Software and technology can be a great enabler for learning outcomes and supporting kura and school operations. However, with so much of our information now stored online, our personal information is often at risk. Play it safe by selecting secure software for your school with ST4S.

Schools are responsible for ensuring that children’s data is protected. To add to the complexity is an education sector that is becoming increasingly targeted for malicious online activity. So where should kura and schools go to find impartial advice on whether software and technology products are secure? Safer Technologies for Schools (ST4S) looks to provide an answer, by removing some of the guesswork for schools when selecting software and technology.

What is ST4S?
ST4S provides an overview of digital products for use in kura and schools and offers guidance on whether these products meet privacy and security standards. By providing clear, consistent reports ST4S helps kura and schools to select secure software and tech products.

Confidential reports which detail how software or technology performs against privacy and security criteria, are available to schools through an online portal. The reports identify any risks associated with the product and advise as to how these risks might be mitigated.

To date, there are 120 ST4S reports on software and technology products available through the portal; 28 of these reports include security and privacy protections for a New Zealand schooling context. ST4S has a wide range of software product categories, which includes: curriculum resources, assessment and testing, library management, school administration and educational games.

Products that have a ‘low’ or ‘medium’ risk rating can apply for an ST4S badge. Suppliers can use these badges on their website and to generally promote their product. These suppliers commit to regularly confirming that they are compliant with security and privacy standards.  

ST4S in action

For Philip May, Board of Trustees Chair for Clifton Terrace Model School, security and privacy was a priority when selecting new software for their school.

“With so many important services now accessible from the internet it opens our school and our children’s data to theft by potentially millions of people who are looking to steal this data to make a buck, or even just disrupt service. As parents, teachers and board members the security of our children’s data has to be paramount,” he said.

Philip has recently used ST4S to purchase school management software.

“We needed some assurance that the security of our preferred system met minimum standards and was subject to auditing. It’s easy for software vendors to say their products are ‘secure’ but without external validation and assessment we have no way of separating marketing speak from reality.”

When selecting this software for their school, it was important for them to know that the product is subject to security reviews, there were no glaring security flaws and two-factor authentication could be enforced for teachers and admin staff accessing children’s data.

Using ST4S also enabled Philip to have informed conversations with the software supplier. When reviewing ST4S reports Philip could see that their preferred vendor had not met the New Zealand ST4S standard which requires the use of two-factor authentication (2FA) in cloud systems. Philip advised their preferred vendor they couldn’t use their service until they met this standard. “Our vendor worked on this and 2FA became available a couple of months later, at which time we signed a contract with them,” he said.

Real benefits of ST4S

The assurance ST4S provided when making a software purchasing decision was of real benefit to Clifton Terrace Model School.

“We don’t have the time or resources to properly evaluate software systems that our school uses or procures. Having a service like ST4S is absolutely invaluable for schools. You can get a high-level assessment result that gives you confidence to procure – or leverage to ask your vendor to improve. You can also be given access to more detailed assessments if you are technically inclined and wish to engage in more in-depth conversations with the Ministry or your software provider. I personally found the process very smooth,” added Philip.

Kura and schools are encouraged to continue checking the ST4S portal and website as new reports and badged products will continue to be added. In time, the Ministry of Education hope to see more kura and schools prioritising the use of ST4S approved products, which will offer greater protections to rangatahi and staff.

Using software without an ST4S badge?

Kura and schools using software that does not have an ST4S badge, are well-positioned to help grow the ST4S service. The Ministry of Education’s Digital Services team are working with EdTech suppliers to participate in the ST4S assessment process, but need help to identify and prioritise products. To recommend products for ST4S assessment, you can contact the team at digital.services@education.govt.nz

Article supplied by the Ministry of Education’s Digital Services Team.

Access ST4S reports

ST4S assessment reports are available for authorised staff in state and state-integrated schools and kura via the Taku portal at takueducationnz.my.site.com

An Education Sector Logon (ESL) account is required. If you need an ESL account, you can contact the Ministry of Education Service Desk on 0800 422 599 or service.desk@education.govt.nz to arrange access. Alternative arrangements are available for independent schools.

Access badged products
A list of ST4S badged products is available at st4s.edu.au/verify-a-badge/. Keep regularly checking the ST4S portal and website, as more reports and badged products will be added over time.

Tips for selecting software for your kura or school

1. Supplier security and privacy statements

ACTION: Check whether the supplier has both on their website.

The details provided in these statements should indicate their level of commitment to their customers’ security and privacy. Including what standards they claim to meet, and how this is verified (such as  via independent testing and/or certification).

If no statement is provided – their commitment to privacy and security could be questionable.

ST4S support: ST4S provides guidance with security and privacy assessments. Please note: You may find other privacy and security assessments online but they may not address the needs of New Zealand customers.

2. Collection of personal information

ACTION: Check what is the purpose of collecting personal information in the product.

Is it for educational advertising, research, analytics or selling to third parties. If you determine that it’s unnecessary for them to collect this information – you may want to reconsider purchasing this software.

ST4S Support: ST4S reports provide standardised descriptions of what categories of personal information is collected and highlights sensitive information.

3. Managing risks of software

ACTION: Consider what risks you will need to manage when using the software in your school or kura, and how you might mitigate these.

ST4S Support: ST4S reports provides standardised descriptions of these risks and recommended mitigations

For more advice, check out CERT NZ Software as a Service information, cert.govt.nz/business/guides/software-as-a-service/, which outlines what to look for when purchasing these products.

INTERFACE November 2023