data to theft by potentially millions of people who are looking to steal this data to make a buck, or even just disrupt service. As parents, teachers and board members the security of our children’s data has to be paramount,” he says.
Philip has recently used ST4S to purchase School Management software.
“We needed some assurance that the security of our preferred system met minimum standards and was subject to auditing. It’s easy for software vendors to say their products are ‘secure’ but without external validation and assessment we have no way of separating marketing speak from reality.”
When selecting this software for their school, it was important for them to know that the product is subject to security reviews, there were no glaring security flaws and two-factor authentication could be enforced for teachers and admin staff accessing children’s data.
Using ST4S also enabled Philip to have informed conversations with the software supplier. When reviewing ST4S reports Philip could see that their preferred vendor had not met the New Zealand ST4S standard which requires the use of two-factor authentication (2FA) in cloud systems.
Philip advised their preferred vendor they couldn’t use their service until they met this standard.
“Our vendor worked on this and 2FA became available a couple of months later, at which time we signed a contract with them.”
The assurance ST4S provided when making a software purchasing decision was of real benefit to Clifton Terrace Model School.
“We don’t have the time or resources to properly evaluate software systems that our school uses or procures. Having a service like ST4S is invaluable. You can get a high-level assessment result that gives you confidence to procure – or leverage to ask your vendor to improve.
“You can also be given access to more detailed assessments if you are technically inclined and wish to engage in more in-depth conversations with the Ministry or your software provider. I personally found the process very smooth,” says Philip.
ST4S assessment reports are available for authorised staff in state and state integrated schools and kura via the Taku portal.
An Education Sector Logon (ESL) account is required. If you need an ESL account, you can contact the Ministry of Education Service Desk on 0800 422 599(external link) or service.desk@education.govt.nz to arrange access. Alternative arrangements are available for independent schools.
A list of ST4S badged products is available on the ST4S website. Keep regularly checking the ST4S portal and website, as more reports and badged products will be added over time.
Kura and schools using software that does not have an ST4S badge, are well-positioned to help grow the ST4S service.
The Ministry of Education’s Digital Services team are working with EdTech suppliers to participate in the ST4S assessment process but need help to identify and prioritise products.
To recommend products for ST4S assessment, email digital.services@education.govt.nz.
For more information, visit st4s.educ.au(external link).
While usability and functionality is important when selecting software, it’s also important to consider security and privacy.
Here are some tips to consider prior to purchasing software for your kura or school:
The details provided in these statements should indicate their level of commitment to their customers’ security and privacy, including what standards they claim to meet, and how this is verified (e.g. via independent testing and/or certification). If no statement is provided – their commitment to privacy and security could be questionable.
ST4S provides guidance with security and privacy assessments. You may find other privacy or security assessments online, but bear in mind that these may not address the needs of New Zealand customers.
Is it for educational advertising, research, analytics or selling to third parties? If you determine that it’s unnecessary for them to collect this information, you may want to reconsider purchasing this software.
ST4S reports provide standardised descriptions of what categories of personal information are collected and highlight sensitive information.
ST4S reports provide standardised descriptions of these risks and recommended mitigations.
Check out CERT NZ website which outlines what to look for when purchasing Software as a Service products.
BY Education Gazette editors
Education Gazette | Tukutuku Kōrero, reporter@edgazette.govt.nz
Posted: 10:08 am, 25 January 2024
12 October 2022
Government education agencies are working on a new digital and data strategy outlining a shared view of digital education in Aotearoa the coming decade.
20 April 2023
The third in a series of Education Gazette articles on Cyber Security, we explore how Network for Learning (N4L) can support schools to keep ākonga safe.
5 October 2023
The Ministry of Education has commissioned N4L to deliver the Satellite for Schools programme
