School Information Security and Privacy in the Cloud

School Information Security and Privacy in the Cloud Information Sheet and FAQ s Staying competitive in today s digital world means using technology in ways that are innovative in scope and reach. The challenge is to reap the benefits of cloud computing and online applications, while still maintaining information privacy and data security. The information below examines the following questions: 1. Why should our school be concerned? 2. What are the issues and risks? 3. What current practices should our school be concerned about? 4. What does the law require? 5. What is BCE doing to assist schools? 6. Should our school stop using all other online tools and services? 7. What should our school consider before signing up to a service or entering into a contract? 8. What are the overall dos and don ts 9. Who can I contact for further information? 10. Definitions 1. Why should our school be concerned? As a result of changes to the Privacy Act, we must be more mindful of the kinds of personal student and parent information and school data being stored and exchanged through online services and devices. School communities today expect to transmit and store vast amounts of information instantly and access this information on PC s, tablets and mobile devices. To do this, many of our day to day learning, teaching and administrative activities take place in online, cloud based environments. These environments can provide access to the latest software applications, hardware and network pathways to store and process information. They offer 24/7 accessibility and involve less staff time maintaining on site servers and equipment. Along with these benefits however, come some serious challenges. In particular, these involve the potential for privacy breaches that accompany the transfer of personal information to public cloud based services and external service providers. But it s not just cloud based applications that need careful management. Onsite servers, housing local applications and files containing student and parent information, can also create opportunities for the unintentional release of personal data. These concerns are real and must be addressed by school communities. Copyright 2014 Catholic Education, Archdiocese of Brisbane Page 1

2. What are the issues and risks? As soon as student or parent information is transferred or stored in the public cloud, it is housed on shared systems operated by others. This means that the school does not have physical control over the data, and must entrust the service provider with the school s information. When data is extracted from a secure, identity managed BCE enterprise system and rehoused in a local application, file server or mobile device, it is also at risk of security breaches. The following potential issues may arise in these cases: Data loss by users or service providers who, knowingly or not, expose information by sharing or sending it Collection and aggregation of personally identifiable data for use by third parties Data breaches or content loss, caused by faulty server configuration, security setup, patching and updates, or by software viruses. Out of date data as a result of being exported from a BCE enterprise system and republished in a non supported application 3. What current practices should our school be concerned about? a. Storing enterprise data and resources in the public cloud. All data created by students, teachers and staff related to students, is an education record. Schools should retain control over such records by creating and storing the data onsite or in an enterprise system where possible, and not in a public cloud service. eg storing student and teacher work in Google Drive, Dropbox etc instead of in SharePoint School Portals or LIFE b. Exporting data and storing it on local servers or devices School servers and other external storage devices, that store exported student data in either files, folders or locally managed applications, must be regularly updated, securely managed and audited. Schools should also ensure that appropriate and ongoing network and server change management practices are in place. eg exporting student information from eminerva, saving it, and importing it into locally maintained student management systems c. Using Web 2.0 services with students and parents Schools are responsible for the privacy and security of personal student, parent and educational data in the cloud. This means that schools must fully understand the purpose for which any personal information or content is collected and how it is to be used or shared. They should also have investigated the service s Terms and Conditions and how the provider complies with the Privacy Act, before endorsing the use of a online, cloud based or Web 2.0 service with students. eg using externally hosted online services, which require students to sign up to gain access and result in student work being saved in a public cloud service d. Providing student information and educational data to external service providers Schools must ensure that parents are aware of the types of information that may be disclosed to third parties and external service providers and must enable them to opt out of such disclosures. They should also have investigated how the provider complies with the Privacy Act and inform users and parents if their personal information is to be sent offshore. eg providing student and parent information to online VET or learning management vendors Copyright 2014 Catholic Education, Archdiocese of Brisbane Page 2

4. What does the law require? Under the Privacy Act, a school that uses cloud computing facilities located offshore to store school data, will in many instances, be held responsible to the person whose personal information has been the subject of a data breach by the cloud service provider. Schools must not send personal information about an individual outside Australia without first obtaining their consent. This consent can be obtained by informing the individual at the time of the collection of the information, that the school may send the personal information offshore. When entering into a contract with a service provider, it is suggested that specialist advice is obtained prior to entering into contract with providers to determine if appropriate customer protection is provided to the school under the terms of the contract. 5. What is BCE doing to assist schools? BCE is working to protect student and parent privacy through the use of BCE enterprise systems, online tools and endorsed providers of cloud based and Web 2.0 services. Use of these systems and services will ensure that: Configuration and security setups are in place to protect student and parent privacy and organisational data Identity management and single sign on is available Ongoing maintenance and technical change management practices are in place Due diligence has been undertaken before terms and conditions are accepted or before a contract is entered into BCE also provides privacy and data collection information for use by schools and school communities through the following publications: BCE Information Collection Notice Media Consent forms Privacy Statement 6. Should our school stop using all other online tools and services? Not necessarily where a genuine gap in service or functionality is identified, schools may need to source their own solution. In the first instance however, schools should make use of BCE s enterprise systems and service providers. They should also talk with BCE about their needs and functional requirements in order to identify available solutions or to inform future system development and product acquisition. If schools have decided to go outside of the endorsed BCE suite of products, they should review the service by undertaking the following activities: Review the providers terms and conditions Ensure that the services comply with the Privacy Act Use services that allow the school to retain control over the data Request formal confirmation of the location in which the data will be stored Ensure ongoing ICT governance and technical change management practices and are clearly defined Consult and educate school communities, including parents, about the schools use of public cloud services Enter into a formal contract/service level agreement to ensure the items below are addressed and agreed to Seek advice from BCE s legal counsel team if in doubt Copyright 2014 Catholic Education, Archdiocese of Brisbane Page 3

7. What should our school consider before signing up to a service or entering into a contract? The following questions are part of the due diligence a school should undertake when considering cloudcomputing services or when working with an external service provider. Does the service provider comply with the Australian Privacy Principles in the Commonwealth Privacy Act? How does the service provider inform users of changes to their Terms and Conditions? Does the school have the right to audit the service provider to ensure it is complying with the Privacy Act? Who maintains data ownership? Where will the data be stored? (NB Some vendors, who may be locally based, rely on infrastructure for the hosting of services which may be offshore but do not disclose this in a transparent manner. If hosting services are located offshore, parents must be informed.) How is the security of the data maintained? What procedures will be followed in the case of potential security breaches? How is the data segregated from other customers? Who will have access to the data including system administrators and staff of the provider? Is the service provider owned or controlled by a foreign company? What are the ongoing service levels, back up, restore and support capabilities? What are the technical change management and maintenance activities? Does the provider agree not use or disclose personal information except for the limited purpose of storing and managing the data? What procedures exists to destroy or retrieve personal information, in compliance with the Privacy Act, when it is not longer needed or when the contract comes to an end? 8. What are the overall dos and don ts When investigating public cloud computing services and online school based applications, schools should consider the following dos and don ts. Do Use BCE Enterprise systems and service providers in the first instance Conduct a due diligence assessment of other cloud based services and online applications Contact BCE for support before entering into a contract Discuss privacy issues with staff students and parents/legal guardians Don t Store educational records or enterprise data in the public cloud Export data from enterprise systems before ensuring the necessary security is in place Ask students to sign up to Web 2.0 services before checking the terms and conditions Provide personal student or parent information to external service providers without checking their credentials and adherence to the conditions of the Privacy Act. 9. Who can I contact for further information? Please contact the BCE Service Desk to speak with a member of BCE s Legal Counsel or Information Services team. Copyright 2014 Catholic Education, Archdiocese of Brisbane Page 4

10. Definitions BCE Enterprise Systems a range of integrated technology systems and associated services endorsed by BCE for the whole of organisation use. These systems are secured, managed and maintained by BCE s Information Services team or by endorsed service providers. They make use of BCE identity management system and are hosted in a central data center or private cloud eg eminerva, Dynamics AX, LIFE, SRS, BI, SharePoint Portals and My Sites etc Educational Records written and electronic files containing data relating to a student s education. They may include interactions such as emails and other learning and teaching communications or educational files and documents created by students, teachers or administrators. Online or Cloud based a range of services, applications or data stores made available to schools via the Internet. Parents in the context of this document, the term parent refers to a person who has parental responsibility for a child on a day to day basis, including carers and legal guardians. Personal Information information or opinion about an individual where their identity is apparent, or where the information allows an individual to be identified. Privacy Act the Commonwealth Privacy Act 1988 and Privacy Amendment (Enhancing Privacy Protection) Act 2012 which came into operation in March 2014. A key component is the mandatory requirement for a school to comply with the Australian Privacy Principals (APPs). The APPs set minimum standards which relate to the collection, security, storage, use, correction and disclosure of personal information and access to that information. Private or Enterprise Cloud an isolated data center created, controlled and maintained by BCE or their endorsed service providers. Data and computing workloads are separated to ensure security. Public Cloud large data centers spanning multiple geographical areas running the workload of many customers at once. Managed and owned by the service provider. Security/Data Breach when personal information held by the school is lost or subjected to unauthorised access, use, modification, disclosure, or other misuse. Service Providers external companies or vendors providing Internet based educational services or technical support. Copyright 2014 Catholic Education, Archdiocese of Brisbane Page 5