New Zealand-made software putting schools at risk of cyber attack

08:55 am on 20 December 2022

Documents show New Zealand-made software has put schools at risk from hackers, and Education Minister Chris Hipkins last year urged officials to act faster to protect them.

The proactively released papers from 2021 included a handwritten note from Hipkins, saying schools "can't afford to lose a single day, given the vulnerability".

"I would like this work given an even greater sense of urgency than the paper suggests," he wrote.

"Schools do not have the capability or capacity to manage these issues and it is unfair to ask them to do so."

RNZ reported last month on plans developed earlier this year to improve schools' cybersecurity by centralising key digital services to the Ministry of Education and setting standards for school software.

Now the ministry has published papers from 2021 that informed that work.

They included a ministry report to the minister from June last year, which showed New Zealand-made software, including student management systems (SMS), was exposing schools to cybersecurity risks.

"These issues are exacerbated by evidence of poor design and implementation of many of the applications schools rely on for their day-to-day operations," it said. "This is particularly acute with education sector applications such as SMS. Many vendors in this space are small local companies that do not meet standards typically required by government.

"Schools are particularly vulnerable as many of the systems they use have not been engineered with security as a key requirement nor kept up to date as new cyber threats emerge."

A paper from October said SMS were "a challenging place to start, but time is of the essence".

"The nature of the sensitive information in school SMS and the extent to which SMS are relied upon within kura and schools, is exacerbated by the potential fragility of some SMS vendors," it said.

The October paper said it would take four to five years to address the SMS market, including revising schools' contracts and fixing security risks.

It said some IT vendors might upgrade their systems, but there was a risk others would not and the ministry would support them "rather than risk a denial of service" to schools.

The June paper said cloud technologies mitigated many of the risks, but exponentially increased the number of software applications schools were using and created other problems.

"The increasing use of data-driven learning insights and adaptive learning applications is vastly increasing the amount of student data being held in such systems, and many hold data offshore, not necessarily subject to NZ jurisdictional protections."

It said multiple large multinationals and at least one New Zealand cloud-based SMS vendor had suffered significant privacy breaches.

The document said there were no accreditation standards for school software or IT providers, so it was hard for school staff to assess what they were buying.

A document from October last year showed the ministry was collaborating with Australian officials to create trans-Tasman standards for education software.

The paper said the ministry spent about $78 million a year on centrally provided IT services, and more would be required.

The government Budget this year included $27 million for immediate measures to shore up schools' cybersecurity.