Skip to content
security

Navigating Privacy & Security - Essential Tips for NZ Schools

Paul Sibson (Hero Co-founder + Chief Innovation Officer) and Doug Hetherington (Chief Technical Officer), share insights on safeguarding school and student data, aligned with the NZ Privacy Act.

Navigating Privacy & Security - Hero's Essential Tips for NZ Schools

In today's digital landscape, protecting sensitive student and school data is more important than ever. To help you navigate the complexities of privacy and security we’ve put together this comprehensive guide to get you started.

Your Student Management System, whether you use Hero or another provider, is only one part of the security profile for your school. Schools have data in all sorts of forms, including paper, as well as digital systems. It is important to consider all types of data - where they're stored, how they're stored, and why they're stored.

Quick Tips: Top Takeaways for Your School

1. Consider your data lifecycle, and how you are storing data - digitally vs. physically (e.g. in filing cabinets, on walls).
  • How are you ensuring this data is protected from exposure?

  • Do you really need to be keeping this data?

  • Do you have visibility over what apps all staff are using, particularly apps they are inputting student and parent data into, and do they have permission to be doing this?

2. Choose apps and systems that have undergone rigorous privacy and security testing, such as Safer Technologies for Schools (ST4S).

3. Good systems and apps can help protect data, but it’s people that glue privacy and security together. Dedicate time to training and upskilling your team, and ensure they have the correct access levels to the apps they need.


The Starting Point: NZ Privacy Act

The New Zealand Privacy Act (2020) governs how you should collect, handle and use personal information. A couple of important requirements from the Act include:

  1. Have a Privacy Officer
    Every organisation in the country should have a Privacy Officer. In the case of a school, it could be the principal, but it doesn't have to be! It must be someone who has an oversight and understanding what privacy and security means for a school, what policies exist and how they're enacted within the school.
  2. Have a Privacy Policy
    It is a requirement to have a Privacy Policy, and like with all policies, they're only useful if people understand them. It's a challenge for all organisations to make sure that everyone knows what the policy is and that they are following it. We cover more about this in point 1 of the ‘Privacy and Security Chain’ below.
The 13 principles within the Privacy Act get us thinking about:
  • What data am I collecting?
  • Why am I collecting it?
  • Who am I collecting it from? Do they know I'm collecting it, and do they know what I’m using it for?
  • Can people update/correct or get their data back if they need it?

Some of these answers can be a little complicated for schools. For example, certain data is required by the Ministry of Education to be stored for a certain period of time.

One of the key responsibilities of your Privacy Officer is to look at what data you are collecting as a school, and get clear on: What is the point of this data? Do we really need it? What's its purpose? And if it is needed for a period of time, what is the process for destroying or deleting it?

Here’s how Hero meets each of these principles.

The Privacy & Security Chain

Every process and person within your school forms your privacy and security chain. Imagine one of those links in the chain is rusty - if it were a trailer, you'd fail your warrant. Each link in the chain needs to join together and be robust.

Hero privacy and security chain


Let's dive into each link of the chain...

1. Staff training

Privacy and security starts with people - all of this works only when people really understand what's going on.

Everyone is doing their best. But if they haven't been given the training and awareness on physical and cyber security, it can be hard to know the right things to do. For example:

  • If you walk away from your computer and have left it open and unlocked, someone could walk into the building and see everything on your screen. 
  • Having passwords in a viewable form (e.g. printed on the wall for students), or passwords that are too simplistic or easy to guess. 

Start by working out what you think the risks are, then implement a process for upskilling staff and mitigating these risks.

  • Physical item risks - e.g. data on display, staff machines at school and at home.
  • Cybersecurity risks - e.g. passwords, data handling, phishing, privacy training and having a plan if it does go wrong.

The Ministry of Education and CERT NZ have some great information, to get you started.

 

2. Device and network security

Maintaining robust device and network security is critical to protecting sensitive information within schools. Here’s what you need to know and the key questions to ask to ensure your school’s data remains secure.

Device security

The Ministry of Education funds antivirus software for all school devices, ensuring that each machine has basic protection against malware and other cyber threats. However, to maximise this protection:

  • Activate and update regularly: Check that antivirus software is active on all devices and updated frequently to defend against the latest security threats.
  • Monitor: Regularly verify that all school devices remain compliant and have the latest updates installed.
Network security

With the type of data on school networks, segmenting access is important. Consider:

  • Access segmentation: Separate networks for staff devices (especially those accessing high-sensitivity data) from other devices, such as student BYOD (Bring Your Own Device) equipment. This reduces the risk of unauthorised access to critical information.
  • BYOD policies: Ensure that any BYOD access is restricted and monitored, preventing possible vulnerabilities from personal devices on the school network.

Device and network security require specialised knowledge. If you don’t have an internal IT team, it’s essential to engage with your IT provider or consultant to ensure all aspects of your security are up-to-date. Key questions include:

  • What steps are we taking to ensure comprehensive security for our devices and network?
  • Do we have the proper segmentation in place to protect sensitive data?
  • How are we keeping our antivirus solutions updated and compliant with MoE guidelines?

Smaller schools may not have an IT management team or provider in place. The MoE offers support around that, so if you're in that situation, we encourage you to reach out to your Ministry representative. 

 

3. Keeping software and devices up to date

Running outdated software on school devices is a security risk. Unsupported operating systems and old applications can quickly become a target for malware and viruses. Updates are important, as once software is unsupported it stops receiving security updates. Vulnerabilities are found but not fixed which makes exploiting that software to cause mayhem easy.

Keep on top of software updates! Centralised management of devices makes it a lot easier, because you can run reports and have more visibility across this.

 

4. Single sign on, passwords and multifactor authentication

There’s little point having all the above without strong login practices, and with students and staff accessing various systems, ensuring secure, streamlined access is essential. Here’s how Single Sign-On (SSO), password management, and Multifactor Authentication (MFA) can help.

Single Sign-On (SSO)

Passwords can be a burden. To reduce this and encourage good behaviour, set up SSO. This simplifies the login process by allowing users to access multiple systems with a single username and password.

Link together Microsoft and Google sign-ins so that if you're using both of those, you only need to login to one of them, and it will log you into the other one automatically.  

Hero users have the option for SSO when logging into Hero. Encouraging everyone to use that rather than a username and password is a great option. A lot of other software platforms that teachers use allow you to sign in with Google.

Hero secure passwords

 

Password Managers

Password managers are great. They generate unique, complex passwords, then store them securely. They can also ensure passwords aren't being reused across different sites. Password reuse is a major risk - imagine a scenario where your staff’s passwords are the same across Hero and other sites. If one of those other companies have a breach, a hacker, using automation, could log into Hero and other platforms.

Passwords

Passwords should be complex and unguessable. If you can't remember it, then it's probably a good password - as long as you can remember the one to get into your password manager!

Consider using a ‘passphrase’ rather than trying to remember a word, i.e. having a phrase that you type as a sentence with spaces and capital letters. Something that is memorable to you, but no one is going to guess it.

If you are keeping passwords on the wall for students, don't! Hero has a solution for that - QR code login, which is far more secure. Our QR codes change regularly so only allow students to log in for a certain time frame. We spent a lot of time thinking about this for ease of use for students and teachers, but also from a security point of view as well.

Multifactor Authentication (MFA)

MFA is a crucial security measure. In Hero, you can enable multifactor authentication for your school, requiring staff to input a code from their mobile phone when they log in. This simple act significantly reduces the risk of unauthorised access.

Locking Devices

All of these things are undermined if you leave your laptop logged in and unlocked. Lock your machine, close it, and if it's a laptop, take it with you. 

This is another area where centralised management of devices can be useful. You can enforce timeouts on screens, and make it so that passwords on these devices have to be strong.

 

5. Data minimisation, storage, encryption and backup

When you're storing data in Hero, we're backing it up and making sure it's encrypted and stored in secure locations. Hero is designed for data storage and to have fine grain controls that help schools handle data and support streamlined workflows.

From its creation, Hero was designed so that the data sits with the child. This makes managing the lifecycle of that data easier for schools, as the child is firstly pre-enrolled, then joins the school and later leaves the school.

One challenge to data storage is legal requirements to keep certain data for seven years. We're working with schools in New South Wales where the legal requirement is 25 years. 

Again, it begs the question of, What data should we keep for seven years? Do we really need to, for what purpose? Where are we storing it? It will be interesting to see how this changes over the next couple of years as well, as legislation is revisited, from a view of, do we need to keep this? Is it worth the risk?

It is better to keep data in a system, such as Hero, where it is controlled - rather than trying to move it into a Google drive or similar, where it's a lot harder to manage each individual student.

It is important to consider the on-premise data that you have. Here's a question to yourself, should you still have on-premise data? And the answer is… probably not.

Having rules for teachers and staff who are working with children, that any information that you have entered or downloaded onto your laptop, that is not in an online server, those files get deleted at the end of the day (and make sure you've emptied your trash!). It's about making sure that data doesn't hang around in there too long, because all you need is something to be compromised and then people can pull that data out.

 

6. Software access levels

The next link is looking at the access levels people are assigned. It’s easy to go in and give everyone ‘super admin’ access - but that's not a good idea!

Create a process by which a member of staff is given access to higher level data if they need it - maybe for a period of time and then it's removed. We recommend starting with granting virtually no access, then upgrading access as people need it - so it's essentially denied by default.

 

7. Integrations & 3rd parties

A lot of schools have integrations into their SMS. Hero has an API allowing other companies to link in, which is great! 

Integrations are wonderful - they make life easier, but it’s important to understand the risks first. At Hero, we limit certain data from these companies, and have also created a deliberate process for Hero schools to activate integrations.

It is really important when you're engaging with any other companies that you make informed decisions. You need to look at what they're doing with the data and ask them difficult questions. The Safer Technologies for Schools (ST4S) badge is a great guideline that they really care about privacy and security. Attaining this badge involves a rigorous process, and it comes strongly recommended by the Ministry of Education.

When it comes to integrations: Ask. Work out what you're signing up for. Work out what they're going to do with your data. And if or when you do decide to leave, what happens to the data they've got?

 

8. Monitoring

Is your school monitoring for suspicious logins or emails? A lot of this is automated within Microsoft and Google’s admin consoles, they will notify you when dodgy emails are coming in, or when there are unusual login or device patterns, etc. 

It's not the Principal's job to be monitoring these things, but it is to understand what they are so that you can ask the right questions to the right people. Ask your IT supplier, what are you doing in the way of monitoring our systems? Ask the Ministry, are there ways that you can help us do this? 

 

9. Incident response plan

Every school needs a well thought out incident response plan to handle potential data breaches or cybersecurity incidents. Having a clear plan in place ensures a faster, more organised response, minimising impact and helping protect sensitive information.

If your school does have a data breach, what are you going to do? Who do you need to call? How are you going to resolve things? Who is responsible for communications? 

 

10. Continual improvement

No one is completely perfect. Start by making sure that everything is good, first of all, and then start looking at how you can improve.

An example in a school might be, when Paul was a Principal, they had printed medical action plans for children on the wall in the staff room. And then realised, the staff room had windows that parents could see in - a breach of privacy for those children with medical action plans. The reason for having these plans on the wall was so that staff were all aware, which was important, but the way they were doing it was not secure.

They had to consider - could we do that in a different way? It might be a slight tweak, like we're going to put it on a different wall where it can't be viewed by parents. Or find another way to do it.

The learning? Have a forum in which these things are discussed and documented. 

As a company where privacy and security is critical to us, we have a weekly security meeting, where we document what we discuss, review and continue to make improvements. We have a comprehensive information security management system. 

It isn’t necessarily practical in a school to have that same level of documentation. But start down that road of having regular meetings around these topics, and take minutes so that you have an audit trail. Over time, you’ll continue to discover areas that can be improved.

 

ST4S - What it means and why you should care

We couldn’t sign off without reiterating the importance of the Safer Technologies for Schools (ST4S) badge. Hero has held this since 2020, and we are currently the only NZ SMS with the ST4S badge!

Data Migration


There are many technology services and platforms that schools can choose, and can see the value of using, but in virtually all cases, they will be collecting some sort of data. So it's really important to understand, how are they securing that?

The ST4S badge is an acknowledgement that a provider has all of their privacy and security systems and processes in place to make it as safe as possible. View the ST4S Product Badge Register here.

We know from experience that achieving the ST4S badge is a lengthy process. So if a supplier you are using doesn’t yet have the badge, it is worth asking them, are you working on this? How are you getting on with it?

For more detail about ST4S, dive into our recent blog about ST4S: What It Means and Why It Matters to You.

 


 

Doug Hetherington

Doug Hetherington

As Chief Technical Officer, Doug oversees all technical operations, with a laser-focused lens on innovation, building efficiencies, and privacy & security. The man behind many cutting edge mobile products used daily by millions of people, Doug knows what it takes to get software soaring.

Latest Articles

Navigating Privacy & Security - Essential Tips for NZ Schools

Navigating Privacy & Security - Essential Tips for NZ Schools

Paul Sibson (Hero Co-founder + Chief Innovation Officer) and Doug Hetherington (Chief Technical Officer), share insights on safeguarding sc...

ST4S: What It Means and Why It Matters to You

ST4S: What It Means and Why It Matters to You

Understanding Safer Technologies for Schools (ST4S) is crucial for all school principals and Boards of Trustees, as it directly influences ...

Hero: A Game-Changer for Currabubula Public School

Hero: A Game-Changer for Currabubula Public School

Mark Stephens, Principal at Currabubula Public School, New South Wales, was seeking a solution to streamline data management and enhance co...