Dear Schoolbox community,
Due to recent changes to privacy legislation, we thought it would be timely to give you an update on our policy regarding the security and privacy of information as it pertains to Schoolbox.
The new mandatory reporting law requires that any unauthorised access to private information that may result in harm be reported to the parties impacted. As Schoolbox provides access to some private information, we are subject to this law.
Our existing incident reporting policy, which requires that all critical incidents are reported, covers the legal requirements of the new mandatory reporting laws. Our incident report includes information such as when the incident occurred, who was impacted and what information was compromised. We will continue to utilise this policy and ensure it includes references to unauthorised access of information as a potential incident.
Please be aware that we will not report directly to parents or students; any incidents will be reported to your key contacts, allowing you to first determine their harm and impact, before communicating any incident disclosures directly to parents.
So that Alaress can assist you in understanding and managing your risk as it relates to the privacy legislation, here is an up-to-date picture of the private information that may be available in Schoolbox and who can access it. Please note that the availability of this information depends on your SIS and your specific configuration, so we recommend you undertake your own review within your system to accurately understand the risk.

| Personal Data | Risk Factor | Who is authorised | Page | Notes |
| --- | --- | --- | --- | --- |
| Student D.O.B | Low | All Staff, A Student’s Parents | Profile | |
| Student Individual Needs Flag | Medium | All Staff | Profile, Classlist | |
| Student Medical Alerts | High | All Staff | Profile, Classlist | |
| Parent Names | Low | All Users | Profile, Parent Directory, Homepages | |
| Parent Relationships and Status | Medium | All Staff | Profile | Includes marital status and contact alerts |
| Parent Phone Numbers | Medium | All Staff, Other Parents | Profile, Parent Directory | Parent Directory can be restricted with ‘include in directory’ flags, ‘silent phone’ flags in SIS, prevent parents in other year levels from accessing |
| Parent Emails | Low | All Staff | Profile, Parent Directory, Homepages, Group Admin, Classlist | Email All functionality on group members component may expose this to other users |
| Parent Addresses | High | All Staff, Other Parents | Parent Directory | Removed from Student Profile in v18.0.0; can be restricted with ‘include in directory’ flags, ‘silent phone’ flags in SIS, prevent parents in other year levels from accessing |
| Staff Names | Low | All Users | Everywhere | |
| Staff Emails | Medium | All Users | Everywhere | |
| Staff Phone Numbers | Medium | Staff | Profile, Staff Directory | |

In order to comply with new privacy regulations, we have audited our system for sensitive information that is not required for Schoolbox to function.
As a result of this audit, we decided not to display address information for parents in v18 on the student profile page. This information is not required for Schoolbox to function, so removing it increases privacy without decreasing the effectiveness of our system. If you believe other information should be removed from the system, or if you want to know more about this issue, we are happy to hear from you.
In addition to information that we provide access to, we also utilise several 3rd party services. In the process of using these services, we do provide some information so they can perform their function.

| 3rd Party | Service Provided | Data Provided |
| --- | --- | --- |
| | Plagiarism scanning of student work | Student Work, Student Name |
| | Annotations on student work | Student Work, Teacher Name, Student Name |
| | Mobile App | Name, Role |
| | Upload documents from Drive | |
| | Upload documents from Onedrive | |
| LTI | API for 3rd party learning tools | Name, Email, Role Type |
| Remote Services API | SSO for 3rd party services | External ID, Username |
| | Embedding 3rd party content | URLs |
| | Monitoring of usage | Role Type, School |
| | Error reporting | |

The best protection from any incident is, of course, a good defence. So, let’s quickly review the security practices and changes that we will be implementing this year.
- In February 2018, we introduced a CSRF protection system that will prevent 3rd parties forging requests to Schoolbox. This extra level of security will prevent malicious sites from potentially utilising a user’s session to execute actions in Schoolbox.
- By July 2018, we expect all customers to be running HTTPS everywhere. This will ensure all communication between the user and Schoolbox is encrypted. All new Schoolbox customers are already running HTTPS everywhere, and in the next few months we will migrate all customers that currently use HTTP to HTTPS everywhere.
- We will be migrating from Ubuntu 14.04 to 18.04 later this year, across all servers, to ensure we maintain access to security patches going into 2019.
These improvements to our policies will complement our existing practices, which have ensured that we haven't had an incident in many years:
- All output is escaped and cleaned to prevent XSS attacks.
- All SQL is escaped or uses prepared statements to avoid SQL injection attacks.
- All code is reviewed by senior developers to ensure security practices are maintained.
- We frequently run pen-tests and invite schools to run pen-tests against our software.
- We invite and recognise students that submit exploits against our system.
- All servers are regularly patched and updated against all security issues.
Kind regards,
The Schoolbox team