education.vic.gov.au

School operations

Information Security

6. Third-party arrangements

Schools must effectively manage their relationships with locally engaged third parties to protect school information and systems and take steps to ensure school information is secure when facilities or ICT equipment are maintained or repaired.

When considering using a contract supplied by a service provider, schools must seek advice from the department’s Legal Division to ensure the contract includes adequate provisions for recordkeeping, privacy and information security.

When adopting new software or administration systems that are not provided by the department, schools are required to use the Safer Technologies 4 Schools (ST4S) risk assessment reports as per the Software and Administration Systems policy. In addition, schools are required to maintain an inventory of all third-party arrangements where a provider has access to school information and systems, using the software inventory template (DOCX).

When developing local level policies and procedures for managing visitors, schools must follow the Visitors in Schools policy and ensure these include:

  • a process for granting, modifying, monitoring and revoking third-party access rights for school information and systems
  • a process for securely storing paper records in accordance with the Records Management policy
  • measures to protect data during maintenance and repair activities, including:
    • ensuring ICT devices are locked when not in use
    • limiting physical access to required areas only
    • removing school information from equipment before off-site repairs
  • a process for maintaining logs of all maintenance and repair activities, including:
    • the date and time of the activity
    • the nature of the work performed
    • the individuals involved.

For additional details on entering and managing third-party arrangements, refer to the Technologies and ICT Services and Records Management policies.

Decommissioning systems or completing contracts with third-party suppliers

Upon system decommissioning or completion of a contract with locally engaged suppliers, schools must confirm that clauses relating to the following items have been actioned:

  • ‘Time-expired’ records are destroyed by the supplier, in accordance with minimum record retention requirements, set out in the School records retention guide (XLSX) (staff login required)
  • records that have not yet reached their minimum retention period are transferred to the school, in long-term sustainable formats, along with their associated metadata
  • the supplier does not retain any copies of school records and data once records have been successfully migrated to their new location.

Example: A school contracts an external IT company for equipment maintenance

To protect school information and systems, it is recommended that schools ensure:

  • on-site technicians are appropriately supervised, with access limited to essential areas only and sensitive school information (for example, student records) out of view
  • confidential data on devices is removed or encrypted before off-site repairs.

Reviewed 28 January 2025