New Privacy Legislation and the Impacts on Schoolbox

By James Leckie in General

Dear Schoolbox community,

Due to recent changes to the privacy legislation laws, we thought it would be timely to give you an update on our policy regarding security and privacy of information, as it pertains to Schoolbox.

The new mandatory reporting law requires any unauthorised access of private information that may result in harm, to be reported to the parties impacted. As Schoolbox provides access to some private information, we are subject to this law.

Our existing incident reporting policy, which requires that all critical incidents are reported, covers the legal requirements of the new mandatory reporting laws. Our incident report includes information such as when the incident occurred, who was impacted and what information was compromised. We will continue to utilise this policy and ensure it includes references to unauthorised access of information as a potential incident.

Please be aware that we will not report directly to parents or students; any incidents will be reported to your key contacts, allowing you to first determine their harm and impact, before communicating any incident disclosures directly to parents.

For Alaress to assist you in understanding and managing your risk, as related to the privacy legislation, here is an up-to-date picture of private information that may be available in Schoolbox and who can access the information. Please note that the availability of this information depends on your SIS and your specific configuration. So we recommend you undertake your own review within your system to accurately understand the risk.

Personal Data

Risk Factor

Who is authorised

Page

Notes

Student D.O.B

Low

All Staff, A Student’s Parents

Profile

 

Student Individual Needs Flag

Medium

All Staff

Profile, Classlist

 

Student Medical Alerts

High

All Staff

Profile, Classlist

 

Parent Names

Low

All Users

Profile, Parent Directory, Homepages

 

Parent Relationships and Status

Medium

All Staff

Profile

Includes marital status and contact alerts

Parent Phone Numbers

Medium

All Staff, Other Parents

Profile, Parent Directory

Parent Directory

can be restricted with ‘include in directory’ flags, ‘silent phone’ flags in SIS, prevent parents in other year levels from accessing

Parent Emails

Low

All Staff

Profile, Parent Directory, Homepages, Group Admin, Classlist

Email All functionality on group members component may expose this to other users

Parent Addresses

High

All Staff, Other Parents

Parent Directory

Removed from Student Profile in v18.0.0

Parent Directory

can be restricted with ‘include in directory’ flags, ‘silent phone’ flags in SIS, prevent parents in other year levels from accessing

Staff Names

Low

All Users

Everywhere

 

Staff Emails

Medium

All Users

Everywhere

 

Staff Phone Numbers

Medium

Staff

Profile, Staff Directory

 

 

In order to comply with new privacy regulations, we have audited our system for sensitive information that is not required for Schoolbox to function.

As a result of this audit, we decided not to display address information for parents in v18 on the student profile page. This information is not required for Schoolbox to function, so removing it increases privacy without decreasing the effectiveness of our system. If you believe other information should be removed from the system, or if you want to know more about this issue, we are happy to hear from you.

In addition to information that we provide access to, we also utilise several 3rd party services. In the process of using these services, we do provide some information so they can perform their function.

 

3rd Party

Service Provided

Data Provided

Plagscan

Plagiarism scanning of student work

Student Work, Student Name

Kami

Annotations on student work

Student Work, Teacher Name, Student Name

Digistorm

Mobile App

Name, Role

Google Drive

Upload documents from Drive

 

Office 365

Upload documents from Onedrive

 

LTI

API for 3rd party learning tools

Name, Email, Role Type

Remote Services API

SSO for 3rd party services

External ID, Username

iFramely

Embedding 3rd party content

URLs

Google Analytics

Monitoring of usage

Role Type, School

Sentry

Error reporting

 

 

The best protection from any incidents of course is a good defence. So, let’s quickly review the security practices and changes that we will be implementing this year.

  1. In February, 2018, we introduced a CSRF protection system that will prevent 3rd parties forging requests to Schoolbox. This extra level of security will prevent malicious sites from potentially utilising a user’s session to execute actions in Schoolbox.

  2. By July, 2018, we expect all customers to be running HTTPS everywhere. This will ensure all communication between the user and Schoolbox is encrypted. All new Schoolbox customers are already running HTTPS everywhere, and in the next few months we will migrate all customers that currently use HTTP to HTTPS everywhere.

  3. We will be migrating from Ubuntu 14.04 to 18.04 later this year, across all servers, to ensure we maintain access to security patches going into 2019.

These improvements to our policies will complement our existing practices, which have ensured that we haven't had an incident in many years:

  • All output is escaped and cleaned to prevent XSS attacks.

  • All SQL is escaped or using prepared statements to avoid SQL Injection attacks.

  • All code is reviewed by senior developers to ensure security practices are maintained.

  • We frequently run pen-tests and invite schools to run pen-tests against our software.

  • We invite and recognise students that submit exploits against our system.

  • All servers are regularly patched and updated against all security issues.

Kind regards,
The Schoolbox team

×