This article is part 1 of a 4 part series previously hosted on BBC.
Australian schools hold sensitive data on teachers, students and their families. Following best practices can help them keep it safe.
Whether it’s a sustained hacking assault, a mischievous teenager practising their coding skills, or simply a logged-in device left unattended, network security is a vital issue for any institution or organisation. And schools are no exception.
Education organisations typically hold reams of data on teachers, students and their families, and that goes well beyond grades and behaviour. “It might be that a student’s parents are separating. It might be that a student is caring for elderly parents at home,” says Dan Bowen, a former teacher who is now an education technology strategist at Microsoft. Teachers need to understand – and share their knowledge of – a student’s problems to help support that student, yet those problems also need to remain confidential.
Whether it’s physical disabilities, psychiatric issues, allergies or specific learning disabilities such as dyslexia, schools and teachers need to hold very sensitive information to perform their role correctly. “It’s really important for schools to have that information so that they can support their students,” Bowen says. “It’s not only about learning outcomes, but about their social wellbeing.”
And the data schools hold does not just relate to students but their families, and even to teachers and support staff. Educational organisations hold salary details, internal disciplinary records, the results of criminal record checks, and CVs packed with confidential information, all of which could prove highly valuable to a hacker. Schools are as vulnerable to financial fraud as other organisations.
While Australian schools do have to notify stakeholders if their data is lost, under the new Notifiable Data Breaches Scheme, there is very little data protection guidance at a federal level. Privacy regulations and requirements vary widely between territories and states, and even between private sector and public sector, says Bruce Baer Arnold of the Australian Privacy Foundation NGO.
Still, whether a school is private or public, in Canberra or the Northern Territory, administrators have to balance usability of networks and devices against potential privacy and security issues. Levels of digital literacy and security awareness vary widely across geographies, generations and individual users – and, as Arnold says: “Those networks are not necessarily very well-administered or very well-designed.”
One practical way schools can act to protect their stakeholders’ privacy is by ensuring rigorous network security. Bowen recommends strictly controlling network access rights, storing documents centrally rather than locally and enabling security features such as Microsoft’s drive encryption service Bitlocker. Rather than rely on passwords alone, Bowen favours multi-factor authentication to verify the user’s identity for login.
And, just as a burglar alarm is no use if you leave your front door unlocked, Bowen emphasises that users should keep their devices protected. “You can have all the security in the world, but if you leave your machine unlocked people can get into it,” Bowen says. He recommends ensuring all devices, including phones and tablets, are locked while users are away, and using biometric services such as Windows Hello for additional security.
Besides security, a well-maintained network helps protect privacy. Microsoft’s Intune for Education cloud IT solution enables IT managers to set privacy rules across networked devices. Using Office products such as Exchange Email, network administrators can create different classes of email for users to pick between, each with different levels of security and retention.
“If I’m an IT manager, I can set up rules at the central level to say that if anybody sends an email with the phrase ‘child protection’, that’s then retained forever,” Bowen says. “Or I can specify that a copy is sent to the child protection officer.”
Bowen recommends that schools audit their IT provision regularly. “They need to be thinking about key things specifically around identity: how users are logging in and what services those users access,” he says. “They also need to do due diligence around what tools they are using, and take an interest in what those companies are doing with their data and where that data is stored.”
Bowen hopes more schools will start to take their security and privacy responsibilities as seriously as other businesses do. “Schools really need to start thinking about the fact that they are enterprises,” he says. “They hold a lot of sensitive information and they need to be putting the practices in place that businesses do. It’s as simple as that.”