Safeguarding Student Data Is As Important Today as Ever
Information security is rapidly becoming the number one global concern for cloud-based training and education software systems. There are 100 valid reasons why this is true, and they will be covered in later posts. But let’s start by focusing on the top issues that relate to your student data.
Does safeguarding student data really matter to you? Why is it your problem?
Firstly, you have a legal obligation under the Privacy and Data Protection Act. But the purpose of this blog is not to beat you over the head with the book of rules. What organisations like yours need more than anything are simple and practical how-to guides that help you adhere to those rules. And since most of the private student information you’re ever likely to capture resides in your student or learning management system, that’s exactly where we should start. But please be aware that’s not where it stops. Security is a whole-of-business concern. Your SMS can’t be responsible for all of it.
Even the big boys with deep pockets get caught out.
You may remember this one:
TELSTRA has been fined $10,200 and warned over privacy breaches after an information leak exposed almost 16,000 of its customers’ private data online.
Ref: The Australian – MITCHELL BINGEMANN - Mar 11th 2014 http://www.theaustralian.com.au/business/technology/telstra-fined-warned-after-new-privacy-breach/news-story/387583869765a666497863b3d6570aec
1. Personal Information
Your students have entrusted you with their personal information. They expect you to protect it and keep it safe. Safeguarding student data means your software needs to provide you with the tools to Capture, store and expose only the information that your people need to do their job. You need the ability to show/hide personal information according to user roles for only as long as that person needs access to the information.
This holds true for address details, email, phone, next of kin, USI, Tax File Numbers, and any information that could potentially put your students’ private information at risk.
If your software provides user portals for say Trainers, Corporate Clients and Students; keep in mind that access to private information may extend beyond your team. In fact, it is usually more important that the people representing your corporate clients have controlled and restricted access to any private information that you hold on their employees. You have no way of knowing what security clearance that person holds within your corporate client’s organisation.
As a general rule it is always safer to lock down access initially and progressively allow access only as and when required.
2. Authentication and Authorisation
Authentication is the process by which a web application identifies users who have some level of access to a web application, giving the user. Authorisation determines what level of access the user has. There are standards that define access security to a website, like OAuth 2.0 and Microsoft ASP.NET Identity framework. If your website does not adopt an industry standard authentication and authorisation standard your site is probably prone to unauthorised access which will make safeguarding your student data much more difficult.
3. Credit Cards
If your software accepts online payments for enrolment or purchase of resources, there is absolutely no reason why you should ever need to collect or store credit card details. In fact, it is illegal to do so. PCI DSS compliant payment gateways have been around since the early 90’s. A payment gateway interface is available for every bank and you can accept payment in any currency of your choice, very cost effectively, without ever having to capture or store your users credit card information. Yet some amateur solutions will still capture and store credit card details. As with the other points, safeguarding your student data is paramount. Make sure your software does.