Hero Blog

Hero | Navigating Privacy & Security - Essential Tips for NZ Schools

Written by Doug Hetherington | Nov 4, 2024 11:34:33 PM

In today's digital landscape, protecting sensitive student and school data is more important than ever. To help you navigate the complexities of privacy and security, we’ve put together this comprehensive guide to get you started.

Your Student Management System, whether you use Hero or another provider, is only one part of the security profile for your school. Schools have data in all sorts of forms, including paper, as well as digital systems. It is important to consider all types of data - where they're stored, how they're stored, and why they're stored.


The Starting Point: NZ Privacy Act

The New Zealand Privacy Act (2020) governs how you should collect, handle and use personal information. A couple of important requirements from the Act include:

  1. Have a Privacy Officer
    Every organisation in the country should have a Privacy Officer. In the case of a school, it could be the principal, but it doesn't have to be! It must be someone who has oversight and an understanding of what privacy and security mean for a school, what policies exist and how they're enacted within the school.
  2. Have a Privacy Policy
    It is a requirement to have a Privacy Policy, and as with all policies, it is only useful if people understand it. It's a challenge for all organisations to make sure that everyone knows what the policy is and that they are following it. We cover more about this in point 1 of the ‘Privacy and Security Chain’ below.

The 13 principles within the Privacy Act get us thinking about:
  • What data am I collecting?
  • Why am I collecting it?
  • Who am I collecting it from? Do they know I'm collecting it, and do they know what I’m using it for?
  • Can people update/correct or get their data back if they need it?

Some of these answers can be a little complicated for schools. For example, certain data is required by the Ministry of Education to be stored for a certain period of time.

One of the key responsibilities of your Privacy Officer is to look at what data you are collecting as a school, and get clear on: What is the point of this data? Do we really need it? What's its purpose? And if it is needed for a period of time, what is the process for destroying or deleting it?

Here’s how Hero meets each of these principles.

The Privacy & Security Chain

Every process and person within your school forms your privacy and security chain. Imagine one of those links in the chain is rusty - if it were a trailer, you'd fail your warrant. Each link in the chain needs to join together and be robust.


Let's dive into each link of the chain...

1. Staff training

Privacy and security starts with people - all of this works only when people really understand what's going on.

Everyone is doing their best. But if they haven't been given the training and awareness on physical and cyber security, it can be hard to know the right things to do. For example:

  • If you walk away from your computer and have left it open and unlocked, someone could walk into the building and see everything on your screen. 
  • Having passwords in a viewable form (e.g. printed on the wall for students), or passwords that are too simplistic or easy to guess. 

Start by working out what you think the risks are, then implement a process for upskilling staff and mitigating these risks.

  • Physical item risks - e.g. data on display, staff machines at school and at home.
  • Cybersecurity risks - e.g. passwords, data handling, phishing, privacy training and having a plan if it does go wrong.

The Ministry of Education and CERT NZ have some great information to get you started.

 

2. Device and network security

Maintaining robust device and network security is critical to protecting sensitive information within schools. Here’s what you need to know and the key questions to ask to ensure your school’s data remains secure.

Device security

The Ministry of Education funds antivirus software for all school devices, ensuring that each machine has basic protection against malware and other cyber threats. However, to maximise this protection:

  • Activate and update regularly: Check that antivirus software is active on all devices and updated frequently to defend against the latest security threats.
  • Monitor: Regularly verify that all school devices remain compliant and have the latest updates installed.

Network security

With the type of data on school networks, segmenting access is important. Consider:

  • Access segmentation: Keep the network for staff devices (especially those accessing high-sensitivity data) separate from the network for other devices, such as student BYOD (Bring Your Own Device) equipment. This reduces the risk of unauthorised access to critical information.
  • BYOD policies: Ensure that any BYOD access is restricted and monitored, preventing possible vulnerabilities from personal devices on the school network.

Device and network security require specialised knowledge. If you don’t have an internal IT team, it’s essential to engage with your IT provider or consultant to ensure all aspects of your security are up-to-date. Key questions include:

  • What steps are we taking to ensure comprehensive security for our devices and network?
  • Do we have the proper segmentation in place to protect sensitive data?
  • How are we keeping our antivirus solutions updated and compliant with MoE guidelines?

Smaller schools may not have an IT management team or provider in place. The MoE offers support around that, so if you're in that situation, we encourage you to reach out to your Ministry representative. 

 

3. Keeping software and devices up to date

Running outdated software on school devices is a security risk. Unsupported operating systems and old applications can quickly become a target for malware and viruses. Updates are important because, once software is unsupported, it stops receiving security updates. Vulnerabilities are found but not fixed, which makes it easy to exploit that software to cause mayhem.

Keep on top of software updates! Centralised management of devices makes it a lot easier, because you can run reports and have more visibility across this.

 

4. Single sign on, passwords and multifactor authentication

There’s little point having all the above without strong login practices, and with students and staff accessing various systems, ensuring secure, streamlined access is essential. Here’s how Single Sign-On (SSO), password management, and Multifactor Authentication (MFA) can help.

Single Sign-On (SSO)

Passwords can be a burden. To reduce this and encourage good behaviour, set up SSO. This simplifies the login process by allowing users to access multiple systems with a single username and password.

Link together Microsoft and Google sign-ins so that, if you're using both of those, you only need to log in to one of them and it will log you into the other one automatically.

Hero users have the option for SSO when logging into Hero. Encouraging everyone to use that rather than a username and password is a great option. A lot of other software platforms that teachers use allow you to sign in with Google.

 

Password Managers

Password managers are great. They generate unique, complex passwords, then store them securely. They can also ensure passwords aren't being reused across different sites. Password reuse is a major risk - imagine a scenario where your staff’s passwords are the same across Hero and other sites. If one of those other companies has a breach, a hacker, using automation, could log into Hero and other platforms.

Passwords

Passwords should be complex and unguessable. If you can't remember it, then it's probably a good password - as long as you can remember the one to get into your password manager!

Consider using a ‘passphrase’ rather than trying to remember a word, i.e. having a phrase that you type as a sentence with spaces and capital letters. Choose something that is memorable to you, but that no one is going to guess.

If you are keeping passwords on the wall for students, don't! Hero has a solution for that - QR code login, which is far more secure. Our QR codes change regularly, so they only allow students to log in for a certain time frame. We spent a lot of time thinking about this for ease of use for students and teachers, and also from a security point of view.

Multifactor Authentication (MFA)

MFA is a crucial security measure. In Hero, you can enable multifactor authentication for your school, requiring staff to input a code from their mobile phone when they log in. This simple act significantly reduces the risk of unauthorised access.

Locking Devices

All of these things are undermined if you leave your laptop logged in and unlocked. Lock your machine, close it, and if it's a laptop, take it with you. 

This is another area where centralised management of devices can be useful. You can enforce timeouts on screens, and make it so that passwords on these devices have to be strong.

 

5. Data minimisation, storage, encryption and backup

When you're storing data in Hero, we're backing it up and making sure it's encrypted and stored in secure locations. Hero is designed for data storage and to have fine-grained controls that help schools handle data and support streamlined workflows.

From its creation, Hero was designed so that the data sits with the child. This makes managing the lifecycle of that data easier for schools, as the child is firstly pre-enrolled, then joins the school and later leaves the school.

One challenge to data storage is legal requirements to keep certain data for seven years. We're working with schools in New South Wales where the legal requirement is 25 years. 

Again, it raises the questions: What data should we keep for seven years? Do we really need to, and for what purpose? Where are we storing it? It will be interesting to see how this changes over the next couple of years as legislation is revisited, from the view of: do we need to keep this? Is it worth the risk?

It is better to keep data in a system, such as Hero, where it is controlled - rather than trying to move it into a Google drive or similar, where it's a lot harder to manage each individual student.

It is important to consider the on-premise data that you have. Here's a question to ask yourself: should you still have on-premise data? And the answer is… probably not.

Have rules for teachers and staff who are working with children: any information that you have entered or downloaded onto your laptop, and that is not on an online server, gets deleted at the end of the day (and make sure you've emptied your trash!). It's about making sure that data doesn't hang around in there too long, because all you need is something to be compromised and then people can pull that data out.

 

6. Software access levels

The next link is looking at the access levels people are assigned. It’s easy to go in and give everyone ‘super admin’ access - but that's not a good idea!

Create a process by which a member of staff is given access to higher level data if they need it - maybe for a period of time and then it's removed. We recommend starting with granting virtually no access, then upgrading access as people need it - so it's essentially denied by default.

 

7. Integrations & 3rd parties

A lot of schools have integrations into their SMS. Hero has an API allowing other companies to link in, which is great! 

Integrations are wonderful - they make life easier, but it’s important to understand the risks first. At Hero, we limit certain data from these companies, and have also created a deliberate process for Hero schools to activate integrations.

It is really important when you're engaging with any other companies that you make informed decisions. You need to look at what they're doing with the data and ask them difficult questions. The Safer Technologies for Schools (ST4S) badge is a great indication that a company really cares about privacy and security. Attaining this badge involves a rigorous process, and it comes strongly recommended by the Ministry of Education.

When it comes to integrations: Ask. Work out what you're signing up for. Work out what they're going to do with your data. And if or when you do decide to leave, what happens to the data they've got?

 

8. Monitoring

Is your school monitoring for suspicious logins or emails? A lot of this is automated within Microsoft and Google’s admin consoles; they will notify you when dodgy emails are coming in, or when there are unusual login or device patterns, etc.

It's not the Principal's job to be monitoring these things, but it is their job to understand what they are, so that they can ask the right questions of the right people. Ask your IT supplier: what are you doing in the way of monitoring our systems? Ask the Ministry: are there ways that you can help us do this?

 

9. Incident response plan

Every school needs a well thought out incident response plan to handle potential data breaches or cybersecurity incidents. Having a clear plan in place ensures a faster, more organised response, minimising impact and helping protect sensitive information.

If your school does have a data breach, what are you going to do? Who do you need to call? How are you going to resolve things? Who is responsible for communications? 

 

10. Continual improvement

No one is completely perfect. Start by making sure that everything is good, first of all, and then start looking at how you can improve.

Here's an example from a school: when Paul was a Principal, they had printed medical action plans for children on the wall in the staff room. They then realised that the staff room had windows that parents could see in - a breach of privacy for those children with medical action plans. The reason for having these plans on the wall was so that staff were all aware, which was important, but the way they were doing it was not secure.

They had to consider - could we do that in a different way? It might be a slight tweak, like we're going to put it on a different wall where it can't be viewed by parents. Or find another way to do it.

The learning? Have a forum in which these things are discussed and documented. 

As a company where privacy and security is critical to us, we have a weekly security meeting, where we document what we discuss, review and continue to make improvements. We have a comprehensive information security management system. 

It isn’t necessarily practical in a school to have that same level of documentation. But start down that road of having regular meetings around these topics, and take minutes so that you have an audit trail. Over time, you’ll continue to discover areas that can be improved.

 

ST4S - What it means and why you should care

We couldn’t sign off without reiterating the importance of the Safer Technologies for Schools (ST4S) badge. Hero has held this since 2020, and we are currently the only NZ SMS with the ST4S badge!


There are many technology services and platforms that schools can choose, and can see the value of using, but in virtually all cases, they will be collecting some sort of data. So it's really important to understand, how are they securing that?

The ST4S badge is an acknowledgement that a provider has all of their privacy and security systems and processes in place to make it as safe as possible. View the ST4S Product Badge Register here.

We know from experience that achieving the ST4S badge is a lengthy process. So if a supplier you are using doesn’t yet have the badge, it is worth asking them, are you working on this? How are you getting on with it?

For more detail about ST4S, dive into our recent blog about ST4S: What It Means and Why It Matters to You.