Washington, DC, 18 May 2023—During the second annual Privacy & Interoperability Symposium, the Student Data Privacy Consortium (SDPC) announced version 1.0 of the first ever international education sector specific data security standard. The Global Education Security Standard (GESS) reflects the combined work and outputs of a multi-national team dedicated to improving the cyber safety of the education sector. The Student Data Privacy Consortium (SDPC), a Special Interest Group of the non-profit Access 4 Learning (A4L) Community, has been successful in bringing the educational technology (EdTech) marketplace players and school districts/states/countries together in addressing student data privacy obligations.
This SDPC Project Team has come together over the past 18 months to synthesize security, privacy and child safety requirements from across the USA, Europe, New Zealand and Australia to develop a set of relevant controls, which draw on existing international standards, to produce a set of controls which can be used by the education sector to drive adoption and compliance across the thousands of applications used across schools globally. This work leverages the work previously produced by the Safer Technologies 4 Schools project in Australia.
Anthony Yaremenko, Co-founder of Safer Technologies 4 Schools (ST4S), Australia states; “A unified standard, respected and supported by education authorities globally, will help shape the bi-partisan conversations between software vendors and education providers as we all work together to ensure the safety of students and school communities. Intended key benefits include a single repository of controls able to be contributed to and shared by education bodies across the globe; significantly reduced compliance overheads for software vendors who will be able to be attest once to the GESS controls and have this result respected in participating education jurisdictions; and lastly, a message to the software industry that security and privacy of education data is of the utmost importance.”
Building upon the success of the Student Data Privacy Consortium’s work to normalize privacy obligations across jurisdictions, the GESS is expected to move the international EdTech community towards shared expectations and solutions to secure education data while ensuring privacy obligations are met.
Dr Veli Hillman, Founder of EDDS, Visiting Fellow at London School of Economics & Political Science, alumna of Berkman Klein Centre for Internet & Society at Harvard University, and Trustee of a public high-school in the UK states “The GESS cybersecurity framework is a major step forward in protecting us all from cyber-harms. I will be taking it to the European Broadband Commission and the UK Government in the coming weeks and we are trailing it with two cohorts of UK and Nordic EdTech’s over the next three months.”
The Global Education Security Standard portal is provided openly for the Pk-20 community to explore the identified controls from existing cyber security frameworks. The portal allows visitors to filter the GESS controls by frameworks or jurisdictions. Sets of GESS controls as well as assessment questions may be downloaded to assist providers in understanding and meeting the requirements. A4L Community members will soon be able to leverage a self-assessment as a way to measuring and tracking their own compliance with GESS.
“The GESS framework allows us, as a global EdTech vendor providing software and services to schools, colleges, local government and the wider public sector, to map our existing approaches to security and data protection against the wide range of standards and frameworks, covering approaches based on local legislation as well as international codes, and allow educational institutes to openly review and assess what we do” states Tony Sheppard, Information Governance Lead, NetSupport. “As well as enabling the mapping to take place, it can also highlight our gaps and in which regions it may affect our compliance. I can’t think of a more comprehensive tool for EdTech vendors to use as part of a continuous cycle of security improvements and providing demonstrable information on good practices.”
In related work, the SDPC is expected to release the highly anticipated version 2 of the National Data Privacy Agreement (NDPA) in the US within a few months. Updates to the NDPA are expected to further streamline the safe onboarding of safe EdTech applications in the US. In addition, the NDPA V2 will include compliance with the GESS as one of the options to meet the security requirements further streamlining the obligations expectations between providers and schools.
“As a recognized standard, GESS will ensure privacy protections and reduce costs for K-20 and providers. Data privacy negotiations are very time consuming for both parties and this will enable them to streamline the DPA process”, states Connie Coy, MOREnet Cybersecurity Analyst.
Feedback to the first release of GESS from the software industry and education sector is welcomed and will be curated and incorporated as appropriate to ensure a useful, relevant and enduring approach to security and privacy continues via GESS. A feedback link is provided on the GESS portal for input.
To learn more about the work of, or join the A4L Community, please visit https://privacy.a4l.org/
To find out more about GESS, please go to: https://sdpc.a4l.org/gess_home.php
To find out more about the ST4S project, please go to: https://st4s.edu.au/