The risks we may be unaware of or not quite prepared for when we talk about children, safety and the digital world: Part I of a series on cybersecurity in early childhood education and care.
For parents, educators and early childhood services cybersecurity will always be a top concern. It conjures worst fears about paedophiles, exposure to explicit online material and peer-to-peer bullying. It requires informed awareness, a degree of vigilance and age-appropriate strategies. A partnership between parents and educators and the free flow of information between home and early childhood settings are a must.
Yet while strategies have emerged for dealing with these risks, as a sector we barely talk about other pressing concerns, some of which involve legal obligations.
Overall Australia is under-prepared on cyber security according to one academic. Visiting Professor of Cyber Security at the University of New South Wales, Greg Austin, pointed out in a recent article that Australia has for many years lacked strategies to deal with the underlying issues of cyber security and that this erodes national capacity and security. Professor Austin argued that Australia lacks a comprehensive digital strategy and the broader context needed to link disparate measures.
‘A cybersecurity strategy without a plan for globally competitive innovation in the digital economy is like building an ever-stronger wall while the building it protects gradually falls into disrepair ’
(The Conversation, 4 March 2015).
In the article Austin identifies many areas where Australia can do better including three sectors that are not translating advanced technologies to their field—education was one of those sectors.
Early childhood services tend to focus on some kinds of cyber security at the expense of attending to other risks and obligations.
For the kinds of cybersecurity that early childhood services are only too well aware of, there are strategies and resources. Stay smart online, and Think You Know have been highly effective campaigns to equip children, parents and educators with the skills to deal with online stranger danger and similar cyber risks. The Alannah and Madeline Foundation is one of many organisations disseminating programs, information and strategies to help ensure children’s safety and reduce online bullying. In March the Australian parliament passed legislation to strengthen protections for children in the online world and the government will soon announce a Children’s E-commissioner.
An aspect of cybersecurity often overlooked by early childhood services is the impact of privacy law amendments that came into force in 2014. These create obligations under the Privacy Act that many in the early childhood sector may not be aware of and for which their compliance and response strategies are underdeveloped.
The new laws cover many aspects of privacy and information collection. Of particular relevance are data protection and cloud storage regulations. They affect any organisation including ECEC organisations that have a turnover of more than $3 million (not a profit, but a turnover of $3 million). It can also apply to organisations with a turnover less than $3 million under certain circumstances.
One implication seems to be that storing data—images of children or personal details—with a telecommunications or data company that uses an off-shore server (ie a cloud server that is not physically located in Australia) may be in breach of the Act. Three million dollars! Offshore! you say. How can that be relevant?
Except it is relevant. Many early childhood educators and services may make modest profits but their annual turnover may exceed $3 million. Or an individual or ECEC service (including a family day care educator) may be part of a much larger organisation—a company or local government for instance—with a high annual turnover. Or it may apply because under the Act an organisation is defined as providing a health service and holding health information.
The Act itself specifically names child care centres as ‘entities’ covered by the privacy provisions.
In the creation of portfolios, newsletters for parents and maintaining an online portal for educators and families many administrators and educators are transferring data via cloud servers. Google mail, Dropbox, Picasa or any of the hundreds of online albums, galleries and social media sites accessed by educators and services, use cloud server technology. It is not always clear whether cloud servers are located in Australia. Even locally based internet service providers, web hosts or software companies may be storing clients’ data in servers that are located outside Australia.
Early Childhood Australia is seeking official advice and information from the Government about the new laws and how they affect individuals and organisations in the early childhood sector. We will keep you updated through Digichild.
Some Information Communications & Technology (ICT) companies have already rearranged their operations to be compliant with the new Australian laws and we are looking into this too, to bring members and subscribers more information.
At the very least if your early childhood service has a website, uses social media or sends documents, personal information and images of children and families by email you should assess the situation and possibly seek advice. Consider your security, internal protocols and whether the new provisions might apply.
Learn more in ECA’s Digital Business Kit, Module 8: Cloud Computing has a fact sheet and videos to help examine the issues. It includes questions to ask your internet service provider. You can also look at the government’s cloud consumer privacy factsheet.
How has your early childhood service responded to these new cyber security arrangements? Let us know by posting a comment below or emailing email@example.com.