ADITS Managed IT ADITS Managed IT
Call Us 1300 361 984

Tag: education

Cyber Security in Education: Protecting Student Data in Australian’s Schools

Posted on by b2medeveloper

Cyber security for educational institutions is more crucial than ever with the ASD Cyber Threat Report 2022-2023 highlighting the education sector has being one of the prime targets for cyber crimes. Schools must therefore strengthen their security and compliance measures.

The Rising Threat Landscape in Education

In recent years, the education sector has become increasingly susceptible to cyber threats. Australia saw a 51% increase in cyber incidents reported by critical infrastructure organisations, including educational institutions. A Check Point Research study showed a weekly global average of 1,739 attacks per education or research organisation.

With 90% of data breaches due to phishing attacks worldwide, students, teachers, and staff are also often targeted through deceptive messages.

Cyber-attacks on the sector are not random. They are targeted and strategic, driven by the potential rewards and the relatively lower security defences compared to other sectors.

Reason #1: Valuable Data

Educational institutions hold a wealth of sensitive data, including personal information of students, staff, and parents, as well as financial records and intellectual property. This data can be highly valuable for cybercriminals seeking to sell it on the dark web or use it for identity theft.

Reason #2: Diverse User Base

Schools and universities have diverse populations of students, teachers, and staff with varying levels of IT expertise. Some are tech-savvy digital natives while others are still mastering computer basics. Everyone needs training and support to ensure each can confidently and securely collaborate better.

Reason #3: Limited IT Resources

Smaller schools often face resource constraints. Staff must juggle multiple responsibilities, including network maintenance, user support, and security. Tight budgets limit cyber security investment. Some could have aging hardware and limited bandwidth. Schools must therefore explore cost-effective cyber security solutions.

Reason #4: BYOD Risks

Bring your own device (BYOD) allows students and staff to use personal devices for learning, but also present security risks:

  • Personal devices may lack proper security measures.
  • Sensitive information can leak if devices are compromised.
  • Infected devices can spread malware within the school network.

Schools can manage BYOD risks by:

  1. Establishing clear policies and guidelines for acceptable device usage
  2. Implementing network segmentation, isolating BYOD devices from critical systems
  3. Adopting mobile device management (MDM) solutions to enforce security policies
  4. Enforcing regular audits to assess compliance and address vulnerabilities

Impact on the Sector

Successful attacks disrupt operations and put student data, including personal and academic records, at risk. This undermines privacy and trust, leading to potential identity theft, financial fraud, and emotional distress.

Technological Innovation in Education

The rapid shift to digital learning environments, especially during the COVID-19 pandemic, has increased the attack surface for cybercriminals. With more devices connected to school networks and the use of various online platforms, there are more opportunities for vulnerabilities making cyber security solutions an all-time priority.

Remote Learning Platforms

Online learning platforms have bridged geographical and time boundaries. Students in any location now have access to the same kind of education. There are live online sessions, shared cloud resources, and virtual interaction. Platforms like Microsoft Teams for Education are boosting collaboration and engagement.

Digital Learning Tools

The sector has also benefitted from the proliferation of digital tools. Interactive whiteboards are replacing traditional chalkboards, allowing dynamic lessons and easier understanding of complex concepts.

Adaptive learning software enable personalised learning pathways. They can analyse student performance and adjust content accordingly. Virtual reality (VR) and augmented reality (AR) are also transporting students beyond textbooks.

Increased Reliance on Technology

Technology has become integral to the educational journey. Laptops, tablets, and Wi-Fi are now lifelines for learning. Teachers are harnessing digital tools to create more engaging content and enhance teaching methodologies.

Educators have shifted from traditional lectures to student-centred learning – facilitating discussions, encouraging critical thinking, and guiding students. Students are empowered by technology to collaborate, create, and explore.

Australian Laws and Regulations

As schools chart a course toward safer digital horizons, they must also comply with relevant regulations.

The Privacy Act 1988

The Privacy Act covers private schools, except those that fall within the small business exemption or do not provide health services (e.g., physical education classes, nursing services). The Australian Privacy Principles (APPs) prescribe how schools must:

  • Have data privacy procedures, practices, and systems to ensure compliance
  • Handle personal data transparently, ensuring consent, accuracy, and security
  • Demonstrate accountability by promptly addressing queries and complaints

Apart from the Australian Capital Territory (ACT), government schools are not directly covered by the Privacy Act. They fall under state or territory privacy legislation or schemes. In Queensland, for example, the transfer of personal information between schools without consent is allowed before enrolment in a new school.

The Australian Education Act 2013

The Australian Education Act governs Commonwealth funding to both government and non-government schools. It specifies specific requirements to receive Australian Government funding for school education, covering student data protection, educational reforms, and financial accountability. Schools are required to manage student data prudently and proactively while fulfilling their educational mission.

Best Practices for Cyber Security in Schools

Safeguarding digital learning environments is highly important today. Educators are responsible for protecting their students, staff, and sensitive data from cyber threats. Below are some best practices:

Password Hygiene

Educate students, teachers, and administrators – everyone in your school community — to create strong, unique passwords.

  • Combine uppercase and lowercase letters, numbers, and special characters
  • Never reveal a password to anybody
  • Encourage regular password updates or implement a password expiration policy

Data Encryption

All sensitive information (e.g., student records, financial data, and research findings), must be encrypted. Encryption ensures that even if data falls into the wrong hands, it remains unreadable. Consult with your IT provider about the different industry-standard encryption methods such as Transport Layer Security (TLS), Full Disk Encryption (FDE) and File-Level Encryption.

Incident Response Plan

Swift action is crucial when a breach occurs. Handling security incidents starts with preparing a well-defined incident response plan, which should include:

  • Designated Incident Response Team: Identify key personnel responsible for handling incidents.
  • Communication Protocol: Establish clear lines of communication during an incident.
  • Containment and Recovery Steps: Consult with your IT support team to outline the steps to isolate the breach and restore normal operations in your school.
  • Legal and Reporting Obligations: Understand our legal responsibilities and reporting requirements.

These best practices can help schools in Brisbane, Townsville, and across Queensland become more cyber resilient. Remember, it’s not just about implementing the right technology but also about fostering a culture of vigilance and shared responsibility among staff and students.

Cyber Security Training for Education Sector Leaders

If you’re not sure where to start with fostering a cyber aware culture in your school or university, ADITS conducts tailored cyber security training sessions for boards and school executives. Kindly fill up the form below:

Understanding the Privacy Act Review: Its Impact on Nonprofits, Medical, and Education Sectors

Posted on by b2medeveloper

In February 2023, the Privacy Act Review Report was released after two years of extensive consultation and review of the Privacy Act 1988 (Cth). It included proposed reforms aimed at strengthening the protection of personal information and the control individuals have over their information.

But what does this actually mean for you?

Building on our previous discussion in the ‘Essential 8 vs. Privacy Act article’, we explore the nuances of the Privacy Act Review and its implications, particularly for the nonprofit, medical, and education sectors.

In This Article

 

What is the Privacy Act?

The Privacy Act review, initiated in Australia, was designed to update privacy laws in light of technological advancements. It focuses on data handling, individual rights, organisational accountability, and regulatory enforcement, ensuring that privacy laws stay relevant.

 

Report Definitions: “Agreed” vs “Agreed in Principle”

“Agreed” Proposals

When the government agrees to a proposal, it means that they have committed to developing legislative provisions for these measures. This agreement is more definitive, indicating a clear intention to enact the proposed changes.

“Agreed in Principle”

This indicates a provisional agreement subject to further engagement and analysis. It means that while the government supports the idea behind the proposal, it requires more detailed examination, impact analysis, and consultation with regulated entities. This is to ensure a balanced approach, considering both privacy benefits and the potential economic and regulatory impacts on entities.

 

Timeline and Next Steps

The review process involved evaluating the pros, cons, and costs of various proposals. This led to the modification of some proposals, the discontinuation of others, and the introduction of new ones. Some proposals haven’t been subject to stakeholder feedback yet and will need further discussions before they can be implemented. Considering the comprehensive steps of consultation, impact assessment, and legislative development, it’s anticipated that the actual implementation of these changes might not take place until late 2024 or later.

 

How the Privacy Act Review Affects Non-Profits

Here is a collection of principles that could impact non-profits and potential use cases:

Agreed In Full Agreed In Principle
Protection of De-identified Information (Proposal 21.4): A domestic violence support centre safeguards de-identified client data.

New Tiers of Civil Penalty Provisions (Proposal 25.1 & 25.2): A mental health service provider could face penalties for mishandling client data.

Consent for Geolocation Tracking Data (Proposal 4.10): An app by a homeless support organisation gets explicit consent for tracking location data.

Standard Contractual Clauses for Overseas Data Transfer (Proposal 23.3): Organisations ensure the protection of sensitive data when sharing with international partners.

 Sensitive Information: Support services dealing with genetic disorders must ensure robust consent processes and secure data handling.

Fair and Reasonable Information Handling: Charities must ensure the fair use of personal stories and data in campaigns.

Vulnerability Protections: Services supporting vulnerable groups like domestic violence survivors must handle data with additional care.

Organisational Accountability: A privacy officer is needed to ensure data protection and handle privacy inquiries or complaints.

 

How the Privacy Act Review Affects the Medical Industry

Here is a collection of principles that could impact medical and healthcare organisations and potential use cases:

Agreed In Full Agreed In Principle
Purpose Identification for Consent (Proposals 14.2 & 14.3): A clinic must transparently state why it’s collecting patient data, such as for treatment, billing, or sharing with specialists.

Amendment to Objects of the Act (Proposals 3.1 & 3.2): Healthcare providers must balance patient care with the individual’s right to privacy.

Protection of De-identified Information (Proposal 21.4): Hospitals protect de-identified patient data from potential misuse or re-identification.

Enhanced OAIC Guidance for Data Destruction and De-identification (Proposal 21.5): Medical practices follow detailed guidelines for destroying or de-identifying patient health records.

New Tiers of Civil Penalty Provisions (Proposal 25.1 & 25.2): Clinics could face penalties for improper handling of patient data or administrative breaches.

Consent for Geolocation Tracking Data (Proposal 4.10): Healthcare apps require explicit consent from users before tracking their precise location data.

Emergency Declarations and Information Disclosure (Proposal 5.4 & 5.5): In health crises, hospitals may need to disclose patient information to state authorities under emergency declarations.

Standard Contractual Clauses for Overseas Data Transfer (Proposal 23.3): Medical research institutes use standard contractual clauses when sharing patient data overseas.

Requirement for Redress in Privacy Breaches (Proposal 25.5 & 25.6): Healthcare facilities must provide redress for harm caused by data breaches, including mitigating any potential damage.

 Clarification of Personal Information: Hospitals must consider data like IP addresses from online consultations as personal information.

Sensitive Information: Genetic testing labs must implement heightened security measures, like encryption and strict access controls, for genomic data.

Small Business Exemption Removal: Small clinics will now need comprehensive privacy policies and data protection practices.

Fair and Reasonable Information Handling: Patient data used for research must be transparent and within ethical guidelines.

Enhanced Data Breach Obligations: Hospitals must report breaches within 72 hours to authorities and affected patients.

Organisational Accountability: A privacy officer in a healthcare provider must oversee data handling and staff training on privacy policies.

High Privacy Risk Activities: New patient data systems require Privacy Impact Assessments before use.

Automated Decision-Making (ADM) Policies: Telehealth apps using ADM must clearly disclose how decisions impact patient care.

Direct Marketing, Targeting, and Trading: Pharmaceutical companies must comply with strict rules for marketing based on healthcare professionals’ data.

Children’s Privacy: Paediatric services must ensure digital platforms comply with new rules on children’s data.

Vulnerability Protections: Hospitals need extra data protection measures for patients with mental health issues eg: encryption

Simplification of Terms and Obligations: Healthcare IT providers need clear distinctions in their roles as data processors or controllers.

Overseas Data Flow Regulations: Research firms must use standard contractual clauses for international data sharing.

Expanded Individual Rights: Patients can ask hospitals to delete or explain the use of their medical records.

 

How the Privacy Act Review Affects the Education Sector

Here is a collection of principles that could impact the education sector and potential use cases:

Agreed In Full Agreed In Principle
Purpose Identification for Consent (Proposals 14.2 & 14.3): A high school clearly states why it’s collecting personal information, like health records or educational support services.

Amendment to Objects of the Act (Proposals 3.1 & 3.2): A primary school ensures the protection of student and parent information, aligning educational needs with privacy rights.

Enhanced OAIC Guidance for Data Destruction and De-identification (Proposal 21.5): Schools adhere to guidelines on securely destroying or de-identifying records, such as counselling notes.

Emergency Declarations and Information Disclosure (Proposal 5.4 & 5.5): Schools may disclose student information to authorities in emergencies under specific conditions.

Requirement for Redress in Privacy Breaches (Proposal 25.5 & 25.6): Schools are required to identify, mitigate, and provide remedies for any harm caused by a data breach.

 Clarification of Personal Information: Schools handling online learning data must treat technical details, such as login information, as personal information.

Small Business Exemption Removal: Small tutoring services must ensure compliance with the Privacy Act, including data protection and breach notification.

Enhanced Data Breach Obligations: Schools must rapidly inform parents and authorities of any data breaches, adhering to the 72-hour notification rule.

High Privacy Risk Activities: Schools implementing student tracking systems must evaluate privacy risks beforehand.

Automated Decision-Making (ADM) Policies: Learning platforms using ADM for student paths need transparent data use policies.

Direct Marketing, Targeting, and Trading: Educational apps must adhere to new regulations on targeted advertising to students.

Children’s Privacy: Schools need to safeguard children’s data on educational platforms, avoiding improper collection or use.

Simplification of Terms and Obligations: Educational software companies must understand their data handling roles when providing services to schools.

Overseas Data Flow Regulations: Universities collaborating internationally must ensure appropriate data transfer agreements.

Expanded Individual Rights: Parents and students can request schools to delete or detail the use of their personal data.

 

Where to from here?

Understanding these changes and preparing for their implementation is crucial for non-profits, healthcare providers, and educational institutions. The Privacy Act also plays a vital role in cyber security, but it’s not often discussed as part of a robust cyber security strategy,

Unlike others who solely focus on the Australian Cyber Security Centre’s Essential 8 framework, our cyber security solution, CyberShield, goes above and beyond that framework. CyberShield is a unique offering focused on compliance and governance measures, coupled with robust security tools and managed IT Services. The solution is also tailored according to your industry requirements.

Discuss your industry requirements with our experts and book a consultation with the ADITS team today. Whether you’re in Brisbane, Townsville, or anywhere across Queensland, we’re here to provide tailored IT and cyber security solutions to meet your unique needs. Let’s work together to secure your organisation’s future.

CONTACT US

 

C-Suite & Board Training: Because it all starts at the top!

Take your first step towards a stronger, more secure and compliant business by registering your interest for our half-day certified C-Suite & Board training. We’ll cover:

  • Data security and privacy compliance
  • Potential risks to your business and how to address them
  • Personal liabilities
  • Reporting
  • Crisis management recommendations
  • Best practices for policies and procedures
  • And more!

 

Register Your Interest