Information Security

2. Information access

Schools must implement access controls to information (for example, access to school systems, key management, swipe card access, visitor processes) and review these procedures at least annually.

To ensure that access is appropriately authorised and updated when needed, timeframes relating to the specific access controls activities are detailed in the following sections.

ICT access

Individuals must only have access to information that is necessary to perform their role or they otherwise have a right to access. Failure to assign the right level of access to the right role may result in an information security or privacy breach.

Schools can effectively manage access to information by:

• establishing role-based access for school information and information and communications technology (ICT) systems
• strictly controlling all system administrator accounts and restricting access to ICT systems and equipment to authorised staff and specialist technicians.

ICT access – review and update

Schools should review and update access to their physical and ICT systems, as part of their offboarding processes, including:

• updating, suspending or removing physical and digital access to school information, for example, key and swipe card access, ICT systems and applications
• requesting return of keys and swipe cards if not needed to perform new role, or the individual is no longer engaged by the school.

The end of all term checklist (staff login required) outlines that schools should review and update access to their physical and ICT systems, ideally at the end of each term, including validating the need for system administrator access.

Schools are strongly encouraged to document access changes to physical and ICT systems, as a result of personnel departures and change of role, in an access rights change register (DOCX) or a similar document.

Storage

• Store electronic information in secure department-managed and authorised ICT systems in line with the Technologies and ICT Services and Software and Administration Systems policies.
• Identify secure storage locations with appropriate access controls for school information (both digital and physical), for example, lockable filing cabinets and access-controlled storage areas.
• Store hardcopy information in secure locations, for example, lockable filing cabinet or storage area with restricted access.
• Use key and swipe card systems and issue visitor passes.

Information sharing

• Use school or department-approved tools and software for sharing school information by following the Technologies and ICT Services policy.
• Follow department policies when sharing information externally, for example, Requests for Information about Students.

eduPass

The department has implemented eduPass to manage access to department information and communications technology (ICT) systems used by schools such as CASES21, eduPay, Career ePortfolio, Adobe Creative Cloud, Webex, and department-managed Microsoft 365 and Google Workspace for Education.

Schools are strongly encouraged to use eduPass to manage access to ICT systems and seek department support for implementing multi-factor authentication.
Where a school has elected not to use eduPass for controlling access to school ICT systems, the solution the school uses must conform to the following requirements:

• access must be fully compliant with this policy
• delegations of authority for managing access controls must be equivalent to those implemented with eduPass, as documented in the section ‘eduPass – Delegations of authority’ outlined below
• the access control solution is kept both current and patched in a timely manner, to minimise known vulnerabilities
• where the access control solution has fallen out of vendor support, it must be upgraded or replaced.

Future implementations of centrally provided applications will use eduPass for identity and access management.

For advice and support for migrating an existing solution to eduPass, log a request through the department’s Services Portal (staff login required).

eduPass – delegations of authority

Principals are responsible for using eduPass to manage staff and student accounts. They may delegate the management of staff and student accounts to another member of staff.

Principals or their delegate use eduPass to manage staff accounts, including to:

• reset passwords
• unlock accounts
• add and remove staff from the school email distribution list.

Principals or their delegate use eduPass to manage student accounts, including to:

• create student accounts
• reset student passwords
• enable and disable accounts
• unlock student accounts
• manage student usernames.

Staff use eduPass to:

• manage their password
• set-up and manage remote access.

School staff are expected to take reasonable steps to securely manage the use of staff and student passwords in accordance with the Acceptable Use Policy for ICT Resources.

Changing a student’s eduPass identity

The change of a student’s eduPass identity can be requested by a parent, carer or mature minor student, or requested by teachers where there is a concern for the student’s safety or wellbeing.

Principals or their delegates may change a student’s eduPass identity to protect a student’s safety or wellbeing.

Acceptable reasons for changing a student eduPass identity include:

• misspelling of the student’s name
• change of the student’s legal name
• change of the student’s family circumstances
• change of the student’s gender identity
• online harassment, cyberbullying or grooming
• compromise of the student’s eduPass identity by a third party
• any other concern for the student’s safety or wellbeing (for example, family violence)
• any other reason as approved by the school principal.

Principals or their delegates may reject a request to change a student eduPass identity if they have not been provided with an acceptable reason to do so.

A principal or their delegate must:

• treat the student’s safety and welfare as the prime objective when assessing the need to change a student eduPass identity
• consider factors such as the impact on the student’s learning, safety and wellbeing, and their individual family situation
• use discretion when advising parents or carers of any change of a student eduPass identity, depending on the circumstances of the student, where advising the parent or carer of the change may adversely impact on the safety or wellbeing of the student.

Where parents or carers seek to make changes to a student’s eduPass identity due to changes in family circumstances, or disputes arise between separated parents or carers about the student’s identity, principals must act in the best interests of the student in deciding how a student should be identified. Principals should also be aware that whenever faced with disputes between parents or carers, principals must try to avoid becoming involved, avoid attempting to determine the dispute and act neutrally and not adopt sides. Further information can be found in the Decision Making Responsibilities for Students policy.

If the request to change a student’s eduPass identity is accompanied by a request to change the student’s enrolment name, staff should also refer to the following:

• CASES21 User Guide – Chapter 02 Enrolment – Manual Entry (PDF) (refer to page 75 ‘Modify a student’s name’)
• Enrolment policy guidance – Processing enrolment forms and supporting documentation (refer to heading ‘Changing enrolment name’).

The name used for a student eduPass identity must not be:

• obscene or offensive
• impractical (for example, a name that is not supported by the department’s systems due to length or other factors, or contains symbols, special characters or accented letters).

Any request to change a student's eduPass identity must be accompanied by appropriate evidence, as determined by the principal or their delegate. This evidence is used to assess the need to change a student eduPass identity.

Example scenario

The following scenario is an example of when a student’s eduPass identity might need to be changed.

The widowed mother of Student A has remarried and has asked the principal to change Student A’s eduPass identity to reflect the change in the family’s surname. Student A has assured the principal that they are supportive of the change. After consideration of the facts, including a legally changed birth certificate, the principal has agreed that Student A’s eduPass identity should be changed.

On consulting with Student A’s teachers and considering that a substantial proportion of the school year has already passed, the principal has determined that changing the eduPass identity may disrupt Student A’s learning this year due to potential loss of progress data in a critical learning system.

The principal advises the mother of this concern and suggests that the change could be deferred until the end of the school year, after all assessment tasks have been completed. Subsequently, the mother agrees that the change in Student A’s eduPass identity can be deferred until the end of the school year.

As agreed, the principal changes Student A’s eduPass identity at the end of the school year.

Impact of the change on school systems

A student’s eduPass identity provides access to a wide range of online applications and resources. Changing a student’s eduPass identity may:

• require the re-registration of the student in CASES21 and other administrative systems at the school such as student management, timetabling
• not be supported in some third-party applications that rely on a username or email address. Consequently, some previous data may not be accessible by the new identity. In these circumstances it is recommended that the school extracts data if possible and a new account created to match the new student identity, reloading the extracted data as required
• result in the loss of individual achievement or progression data (for example, progress through a learning sequence in a third-party online application)
• result in the loss of current or historical files stored online (for example, files stored on Microsoft OneDrive or Google Drive)
• require the school and/or the student to create new user profiles for learning applications used by the school (for example, Google Suite, Microsoft 365, Adobe).

It is the responsibility of the school to manage data and access to third-party applications not provided by the department. Where data must be extracted or backed up, it is recommended that the school system administrators work with the student to extract any data required prior to a change in a student’s eduPass identity.

Multi-Factor Authentication for student management systems

In certain applications and circumstances, Multi-Factor Authentication (MFA) is an important strategy for protecting personal information and student safety. MFA provides added security beyond username and password, by requiring staff to also login each day with an access code sent via the Microsoft Authenticator app or text message.

Schools are strongly recommended to activate MFA for student management systems (for example, Compass, Xuno and Sentral). Once activated, staff will be required to use MFA once a day when logging into their school’s student management system, whether using a personal or school provided device. This only applies to staff (not students or families), and only when they use student management systems.

How to activate MFA for the student management system

School technology leaders seeking to activate MFA for the student management system in their school should discuss an activation plan with the Securing Connected Learners Program (staff login required) who will then work with the school.

How to set up MFA

In preparation for MFA being activated in their school, staff must follow these steps to setup MFA on their device:

1. On mobile phone: download and install the Microsoft Authenticator app
2. On laptop visit https://mysignins.microsoft.com/security-info
3. Select ‘+Add Method’
4. Select method, for example: phone (text), Authenticator App
5. Click next and follow the prompts to completion.

MFA exemptions

Currently, MFA options for school staff are limited to personal mobile phones. This MFA approach also only applies to student management systems configured for staff to log in using their eduPass credentials (single sign-on). Individuals exempt from MFA include students, short-term casual relief teachers, pre-service teachers, parents, guardians, and staff without access to a mobile phone. Over time, MFA solutions will be developed to accommodate all staff users of all student management systems.

As of December 2024, work is underway to provide MFA options that do not rely on personal mobile phones. Staff members who are unable or unwilling to use a personal mobile phone for MFA can request a temporary exemption by completing the online MFA exemption form or calling the Service Desk (1800 641 943).

Where to get help with MFA

Initially, speak to your school specialist technician or other technology staff. Additional support is available through the Services Portal online MFA support form or by calling the Service Desk on 1800 641 943.