Policy last updated
28 January 2025
Scope
- Schools
Policy
Policy
This policy defines the mandatory systems of record for student and school administration. It also outlines requirements for schools to use the Safer Technologies 4 Schools (ST4S) risk assessment reports for assessing both existing and new software and administration systems prior to use at a school.
Summary
- Schools must use the department-provided systems of record in accordance with their purpose and functions. If using administration systems not provided by the department, schools must ensure that any data used in these systems is exported into the relevant department-provided system of record.
- Prior to adopting new software or an administration system that is not provided by the department, schools must check if it has a Safer Technology 4 Schools (ST4S) assessment on the Arc catalogue and implement actions from the full ST4S report. If a report is not available schools must contact the department’s IT Security team for alternative assessment options.
- For all currently used software and administration systems not provided by the department, schools must complete the required actions outlined in this policy by the end of 2028.
Details
Scope
This policy applies to any software or administration systems that interact with or process personally identifiable, sensitive, health or important operational data (for example, a student management system accessed through a personal mobile).
For software or administration systems which do not process such information, this policy does not apply.
Systems of record
Schools must use the department-provided systems of record to record and maintain data, information and records, according to each system’s purpose and functions. A list of department-provided systems of record can be found in the Guidance tab.
Schools may procure and implement further administration systems which provide additional capabilities for student and school administration. Examples include online services for parents and carers, assessment or grading tools, financial services or banking services.
Where a school implements one or more administration systems that is not provided by the department, they must ensure that any data, information or records generated or maintained in these systems is exported into the relevant system of record.
Adopting software and administration systems not provided by the department
Schools must comply with the following requirements prior to adopting (that is, purchasing, subscribing, trialling or renewing) software and administration systems not provided by the department).
Check Arc Software Catalogue
Prior to adopting new software or an administration system that is not provided by the department, schools must first check if it is listed on the Arc catalogue and whether it has a Safer Technology for Schools (ST4S) risk assessment report.
Arc Software can be filtered by the school-procured category and further filtered by functionality or learning area/capability tags (Products that are provided by the department are listed on Arc as ‘Department provided’ which will not have an ST4S assessment and are covered in the ‘Department-provided software’ guidance tab).
Use Safer Technology 4 Schools assessments
Where a Safer Technology 4 Schools (ST4S) report is available, schools must review the summary ST4S risk assessment report and implement actions from the full ST4S report prior to using the software or administration system.
Schools must not use products with an overall ST4S rating of non-compliant, non-participating or high risk.
Refer to the Guidance tab for more information about ST4S assessments.
Request security assessments
Where an ST4S report is not available schools are encouraged to:
- search for alternative products that have been assessed which offer similar functionality as these represent a lower risk than unassessed products
- complete a privacy impact assessment (PIA). (Refer to guidance on privacy impact assessments within the Privacy and Information Sharing policy for more information).
Prior to using products which have not been fully assessed (as suitable alternative products may not always be available), schools must raise an assessment request with the department’s IT Security Team via the Service (staff login required) who will arrange for either an ST4S or other assessment to be conducted.
- Schools can use these products while this assessment is underway.
- Schools that have registered product assessment requests will be notified of the results.
- Pending the outcome of these assessments, schools may need to move to lower risk alternative products.
Using department contract template
Schools are strongly encouraged to use a department contract template when using software and administration systems to ensure compliance with department requirements. For more information refer to the systems and applications section of the Records Management .
Reviewing currently used software and administration systems
For all currently used software and administration systems, not provided by the department, schools must complete the following actions by the end of 2028:
- record an inventory of all the products they use (template in Resources tab)
- review any available ST4S assessment reports for these products
- implement actions from the full ST4S assessment reports for these products as soon as practicable; either 12 months after review, or by the end of 2028, whichever comes first.
Actions based on the software of administration system’s ST4S risk rating
Refer to the Guidance tab for more information about ST4S product risk ratings.
If a school identifies or becomes aware of products, not provided by the department, already in use in the school with an ST4S rating, they must take the following actions:
- for ratings of non-compliant or high risk, or an outcome of non-participating – schools must cease use of this product or migrate to a lower risk alternative as soon as practicable and within 12 months
- for ratings of medium risk, low risk, use with caution, or use responsibly – full ST4S assessment report actions are to be reviewed and implemented as soon as practicable; within 12 months or by the end of 2028, whichever comes first.
This timeline is aligned to the Technologies and ICT Services policy.
Definitions
Administration systems
Administration systems refer to digital technology-based systems and processes for collecting, maintaining and using records (including for students, staff, parents and others).
Safer Technologies 4 Schools
The Safer Technologies 4 Schools (ST4S) initiative is an independent national service administered by Education Services Australia that creates security, privacy and child safety reports for schools.
Software
The digital applications that support teaching, learning and other functions in a school, and which may complement administration systems and technologies and ICT services including: locally installed applications, web-based applications, websites, web browser extensions, collaboration platform add-ons.
Student and school administration
The processes and activities which enable the day to day running of a school. These include:
- school management – including finance and accounting, procurement, facilities and asset management, human resource management, risk management, and ancillary services
- student administration – including enrolments and transitions, attendance, student reporting and achievement, student and family profiles, health and wellbeing, events and consent).
Systems of record
The department-provided administration systems which are considered to contain data and records where the integrity, validity and security of this information is vital to deliver required reporting and school operational functions.
Technologies and ICT services
Technologies and ICT services refer to infrastructure and platforms that enable core school functions including: hardware, internet, network, cloud services, identity management, operating systems and collaboration platforms. Refer to Technologies and ICT Services.
Related policies
- CCTV in Schools – Installation and Management
- Child Safe Standards
- Digital Learning
- Digital Technologies – Responsible Use
- eduMail (employee email)
- Generative Artificial Intelligence
- Information Security
- Privacy and Information Sharing
- Records Management
- Schools' privacy
- Technologies and ICT Services
Relevant legislation
- Child Wellbeing and Safety Act 2005
- Freedom of Information Act 1982
- Health Records Act 2001
- Ministerial Order 1359 – Implementing the Child Safe Standards – Managing the risk of child abuse in schools
- Privacy and Data Protection Act 2014
- Public Records Act 1973
- Victorian Protective Data Security
Guidance
Guidance
Systems of record
By using the department-provided systems of record, schools can ensure that:
- information kept by schools is accurate, accessible, up to date and fit for purpose for decision-making
- the privacy, security and integrity of information is suitably protected and maintained
- key information can be shared with authorised parties from a reliable, authoritative source
- duplication and replication of information is reduced.
Below is a list of key department-provided systems of record and a summary of their main purpose and functions.
| System of record | Purpose/function | Further information |
|---|---|---|
| Computerised Administrative System Environment for Schools | Provides a standardised system to manage core school administrative and finance functions. | CASES21 and School Systems |
| Victorian Assessment Software System | Records student enrolment and results data of VCE and VET providers under the management of the Victorian Curriculum and Assessment Authority (VCAA). | Using the Victorian Assessment Software System |
| Insight Assessment | Helps teachers assess the progress of all learners and supports more targeted teaching practices with a collection of online diagnostic, formative and summative assessments including the English Online Interview (EOI). | English Online |
| Student Activity Locator | Records activities and excursions that happen outside school hours or school grounds. | Excursions: Student Activity Locator |
| eduSafe | Facilitates reporting of workplace incidents, injuries and hazards. | Occupational Health, Safety and Wellbeing Management in Schools: eduSafe Plus |
| Health Activity Reporting Tool (HART) | Records and reports cases for nurses. | HART |
| Student Online Case System (SOCS) | Records, manages and reports cases for student support services and visiting teachers. | Student Support Services: Accessing Student Support Services |
| Program for Students with Disabilities Management System | Facilitates applications and enrolment changes, budget management and reports for the Program for Students with Disabilities (PSD). | Students with Disability: Program for Students with Disabilities Management System |
| Student Resource Package (SRP) interactive | Provides access to SRP budget and planner reports for principals and delegates. | Student Resource Package: Overview |
| Strategic Planning Online Tool | Guides schools through the strategic planning process, with examples and resources to support them to complete their School Strategic Plan. | School Strategic Plan: Guidance |
| Schools Targeted Funding Governance (STFG) Portal | Facilitates the STFG process for program-related payments made directly to Victorian government school. | School Targeted Funding Governance (STFG) Document Library |
| Camps, Sports and Excursions Fund (CSEF) system | Facilitates the submission and management of CSEF applications. | Camps, Sports and Excursions Fund (CSEF): Submitting an application |
| Asset Information Management System | Provides access to asset information and facilitates planning, management and acquittal of school asset activities under the management of the Victorian School Building Authority (VSBA). | School Maintenance Plans and Rolling Facilities Evaluations: Resources |
| eduPay | Manages pay, leave and contact details for staff including the School Local Payroll (SLP) for locally paid staff. | eduPay and eduPay Help: Overview |
| Recruitment Online | Facilitates advertising, searching and applying for current job vacancies in schools. | Recruitment in Schools: Overview |
| School Conveyance Allowance System | Manages conveyance allowance applications, claim lodgement and payment reports. | Conveyance Allowance Program: Processing applications |
Department-provided software
The department provides a suite of software titles for schools, refer to Arc for a full list when filtered by ‘Department provided’. Each department-provided Arc Software listing includes specific information for parents and risk treatment actions for schools.
To be kept informed of upcoming training, including new features, schools can follow software providers on Arc . For Microsoft 365, schools can also join the department’s M365 Community to stay updated on the latest features.
Adopting software and administration systems not provided by the department
Using risk assessed software and administration systems in schools supports compliance with relevant legislation and security standards. This results in a safer environment for students, staff and the broader school community when engaging with products.
Safer Technologies 4 Schools is an independent national service administered by Education Services Australia that creates security, privacy and child safety reports for schools to:
- support informed school choice when selecting or reviewing a product or service
- provide details of key risks and treatments including security, privacy and child safety
- provide a common set of functionality tags, allowing schools to select and review alternative product choices which may be safer.
The department publishes the risk assessment reports as they become available on Arc . Each entry on Arc Software will typically include:
- a summary risk assessment report with an overall risk rating of one of the following
- non-compliant
- non-participating
- high
- medium
- low (including ratings 'use with caution' and 'use responsibly' for products that do not handle personally identifiable information)
- a full ST4S risk assessment report.
Full ST4S risk assessment reports are provided for many (but not all) products used in schools.
Summary risk assessment reports include a summary of risks across the areas of cyber security, privacy and child safety, and feature an overall risk rating.
As the ST4S assessment framework and processes continue to evolve, some risk areas, for example 'child safety', may not have been assessed at the time of the original assessment. The overall risk rating on the summary risk report is to be used when determining product suitability.
Risk assessment reports do not fully discharge a school’s obligations to assess products against business needs and specific implementation aspects which a PIA covers, but they help to reduce the effort required of schools to make such assessments.
By reviewing and actioning the risk assessment reports and supporting materials, schools will reduce the likelihood of a security, privacy or child safety incident (for example, a data breach, ransomware attack or inappropriate communications to students).
Product risk ratings
Non-compliant or high overall rated products, or non-participating products must not be purchased. Alternative lower risk products and services may be suitable for use and will be recommended if available. Schools are encouraged to search the library for similar products or services using the product tags (for example, educational games).
Medium risk overall rated products may be purchased or renewed. Schools must read the risks and ensure completion of any actions listed in the ST4S full assessment report prior to purchase or renewal. Schools are encouraged to use any provided template communications (refer to Notifications for online ) to parents, to ensure that families are aware of and understand the products being used by the school.
Low risk overall rated products, and those that have use with caution or use responsibly outcomes, can be used but schools must ensure completion of any actions from the ST4S full assessment report and PIA (if available) for that rating to be valid.
Resources
Resources
Arc Software Catalogue
Arc hosts a listof software titles provided by the department to schools and other software and administration systems that has been assessed in relation to ST4S.
Software inventory template
Software inventory template – a downloadable resource for schools to record details of currently used software, including license details, version information and ownership.
Systems of record
Refer to the Guidance tab ‘Systems of record’ for more details on each of the systems listed below:
- Computerised Administrative System Environment for Schools
- Victorian Assessment Software System
- Insight Assessment
- Student Activity Locator
- eduSafe
- Health Activity Reporting Tool (HART)
- Student Online Case System (SOCS)
- Program for Students with Disabilities Management System
- Student Resource Package (SRP) interactive
- Strategic Planning Online Tool
- Schools Targeted Funding Governance (STFG)
- Camps, Sports and Excursions Fund (CSEF)
- Asset Information Management System
- Recruitment Online
- School Conveyance Allowance System
Reviewed 24 January 2025