Just two weeks ago School Governance published three articles for Privacy Awareness Week (PAW) on the topic of trust, transparency and data security. Our most read article was New Mandatory Notification of Data Breaches – What does the scheme mean for schools?
Australian Privacy Principle (APP) 11 (security of information) is the most relevant consideration for schools when assessing how they manage and protect personal information. Under APP 11, schools are required to take reasonable measures to protect information from misuse, interference and loss, as well as unauthorised access, modification or disclosure. Additionally, with the upcoming Notifiable Data Breach (NDB) scheme coming into effect in February 2018, schools must also ensure their privacy policies and procedures are compliant with the new NDB requirements.
Victorian schools in the news
Two Victorian government schools have recently been reminded of the importance of protecting personal information. The Victorian Police are investigating privacy breaches in both schools which have attracted media attention. According to The Age, the common factor in both incidents was someone illegally accessing the schools’ online management system, Compass. In other words, they were hacked. Compass is a school administration management system used by schools to manage and streamline operations. The system allows schools to manage permission forms for events, organise payment of fees and access student progress and semester reports. All of these functions involve sharing personal information.
These breaches have presumably left parents feeling vulnerable and raised questions about how the Victorian Department of Education (DET) and the affected government schools are going to respond.
The Blackburn case
A government school in Blackburn, a suburb in Melbourne’s east, suffered a privacy breach when information was illegally obtained from the school’s online management system, Compass. Hoax emails were sent to parents by someone, requesting them to give their bank account details. The breach resulted in personal information of families, such as phone numbers, addresses and medical information being published online. It is also believed that some parents may have given their credit card details to scammers in response to the hoax email.
Even though state government entities, such as government schools, are not subject to the requirements of the Privacy Act 1988 (Cth) (the Act), this scenario is still easily relatable to non-government schools which are subject to the provisions of the Act. Government schools are subject to state/territory privacy legislation. In Victoria, the Privacy and Data Protection Act 2014 (Vic) applies.
The Camberwell case
The second privacy breach was at another Victorian government school in the neighbouring suburb of Camberwell. The DET was able to confirm that a student of the school gained unauthorised access to personal information of families through Compass. Luckily, in this instance, the information was only accessed and not published.
Student hackers do not have a definitive physical or psychological profile and come from many socio-economic, cultural or ethnic backgrounds. They normally commit these acts to gain attention or notoriety among friends. However, the Camberwell hacking incident does come with some possible serious consequences for the student. Under the section 477.1 of the Criminal Code Act 1995 (Cth), a person who gains unauthorised access to data on someone else's computer system could face the possibility of two years imprisonment. For more information, refer to our article: Privacy Update: student hackers.
Lessons to be learned: Hacking
School Governance has previously written about student hackers, refer to Schools in the digital era: 5 things schools need to know about cyber security. Although the Blackburn Case was not the work of a student, the information in the article is still relevant to that situation.
The hacking of a school system can involve several issues of which schools must be aware. Hacking is not only about unauthorised access to the computer network, but also the inconvenience caused by the act which could mean a school might be locked out of their system or even worse, as the above cases demonstrate, personal information is accessed or published on the internet.
Schools hold very important personal information about their students, their staff, volunteers (such as their Board members) and parents or carers which needs to be protected. Staff will need to be educated on the importance of cyber security to assist with reducing the risk of a hack. If school staff are aware of how a hack can occur they can, hopefully, help take steps to prevent a cyber attack. Methods of protecting schools against hacking and some basic tips that can keep school networks safe include:
- Passwords: use of complex passwords, changing them often, and do not share them or write them down. Schools should consider using password managers like LastPass or 1Password;
- Ensure staff do not leave personal computers unattended: if a staff member leaves a personal computer unattended for an extended period of time, they should log out or password lock the screen. Staff should set computers to automatically lock the screen after a period of inactivity;
- When a teacher leaves a classroom for a break or to attend another lesson, wherever possible, the teacher should take the laptop, tablet or other device with them; and
- Staff must not share or give access to their laptop, tablet, computer or other device to students for any matter at any time.
Along with these basic tips, and as a matter of best practice, schools should plan ahead and protect against a hacker by practicing and preparing. This can be done by stress testing your school's system to respond to a simulated hack or cyber attack. From February 2018, non-government schools will be subject to the NDB scheme and the loss or misuse of personal information may have to be reported to the Office of the Australian Information Commissioner and affected individuals.
Refer to our paper for more information: Privacy Update: Mandatory Notification of Data Breaches.
