In this article, we are taking a look back at the security changes that we have implemented at VSware in 2018 and 2019. 

The EU General Data Protection Regulation (GDPR) is an EU-wide regulation that came into force on May 25th 2018. It was enforced to set a new standard for how companies use and protect EU citizens’ data.  At VSware we have worked hard to ensure that we are fully compliant and maintain our transparency on how we use our customer’s data.  Before making the necessary changes, we prepared for GDPR by carrying out the following tasks and reviewed these areas:

Internal Review VSware started preparation for GDPR by preparing a comprehensive overview of all systems and data as well as  formulating a plan to improve all processes related to this data. This also includes a commitment to better communicate all changes with the customer.

Access Management Improved user management options mean that schools have more power to decide which users see certain information.

Incident Management This data breach reporting tool on our website enables customers to report breaches outside of office hours. It can be accessed here.

Subject Access Request Under the new GDPR guidelines, individuals have the right to request access to the information the school holds on them or their child. If a parent, student or employee of a school requests access to the information the school holds on them,  that request goes to the school first and will then be passed on to VSware for processing.

Ease of Access 

VSware makes it easy to retrieve student/parent/staff information as all data is stored in one place.

Security Updates 2018/2019

2 Factor Authentication

2-Factor Authentication is an optional security feature that can be added to the user login screen. The feature allows the school to decide which groups of users are included in 2FA (Principals/Secretaries/Teachers/Contacts/Learners). Here’s how it works: 

  •  2FA is first enabled for a specific group of users. When a user then attempts to log in, an SMS will be sent to their phone with a once-off code which they must enter to gain access to their account. The mobile number used will be the one saved on their VSware account
  • The user will be brought through the 2FA process every 30 days or if they log in on a new computer/device
  •  If a school decides to use this feature, the principal must call support and request to have it enabled for the school. After this is done, you can then specify which users (Teachers/Learners etc.) will have 2FA enabled. This can be done in ‘Settings > System Settings > check the relevant boxes as in video above
  • There is also a new report in ‘Settings’ called 2 ‘Factor Auth’. It provides a list of users who do not have a mobile phone number saved on their account

2FA process:

  1. Go to your school URL and enter in your login details
  2. If you have not logged in in over 30 days, or if you are attempting to log in on a different device or computer than the last login attempt, a SMS will be sent to your mobile phone containing a verification code and you will be presented with the below screen. 

3. Enter your verification code and click sign in.

-----------------------------------------------------------------------------------------------------------------------------


SEN documents in read only format

This update ensures that medical and SEN documents open in the browser in read only mode. This also means that only PDF documents can be uploaded to the student’s SEN section.

-----------------------------------------------------------------------------------------------------------------------------

Upload your school’s privacy statement

Schools can upload their own privacy document in PDF form onto their login screen. To do this, go to settings > system settings and press ‘Upload a privacy statement’. This will allow anyone with the link to the VSware login page to download this document, including parents.

-----------------------------------------------------------------------------------------------------------------------------

Enable / Disable Dashboard Widgets

Users are able to toggle on/off existing widgets on the dashboard (such as Behaviour, Overdue roll calls etc.) This allows the user to have greater control of what they see when they log in. This is particularly useful if you use a projector in the classroom and don’t want student or class details displaying on the board.

-----------------------------------------------------------------------------------------------------------------------------

Updated Teacher Permissions

Previously the user permission ‘Allow access to Detailed Student Information’ allowed users access to the Personal and Household tab of a student profile as well as the ability to print student data. Administrators can now separate these permissions, so that it is possible to give a teacher access to either the Personal or Household tab or give access to Print Student Data.

-----------------------------------------------------------------------------------------------------------------------------

User Setup Wizard

The images below are a preview of what you will see when the User Setup Wizard appears on your account. 

In May, all users were prompted to go through a short checklist after logging in to ensure that the way in which we use your school data is fully GDPR compliant. The ‘wizard’ prompts you to review to the following:

Our Privacy Statement. You will be given the option to review this statement before accepting

If you have access to the Intercom chat feature, you will be given the option to receive communications about events and services through this channel

The configuration of the widgets on your dashboard. You will be prompted to select which widgets appear on your dashboard when you log in. The purpose of this is to ensure that sensitive student information (like details of a behaviour incident) do not display immediately after login. This is especially useful for teachers who project their screens in front of their class

You will only be shown tasks that are yet to be completed. If you have already configured your widgets for example, the wizard will skip this step and if you are a parent or student, you will not be asked about Intercom

-----------------------------------------------------------------------------------------------------------------------------

Print Student Data now in ‘Household’

The “Print Student Data” option is available under the Actions button on the Student’s household tab. This option is only available for Principals, Secretaries and Teachers.

-----------------------------------------------------------------------------------------------------------------------------

Users access to Print Student Data

The permission changes also have an impact on the print student data feature. It’s a bit complicated, so let's break it down:

1) If permissions “Grand Access to ALL Students Profiles” and “Print Student Data” are both ticked in teacher’s account page:

Teacher will be able to print student data for all students from all classes and groups and they will have access to print all data on those students (apart from Custom fields and Usernames / Passwords)

Note: For FE schools, some fields such as: Grant, VITOS, Self Email, Self Mobile, Self Username, Self Password may not be available. If you require these but they are missing, please contact support.

2) If permission “Print Student Data” is ticked in teacher’s account page (Screenshot above):

For students the teacher does not directly teach – minimal data can be printed: Class, First Name, Last Name, Full Name

For students they do teach, the data they can print is based on the teacher’s permissions for student’s Personal and Household tabs (on teacher’s account page). To put that another way, if the teacher has the ‘Print Student Data’ and ‘Allow access to student’s Household tab’ permissions checked, they will be able to print household information on their own students, and if they have the‘Print Student Data’ and ‘Allow access to student’s Personal tab‘ permissions checked they will be able to print personal information on their own students.

-----------------------------------------------------------------------------------------------------------------------------

Restricted teacher access to student information

All teachers now only have access to the profiles of students that they directly teach.

For students that they don’t directly teach, they will see: Display Name, Photo, Current Student Status (which lesson they are currently in).

If a teacher does need access to the profile of all students in the school, a new security role “Grant Access to ALL Student Profiles” can be ticked on the teacher’s permissions page to grant them this access, as in the screenshot above.

Substitution

In cases where a teacher is substituting for another teacher, the covering teacher will have access to the details of the students they are covering. These details will just include the student’s Attendance, Behaviour, Timetable and Classes & Groups. This access will only last for the day.

Adding a behaviour

When adding a behaviour and clicking into the dropdown menu of the student’s subjects, they will only see subjects they are assigned to or are covering.

Make editable

Teachers will have access to the teaching groups that were assigned to them through the following live timetable changes:

  • Swap Teacher
  • Add as Additional Teacher
  • Add Lesson
  • Add New Resource Class
  • Add Existing Resource Class

-----------------------------------------------------------------------------------------------------------------------------

Guide to password safety

---------------------------------------------------------------------------------------------------------------------------


Responsibility Disclaimer

As part of our continued efforts to improve the security of our user’s data, we are planning to add a simple reminder to our screens which prompts the user to ensure that any sensitive information which is downloaded or printed from VSware is handled in a secure and appropriate manner. We know that on a busy school day, things like this can sometimes get overlooked so the prompt is there simply to serve as a reminder. 

There are two changes to be aware of. 

1. You will be prompted to accept the responsibility disclaimer when attempting to print student data from the groups tab, the classes tab, the student’s profile, from a student data template or from the teaching group screen. It will require that you accept it’s terms before proceeding.

The responsibility disclaimer will also appear when you are attempting to print teacher data from the groups tab or from teacher data templates in groups. It looks like this:

2. Then, once you have generated this list, you will see that the disclaimer will be automatically added to the the bottom of this page as an extra prompt to keep the file secure. 

-----------------------------------------------------------------------------------------------------------------------------

New preview, download and delete button for PDF

We have added some new buttons to certain screens which will allow you to view, download or delete PDF documents more easily than before.

The previous set-up meant that you would have to use the actions button to reach these steps, but now the buttons are right beside the PDF name and are ready to click.

These buttons will be available when you view documents in the following areas:

Teacher Docs

Student SEN and Docs

Settings > AutoDocs

Another nice feature is that when you hit the delete button, a pop up will appear to ask whether you’re sure you want to delete, making sure that documents can’t get deleted by accident.

Did this answer your question?