ICT Software in Schools – Risk Assessment

Policy

This policy outlines requirements for schools to use the Safer Technologies 4 Schools (ST4S) risk assessment reports prior to the purchase of or subscription to new ICT software, when renewing existing software contracts, and for existing software products in use at a school.

Summary

• Before purchasing or using a new ICT software product or service, or renewing the licence for an ICT software product or service already in use at the school, schools must:
  • check if the product is listed in the software section within ARC with an accompanying risk assessment report
  • review the summary ST4S risk assessment report for that product or service
  • implement applicable actions in the full ST4S assessment report for that product or service.
• Schools must not use new software products or renew software product licenses with an overall rating of non-compliant, non-participating or high.
• Schools may use new or renewed software products and services with an overall medium rating or lower. ST4S actions must be implemented prior to use when purchasing or renewing software products and services.
• If a school wishes to use a new or renewed product that has not been assessed by ST4S, schools must raise an assessment request with the department’s IT Security Team and are advised to complete a Privacy Impact Assessment (PIA). As the security assessment can take some time to complete, schools can use software products which have not been assessed but must note that a future assessment outcome may impact ongoing usage of the product – this may include moving to a lower risk alternative. Schools that have registered a product assessment request will be notified of the result.
• By the end of 2028, schools must inventory their currently used software products and review any available ST4S assessment reports, taking the applicable actions required based on the risk rating. Schools are encouraged to review the actions listed as soon as practicable, and must complete the actions 12 months after review, or by end of 2028, whichever comes first.
• Department-provided technologies, including those listed in ARC as ‘Department Provided’ or ‘Available on Request’, are excluded from this policy. For more information about department-provided technologies, refer to ARC software.

Details

Using risk assessed ICT software products in schools to assist with teaching, learning and administration improves data security and privacy and supports compliance with relevant legislation and security standards. This results in a safer environment for students, staff and the broader school community when engaging with ICT products. The assessment reports made available are sourced from an independent Australian national service which has developed a standardised, rigorous assessment process.

Scope

This policy applies to:

• any school products or services (including websites) that interact with or process school personally identifiable, sensitive, health or important operational data (for example, a student management system accessed through a personal mobile BYOD (bring your own device) which uses these types of data)
• principal class, school staff and students.

This policy does not apply to:

• software that is provided by the department
• other applications that do not interact with or process school personally identifiable, sensitive, health or important operational data (for example, a word guessing game on the same personal mobile device which doesn’t access school data)
• software products which are used by students for personal use, homework or learning which aren’t likely to access or process these types of data.

Questions regarding product scope can be directed to the ISS Team via the service desk: servicedesk@education.vic.gov.au

ST4S reports

Schools use a range of software products and services to support classroom learning activities, school operations and communications with parents and carers. External software products and services may pose various risks to schools across the areas of security, privacy and child safety. Schools have obligations under child safety laws and Victorian privacy law around how they collect, use and disclose personal information, and these obligations extend to when they engage third party software products to perform services or functions on their behalf.

Safer Technologies 4 Schools (ST4S) is an independent national service administered by Education Services Australia that creates security, privacy and child safety reports for schools to:

• support informed school choice when selecting or reviewing a product or service
• provide details of key risks and treatments including security, privacy and child safety
• provide a common set of functionality tags, allowing schools to select and review alternative product choices which may be safer.

The department will publish the risk assessment reports as they become available on ARC software. Each entry on ARC software will typically include:

• a summary risk assessment report with an overall risk rating of one of the following:
  • non-compliant
  • non-participating
  • high
  • medium
  • low (including 'use with caution' and 'use responsibly')
• a full ST4S risk assessment report
• a prepopulated Privacy Impact Assessment (PIA) if available.

Assessment reports marked as 'use with caution' or 'use responsibly' are outcomes from the national assessment service for software products which do not handle personally identifiable information. The department deems these products to be 'low' risk.

Full ST4S risk assessment reports are provided for many products used in schools, however not all products in existence have had a full ST4S risk assessment completed. Summary risk assessment reports include a breakdown of risks across the areas of cyber security, privacy and child safety, and feature an overall risk rating. The breakdowns of risk are provided for informational purposes only and schools are to use the overall risk rating when determining product suitability. In addition, as the assessment framework and process continues to evolve, some risk areas, for example 'child safety', may not have been assessed at the time of the original assessment. These ratings will be specified as 'not yet assessed'. The overall risk rating on the summary risk report is to be used when determining product suitability.

Risk assessment reports do not fully discharge a school’s obligations to assess software against business needs and specific implementation aspects which a PIA covers, but they help to reduce the effort required of schools to make such assessments.

Importantly for medium or low risk rated software, or software with use with caution or use responsibly outcomes, schools must review and undertake applicable actions in both the full ST4S risk assessment report (where available) and should also complete the actions in the pre-populated Privacy Impact Assessment (if available) in order for that rating to apply. See below for timeline requirements for these actions.

By reviewing and actioning the risk assessment reports and supporting materials, schools will reduce the likelihood of a security, privacy or child safety incident (for example, a data breach, ransomware attack or inappropriate communications to students). Over time, the department will progressively add assessment reports and supporting materials including appropriate draft communications to provide to families.

Using ST4S assessments

Schools must check the ST4S assessment library (accessed via ARC software) and review the available information for any software product which:

• is about to be purchased (a new purchase)
• is about to be used without payment (for example, free software products or products with a free trial period)
• is about to be renewed (products already in use in the school, 'renewed products').

Product ratings and required actions

Non-compliant or high overall rated software products, or non-participating products must not be purchased or renewed. Alternative lower risk products and services may be suitable for use and will be recommended if available. Schools are encouraged to search the library for similar products or services using the product tags (for example, educational games).

Medium risk overall rated software products may be purchased or renewed. Schools must read the risks and ensure completion of any actions listed in the ST4S full assessment report and it is recommended to also complete the actions in the PIA (if available) prior to purchase or renewal. They are also encouraged to use any templated communications to parents that are provided, to ensure that families are aware of and understand the software being used by the school. This reduces the likelihood of complaints from parents who feel inadequately informed.

Low risk overall rated software products, and those with use with caution or use responsibly outcomes, can be used but schools must ensure completion of any actions from the ST4S full assessment report and PIA (if available) for that rating to be valid.

Products already in use in the school and not due for renewal

By the end of 2028, schools must inventory their currently used software products and review any available ST4S assessment reports, taking the applicable actions required based on the risk rating. Schools are encouraged to review the actions listed as soon as practicable, and must complete the actions 12 months after review, or by end of 2028, whichever comes first.

Schools must not continue to use software products or services already in use in the school with an ST4S rating of non-compliant or high risk, or an outcome of non-participating. Schools must migrate to a lower risk alternative within 12 months of identification of a non-compliant, high risk or non-participating product.

Timeframe for required actions

The timeframe for taking required actions for medium risk, low risk, use with caution or use responsibly outcomes are as follows:

• for new products, actions are to be implemented before use
• for products already in use at the school, actions are to be reviewed and actioned 12 months from product review against the ST4S assessment or by the end of 2028, whichever comes first.

This timeline is aligned to the Technologies and ICT Services in Schools policy.

No assessment report available

Where a full ST4S assessment report is not available for a specific software product schools must contact the department’s IT Security Team via the Service Desk who will arrange for either an ST4S or other assessment to be conducted. Schools are also advised to complete a PIA. It is highly recommended that schools search for alternative products that have been assessed which offer similar functionality as these represent a lower risk than unassessed products. As suitable assessed alternative products may not always be available, schools may use software products which have not been fully assessed but may need to move to lower risk alternatives based on the future assessment outcome. Schools that have registered software product assessment requests will be notified of the results.

Related policies

• Child Safe Standards
• Cybersafety and Responsible Use of Digital Technologies
• Digital Learning in Schools
• Procurement – Schools
• Schools’ privacy policy
• Technologies and ICT Services in Schools

Relevant legislation

• Child Wellbeing and Safety Act 2005 (Vic)
• Health Records Act 2001 (Vic)
• Ministerial Order 1359 – Implementing the Child Safe Standards – Managing the risk of child abuse in schools (PDF)
• Privacy and Data Protection Act 2014 (Vic)
• Victorian Protective Data Security Framework