Page 1: Support for Principals in assessing IT service providers

Support Pack v3.0 20.10.21 Page | 1

Under the Schools Digital Strategy, panels of pre-qualified suppliers will be available for schools to engage and use their products. Through this process many of the items in this document will be addressed and in place for schools. These will be announced as they become available and include school administration and online learning tools.

Schools may decide to use free, or to procure, additional external IT Services to meet their identified educational or administrative needs. Clear educational or administrative benefits should be identified and recorded in an appropriate document to support the case to use non-departmental IT services.

Please contact the School ICT Support team through EDConnect to confirm if the product or service being considered is already part of a Department Enterprise Agreement; if it is, contact the Procurement Directorate directly to proceed with the engagement.

For all contracts with a valuation above $150,000 (Inc GST AUD), the Procurement Directorate must be approached for contract oversight and vendor engagement. Refer: https://education.nsw.gov.au/procurement/the-essentials/what-is-the-intended-value-of-your-engagement/150-000-and-over

Principals have responsibility for the security of information and management of the associated risks for data entered into or stored in systems not provided by the Department. Systems may be cloud-hosted (on servers within Australia or off-shore) or run on servers within the school. Privacy and security of data are key considerations in selecting and using such services.

The Department manages the requirements for information security and privacy in the systems and services it provides to schools. Due diligence must be applied when selecting and using online applications outside of those provided by the Department's IT Directorate to mitigate the risks associated with using such online applications.

This document contains the following sections to guide Principals through the considerations:

1) Product / Service Selection – Due Diligence*, with emphasis on Information Privacy and Security

2) Contract / Agreement Oversight

3) Additional Resources: Parent / Carer Consent Template.

*Refer to the ‘Due Diligence – Vendor Checklist’ available within the Principal Pack for a list of all items the Vendor should tick off to qualify for consideration.

1. Product / Service Selection – ‘Due Diligence’

The following aspects must be thoroughly considered in conducting due diligence:

1) Privacy

2) Information security

3) Data Sovereignty

4) Third Party Integration (3PI)

5) Data Classification and Labelling

6) Support Services.

Each of these is detailed below.

1. Privacy

There are specific legislative requirements which must be addressed. The type of information to be protected includes:

• personally identifiable information (Staff / Student or Parent) (information or opinion about an individual from which the individual’s identity can reasonably be ascertained: e.g. student name, age, address, email address, school, grade/class)

• student health information (information or opinion about an individual’s physical or mental health or disability, or health services provided to an individual)

• student academic information (e.g. grades, results)

• financial and legal information

If personal information is involved, schools can request an assessment from ITD’s Information Security Unit via EDConnect.

Why is Privacy Important?

Privacy legislation establishes safeguards to protect all personal and health information held by NSW government agencies. These are referred to as Information Protection Principles (IPPs) and Health Privacy Principles (HPPs). When data is stored in the cloud, the level of control is somewhat reduced. Regardless of the security controls provided by the Service Provider (SP), the risk of unauthorised access to and disclosure of personal and health information remains. The obligation to protect the privacy of people who use the service, or whose particulars are stored on it, still remains with the principal.

Managing Privacy:

Schools may use Service Providers for educational and administrative purposes. Before uploading an individual's personal or health information to a SP, schools must be satisfied they have the person's consent to do so. Where student information is involved, parent/carer consent will typically be required.

An example of a consent form can be found at the end of this document. Schools must not rely on the privacy notice or online services permission on page 13 of the Application to enrol as consent to disclose student, parent or other person's personal or health information to a Service Provider.

Further information on IPPs and HPPs is available on the Office of the Privacy Commissioner website: https://www.ipc.nsw.gov.au/privacy/nsw-privacy-laws/applying-law# and in the Department’s Privacy Code of Practice: https://education.nsw.gov.au/about-us/rights-and-accountability/privacy/privacy-legislation

Privacy Management Plan:

The department's Privacy Management Plan details the policies, practices and other resources that guide and inform staff in meeting IPPs and HPPs.

https://education.nsw.gov.au/content/dam/main-education/about-us/rights-and-accountability/media/documents/privacy-management-plan-march-2014.pdf

Further information about privacy is available on Legal Services' Privacy page on the intranet.

https://education.nsw.gov.au/inside-the-department/legal-services/legal-topics/governance-and-commercial/privacy

2. Information security

Information Security requirements must be managed from the outset in considering external IT products and services. The Department manages information security requirements for IT services it offers, which are not automatically extended to services engaged by individual schools. In deciding to use a non-departmental IT Service, the Principal is responsible for ensuring information security requirements are met and the following are managed:

• Unauthorised access

• Unauthorised disclosure

• Data corruption / data loss

• Viruses and malicious software

• Denial of service attacks

• System outages.

Security – Confidentiality:

Confidentiality is where information is only accessible to those authorised to have access. Confidentiality can be achieved by encryption:

• Sensitive data/information must be encrypted at rest (when stored in the cloud). It is recommended to request AES 128 or AES 256 encryption.

• Sensitive data/information must be encrypted in motion (when accessed via the internet). It is recommended to request HTTPS over TLS 1.2 encryption.

Back-up data must be encrypted by the Service Provider using AES 128 or AES 256 encryption.

Security – Integrity:

Integrity is the accuracy and consistency of stored data. Integrity of data is achieved by:

• Data input validation (prevent corrupted data input)

• Access control (prevent sabotage/alteration)

• Data checking within the application

• Logging, to audit user activity.

To ensure the department meets its Privacy requirements, some personal information held by departmental systems cannot be shared with third party service providers. Ask your IT Service Provider, in writing, how they protect the confidentiality and integrity of your data before entering into a contract or agreement.

Security – Availability:

Availability is the measure of system and data uptime. Availability can be impacted by:

• Power & communication outages

• Security incidents - virus outbreak or denial-of-service attack

• Hardware failure.

Availability is addressed by IT Service Providers using:

• A Business continuity plan (to get you up and running immediately - e.g. a diesel generator)

• A Disaster recovery plan (addressing the actual disaster - e.g. restoring all data from a backup).

It is important for schools to understand Service Level Agreements (SLAs) before committing to an IT service. Service availability and reliability are a high priority, and service providers need to be able to recover from a fault or outage within an agreed timeframe suitable for the use of the product in the school.

Information security certifications:

Relevant industry certifications in information security include:

• ISO 27001 and/or ISO 27017

• PCI DSS compliance for card payment/processing providers.

Vulnerability Management:

Periodic maintenance of operating systems and applications should be performed to address newly identified risks. Ask the IT Service Provider if they use a calendar to schedule this maintenance so that you can plan for it.

Threat Management:

Ask the IT Service Provider if they actively monitor for threats such as viruses, network intrusion, denial-of-service attacks and unauthorised access.

Data Backups:

Ensure that the regularity and scope of the backup is appropriate for the data held within the system. At a minimum, a daily incremental backup service should be provided by the Service Provider.

Security Incident Notifications:

High severity security incident notifications must be provided to the school.

Data Destruction:

Upon termination of any contract or agreement, the data hosted by the service provider must be properly destroyed by the service provider and a certificate of destruction provided to you.

Security Testing:

Proactive management and early resolution of vulnerabilities reduces Information Security risks. Schools should:

• Ask the service provider if they undertake regular vulnerability scanning and penetration testing.

• Receive updates on vulnerability scans and their results.

Access Control:

Properly managing who the users and administrators of the service are, and how their access is managed, is essential. It is important to document a procedure that includes:

• The legitimate users of the system

• Roles a user can perform within the system (e.g. administrator, staff, teacher, student, parent)

• Access and functionality granted when a User is assigned to various roles

• How access is granted/removed

• A requirement for periodic user list reviews - no less than 6 monthly.

• Remember the same password shouldn't be used for your DoE account and any other account.

Authentication:

Users must be able to be uniquely identified and be able to securely access the application. It is important the Service Provider documents how this is achieved in the system. At a minimum, ensure that all password controls conform to the DoE Password Standard. If the system is not integrated with the department's Single-Sign-On system, passwords used in the service provider's system must be different to those used to access the portal or log in to your DoE network account. This ensures that any breach of the service provider's system that exposes user passwords does not provide passwords to access Departmental systems.

3. Data Sovereignty

Data sovereignty concerns the geographic location in which the information will be stored by the Service Provider. System servers may be hosted within Australia, off-shore, or locally within your school. Australia has strong data protection and data privacy laws, therefore it is recommended that the data is hosted within Australia. This includes disaster recovery capabilities and data backups.

If the intended online / cloud service is hosted offshore, you should consider an alternative provider so that the data remains in Australia. Information on where some third party vendors’ data is stored is available through the ‘Going to a Public School’ Privacy Information page: https://education.nsw.gov.au/public-schools/going-to-a-public-school/privacy-information

It is important to remember that the information you create or upload is not stored in the department’s Data Centre. Your data will be in a commercial, non-departmental system. The information may potentially be accessible by non-DoE personnel and people outside Australia. On occasions, third party service providers will request personal information relating to a student, staff member or parent/carer that the department is unable to provide. Schools are to ensure that:

a) The parent/carer has consented to personal information of a student and parent/carer being shared with a third party service provider. Refer to Section 3 of this document.

b) The parent/carer has provided a signed consent form acknowledging the storage location of the personal information provided.

4. Third Party Integration (3PI)

Schools on-boarded to 3PI will need to advise ITD of their intention to change systems to schedule a migration date. [Contact ITD’s 3PI Unit]. Please refer to: https://education.nsw.gov.au/technology/projects-and-initiatives/third-party-integration

5. Data Classification and Labelling

Before committing to cloud services you will need to assess the sensitivity of the information, also known as information classification and labelling.

For information on how to correctly label your information, please refer to the Information Classification and Labelling Guide: https://my.education.nsw.gov.au/inside-the-department/edconnect/corporate-operations/compliance-records-and-audit/records-management/information-classification-and-labelling

Information Handling Policies are located on the DoE intranet: https://education.nsw.gov.au/policy-management-schools/support-for-policy-managers/records-and-policy-management

6. Support Services

The quality and scope of support services provided for the Service / Application should be assessed prior to committing to use.

Important Footnote: If you sense that either Privacy or Information Security might be compromised, do not proceed with the engagement until advice is sought and received from the Security Unit of the ITD Directorate.

2. Contract Oversight

School management of the following non-departmental IT services is to be carefully considered and planned prior to accepting any agreement with a vendor or service provider. For all contracts with a valuation above $150,000 (Inc GST AUD), the Procurement Directorate must be approached for contract oversight and vendor engagement. Refer: https://education.nsw.gov.au/procurement/buying-goods-and-services/what-is-the-intended-value-of-your-engagement

Educational and administration benefits

• Clear educational or administrative benefits should be identified and recorded prior to making the decision to use non-departmental IT services

• These should be reviewed on a periodic basis to ensure that they are still current and relevant in meeting the needs identified at the school

• Schools should also review the amount of time school staff are spending in managing and maintaining these IT services, including the management of information security and privacy.

Technical Support

Considerations to be made prior to accepting an agreement with a vendor or service provider should include:

1) The location from which support is provided (Australia or overseas)?

2) What after-hours support is available (e.g. Monday to Friday - 8am to 8pm) and at what cost?

3) How is support delivered? (Telephone, website, email, remote connection or onsite personnel)

4) Are there limitations on support? (e.g. entitlement to a certain number of support calls per month)

5) Does support include access to software/hardware upgrades and software patches and the installation of these? What training or support of users is provided after an upgrade?

6) Has the vendor been on-boarded with the Department of Education to ensure third party services align with department privacy legislation?

Warranty

Should the product or service prove to be faulty or substandard in quality, you should be aware of what service levels or warranty are covered in your agreement, including the following:

1) Review Terms & Conditions - raise all concerns in writing with the vendor or service provider.

2) Assess any additional expenses which may be charged for additional work not covered under warranty or agreement, including any training, integration or freight.

IT Services - Termination of Contract

If you decide to terminate your contract with a Service Provider, you should know beforehand what options are available to you for moving your information/data to another provider. Ask the Service Provider the following questions:

1) Which data formats are available for data exporting?

2) Is there a cost involved with exporting data?

3) How long will the data remain available upon contract termination?

4) When will the service provider permanently remove all of your data from the service?

Termination of Contract - Third Party Integration (3PI)

If you decide to terminate your contract with a Service Provider and have been on-boarded to the 3PI service, you should know beforehand what your options are for moving your information/data to another provider.

ITD will require notification of your intent to terminate your contract for the following reasons:

1) The school may be required to complete a checklist of processes within the third party application prior to terminating

2) The school may be required to complete a checklist of processes within the department’s enterprise system/s

3) A suitable time needs to be determined for schools to switch between third party systems to ensure integrity of data.

For more information on 3PI requirements, refer to: https://education.nsw.gov.au/technology/projects-and-initiatives/third-party-integration

IT Services - Business Continuity & Disaster Recovery

Since all Service Providers are vulnerable to outages, ask them the following questions:

1) Can they give you a copy of their formal Business Continuity (BC) and Disaster Recovery (DR) plans?

2) How often do they test their BC and DR plans?

3) Will you be notified of an outage and restoration of the service?

Integration with ITD

It's important to consider integration with ITD (IT Directorate) systems such as Simplified-Sign-On (SSO), Student Portal, external access, etc. Some questions to consider:

1) Will the system require integration with ITD managed systems?

2) Will you require support from ITD?

3) Will you be required to import/export data regularly to meet Department of Education requirements?

4) Will you be required to double enter data as a result of the department’s privacy legislation? If so,

a) What staff member will be expected to double enter data?

b) Has the parent consented to their personal information being shared with a third party service provider? Refer to Section 3 of this document.

c) Has the parent signed the consent form acknowledging where their personal details will be stored?

Application / Platform Management

Many systems provide for different levels of access and highly privileged accounts. Key considerations include:

1) Who in the school will have access to the application for general administration? Who will have access to the master administration account?

2) What controls are in place to monitor use and access of these administration accounts?

3) How will the departure of staff with these administration accounts be managed to ensure the continuity of the service and security of data?

4) Who in the school is responsible for managing access requests for general access to the service?

5) Is a school Technical Support Officer (TSO) available to assist with the setup and integration of department enterprise systems with the third party application?
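One way to turn the Access Control procedure in Section 1 (legitimate users, documented roles, user list reviews no less than 6-monthly) and the Application / Platform Management questions above about administration accounts and departing staff into a repeatable check. This is an added example, not part of the Support Pack; it reviews a constructed CSV user export from a hypothetical service provider console, and the column names, roles, usernames and dates are all assumptions.

```python
"""Access review helper for a non-departmental service (added example).

Checks a user-list export from a service provider against the access-control
procedure the Support Pack asks schools to document: the legitimate users, the
roles they may hold, a user-list review no less than 6-monthly, and what happens
to administration accounts when staff depart. Every name, role and date here is
constructed sample data, not taken from any real school or provider.
"""
import csv
import io
from datetime import date, timedelta

# Roles the documented procedure permits (the Support Pack's example roles).
DOCUMENTED_ROLES = {"administrator", "staff", "teacher", "student", "parent"}
# Roles treated as highly privileged (assumption: "administrator" is the
# master/admin role in this hypothetical service).
PRIVILEGED_ROLES = {"administrator"}
# Review interval required by the procedure: no less than 6-monthly.
REVIEW_INTERVAL = timedelta(days=183)

# Constructed export, in the CSV shape a hypothetical admin console might produce.
USER_EXPORT = """\
username,role,status,last_reviewed
principal.a,administrator,active,2021-03-01
teacher.b,teacher,active,2021-09-15
teacher.c,teacher,active,2020-11-30
vendor.support,superuser,active,2021-09-15
student.d,student,active,2021-09-15
leaver.e,administrator,active,2021-09-15
"""

# Constructed list of staff who have left the school.
DEPARTED_STAFF = {"leaver.e"}


def review_user_list(export_csv, departed, today, documented_roles=DOCUMENTED_ROLES,
                     privileged_roles=PRIVILEGED_ROLES, interval=REVIEW_INTERVAL):
    """Return findings keyed by type; each value is a sorted list of usernames."""
    findings = {
        "unknown_role": [],            # role not in the documented procedure
        "review_overdue": [],          # last review older than the interval
        "departed_still_active": [],   # leaver whose account was never removed
        "privileged": [],              # accounts needing the admin-account controls
    }
    for row in csv.DictReader(io.StringIO(export_csv)):
        user = row["username"].strip()
        role = row["role"].strip().lower()
        active = row["status"].strip().lower() == "active"
        if role not in documented_roles:
            findings["unknown_role"].append(user)
        last_reviewed = date.fromisoformat(row["last_reviewed"].strip())
        if today - last_reviewed > interval:
            findings["review_overdue"].append(user)
        if active and user in departed:
            findings["departed_still_active"].append(user)
        # An undocumented role is treated as privileged until someone confirms
        # what it can do, since the procedure has no entry describing its access.
        if role in privileged_roles or role not in documented_roles:
            findings["privileged"].append(user)
    return {kind: sorted(users) for kind, users in findings.items()}


def sample_review():
    """Run the review over the constructed export as at the pack's date (20.10.21)."""
    return review_user_list(USER_EXPORT, DEPARTED_STAFF, today=date(2021, 10, 20))


if __name__ == "__main__":
    for kind, users in sample_review().items():
        print(f"{kind}: {', '.join(users) if users else 'none'}")
```

Each finding maps back to a checklist item the school can raise with the provider or action itself: an undocumented role, an overdue review, or a departed administrator whose account is still active.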

Vendor Management & Engagement

A member of staff will need to be delegated as the central point of contact with the vendor to manage:

1) Helpdesk/Support inquiries.

2) Product upgrades / patches.

3) Engagement point for incidents (vendor advises of outages, etc.).

Contract Scope, Terms & Conditions

It is important to assess the scope, terms and conditions prior to accepting any agreement. Considerations include:

• Are the terms and conditions understood? Are there penalty clauses for early termination? Are there hidden costs during the life of the contract?

• What is the scope of the agreement or contract you are entering? Are you entering the agreement or contract on behalf of the school, the department or personally?

• If you are on-boarded to Third Party Integration (3PI), have you contacted ITD to understand restrictions and limitations when exiting your third party application? For more information on 3PI, refer to: https://education.nsw.gov.au/technology/projects-and-initiatives/third-party-integration

Engage with the Procurement Directorate for further advice and guidance on signing the contract with the Vendor. Please refer to: https://education.nsw.gov.au/procurement