Passwords and Security

Security updates - a complete list (read time 10 minutes)

In this article, we are taking a look back at the security changes that we have implemented at VSware in 2018 and 2019. 

The EU General Data Protection Regulation (GDPR) is an EU-wide regulation that came into force on May 25th 2018. It was introduced to set a new standard for how companies use and protect EU citizens’ data. At VSware we have worked hard to ensure that we are fully compliant and that we remain transparent about how we use our customers’ data. Before making the necessary changes, we prepared for GDPR by carrying out the following tasks and reviewing these areas:

Internal Review - VSware started preparation for GDPR by preparing a comprehensive overview of all systems and data as well as formulating a plan to improve all processes related to this data. This also includes a commitment to better communicate all changes to the customer.

Access Management - Improved user management options mean that schools have more power to decide which users see certain information.

Incident Management - This data breach reporting tool on our website enables customers to report breaches outside of office hours. It can be accessed .

Subject Access Request - Under the new GDPR guidelines, individuals have the right to request access to the information the school holds on them or their child. If a parent, student or employee of a school requests access to the information the school holds on them, that request goes to the school first and will then be passed on to VSware for processing.

Ease of Access - VSware makes it easy to retrieve student/parent/staff information as all data is stored in one place.

Security Updates 2018/2019

2 Factor Authentication

2-Factor Authentication is an optional security feature that can be added to the user login screen. The feature allows the school to decide which groups of users are included in 2FA (Principals/Secretaries/Teachers/Contacts/Learners). Here’s how it works: 

  • 2FA is first enabled for a specific group of users. When a user then attempts to log in, an SMS will be sent to their phone with a once-off code which they must enter to gain access to their account. The mobile number used will be the one saved on their VSware account.
  • The user will be brought through the 2FA process every 30 days or if they log in on a new computer/device.
  • If a school decides to use this feature, the principal must call support and request to have it enabled for the school. After this is done, you can then specify which users (Teachers/Learners etc.) will have 2FA enabled. This can be done in ‘Settings > System Settings’ by checking the relevant boxes, as in the video above.
  • There is also a new report in ‘Settings’ called ‘2 Factor Auth’. It provides a list of users who do not have a mobile phone number saved on their account.

2FA process:

  1. Go to your school URL and enter your login details.
  2. If you have not logged in in over 30 days, or if you are attempting to log in on a different device or computer than the last login attempt, an SMS will be sent to your mobile phone containing a verification code and you will be presented with the below screen.
  3. Enter your verification code and click sign in.
-----------------------------------------------------------------------------------------------------------------------------

Password security

In order to ensure that our software fully protects our users’ personal information, we have made some significant changes to the way in which VSware handles user passwords. The latest changes were made in July 2019.

Click here for the guide on how to reset passwords and here for the full manual.

Users can now update their own passwords

All users (parents, teachers, secretaries, principals, all school staff) can now reset their own passwords without having to go through the school admin staff, with the exception of students, who must still contact the school.

The previous system meant that users had to go through the school admin to receive a temporary password. This is now only valid for student users.

Permanent passwords (the ones created by the user) are never visible to anyone but the user themselves, even to secretaries and principals (admin)

The only instance in which the admin will ever be able to see the password of another user is when a temporary password is created for a student. There is an option to make this temporary password briefly visible so that the secretary can give it to the student; however, the secretary will never be able to view, print or download the permanent password of another user in any instance. SMS messages cannot be sent to students, so it is not possible to see the password this way either.

Passwords can no longer be generated in a list for either individual users or groups of users

Now, when you view ‘Print Student Data’, the options for Mother Password, Father Password, Self password or Student password are no longer available to generate in a downloadable file or to print. You are also not able to print a teacher’s password from ‘Print Teacher Data’. This applies to when you are accessing the print student/teacher data screen either from a group or an individual user. 

There is a new report that generates a list of which household contacts or student accounts are missing a password

The new reports found under 'Student Reporting' and 'Teacher Reporting' have been created because print student/teacher data can no longer be used to identify accounts with missing passwords.
-----------------------------------------------------------------------------------------------------------------------------

SEN documents in read only format

This update ensures that medical and SEN documents open in the browser in read only mode. This also means that only PDF documents can be uploaded to the student’s SEN section.

-----------------------------------------------------------------------------------------------------------------------------

Upload your school’s privacy statement

Schools can upload their own privacy document in PDF form onto their login screen. To do this, go to ‘Settings > System Settings’ and press ‘Upload a privacy statement’. This will allow anyone with the link to the VSware login page to download this document, including parents.

-----------------------------------------------------------------------------------------------------------------------------

Enable / Disable Dashboard Widgets

Users are able to toggle on/off existing widgets on the dashboard (such as Behaviour, Overdue roll calls etc.). This gives the user greater control over what they see when they log in. This is particularly useful if you use a projector in the classroom and don’t want student or class details displaying on the board.

-----------------------------------------------------------------------------------------------------------------------------

Updated Teacher Permissions

Previously the user permission ‘Allow access to Detailed Student Information’ allowed users access to the Personal and Household tab of a student profile as well as the ability to print student data. Administrators can now separate these permissions, so that it is possible to give a teacher access to either the Personal or Household tab or give access to Print Student Data. This is managed through Users & Groups.
-----------------------------------------------------------------------------------------------------------------------------

User Setup Wizard

The images below are a preview of what you will see when the User Setup Wizard appears on your account. 

In May, all users were prompted to go through a short checklist after logging in to ensure that the way in which we use your school data is fully GDPR compliant. The ‘wizard’ prompts you to review the following:

  • Our Privacy Statement. You will be given the option to review this statement before accepting.
  • If you have access to the Intercom chat feature, you will be given the option to receive communications about events and services through this channel.
  • The configuration of the widgets on your dashboard. You will be prompted to select which widgets appear on your dashboard when you log in. The purpose of this is to ensure that sensitive student information (like details of a behaviour incident) does not display immediately after login. This is especially useful for teachers who project their screens in front of their class.

You will only be shown tasks that are yet to be completed. If you have already configured your widgets, for example, the wizard will skip this step, and if you are a parent or student, you will not be asked about Intercom.

-----------------------------------------------------------------------------------------------------------------------------

Print Student Data now in ‘Household’

The “Print Student Data” option is available under the Actions button on the Student’s household tab. This option is only available for Principals, Secretaries and Teachers.

-----------------------------------------------------------------------------------------------------------------------------

Users access to Print Student Data

The permission changes also have an impact on the print student data feature. It’s a bit complicated, so let's break it down:

1) If permissions “Grant Access to ALL Students Profiles” and “Print Student Data” are both ticked on the teacher’s account page:

The teacher will be able to print student data for all students from all classes and groups, and they will have access to print all data on those students (apart from Custom fields and Usernames / Passwords).

Note: For FE schools, some fields such as: Grant, VITOS, Self Email, Self Mobile, Self Username, Self Password may not be available. If you require these but they are missing, please contact support.

2) If permission “Print Student Data” is ticked on the teacher’s account page (Screenshot above):

For students the teacher does not directly teach – minimal data can be printed: Class, First Name, Last Name, Full Name

For students they do teach, the data they can print is based on the teacher’s permissions for the student’s Personal and Household tabs (on the teacher’s account page). To put that another way, if the teacher has the ‘Print Student Data’ and ‘Allow access to student’s Household tab’ permissions checked, they will be able to print household information on their own students, and if they have the ‘Print Student Data’ and ‘Allow access to student’s Personal tab’ permissions checked, they will be able to print personal information on their own students.
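The two rules above can be written as a small decision function, which is handy when reviewing who can print what before assigning permissions. This is an added illustration, not VSware code: the class, function and scope names are hypothetical, and it assumes that a teacher without ‘Print Student Data’ can print nothing and that the minimal fields are always included for a teacher's own students.

```python
from dataclasses import dataclass

# Scope labels are hypothetical names for the data categories the page describes.
MINIMAL, PERSONAL, HOUSEHOLD, OTHER = "minimal", "personal", "household", "other"
# Rule 1 says these are never printable by a teacher, so no branch returns them.
EXCLUDED = frozenset({"custom_fields", "usernames_passwords"})


@dataclass(frozen=True)
class TeacherPerms:
    print_student_data: bool = False
    all_student_profiles: bool = False  # access to all student profiles
    personal_tab: bool = False          # access to student's Personal tab
    household_tab: bool = False         # access to student's Household tab


def printable_scopes(p: TeacherPerms, teaches_student: bool) -> frozenset:
    """Data categories this teacher can print for one student."""
    if not p.print_student_data:
        return frozenset()              # assumption: no print permission, no output
    if p.all_student_profiles:          # rule 1: everything except EXCLUDED
        return frozenset({MINIMAL, PERSONAL, HOUSEHOLD, OTHER})
    if not teaches_student:             # rule 2: student the teacher does not teach
        return frozenset({MINIMAL})
    scopes = {MINIMAL}                  # assumption: minimal fields always included
    if p.personal_tab:
        scopes.add(PERSONAL)
    if p.household_tab:
        scopes.add(HOUSEHOLD)
    return frozenset(scopes)


def over_broad(roster: dict) -> list:
    """Teachers who can print more than minimal data on students they do not teach."""
    return sorted(name for name, p in roster.items()
                  if printable_scopes(p, teaches_student=False) - {MINIMAL})


# Constructed sample roster for the review.
ROSTER = {
    "year_head": TeacherPerms(True, True, True, True),
    "class_tutor": TeacherPerms(True, False, False, True),
    "sub_teacher": TeacherPerms(False, False, True, True),
}
```

Running `over_broad(ROSTER)` lists the accounts whose print access extends beyond their own students, which is the group worth checking first in a least-privilege review.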

-----------------------------------------------------------------------------------------------------------------------------

Users & Groups 

In order to improve security, we have created brand new screens for managing users and their permissions. 

We know that each school is unique and roles and responsibilities can be divided up in lots of different ways. These new screens not only increase security by making it easier for a school to manage who has access to what data, but also cut out a lot of the cumbersome work associated with managing permissions on a user-by-user basis.

With this new system, a school is now able to manage all users and also create bespoke user security groups. For example, you can decide to create a group of year heads, class tutors, career guidance, attendance officers, teachers with timetabling permissions etc. 

Previously, it was only possible to grant permissions on an individual basis, meaning that you would be forced to go to the account page of each individual year head, for example, and grant the specific permissions you wanted them to have.

The layout of the new screens means that this is no longer necessary. It has been simplified so that everything is contained in just two screens, one to create the security groups and allocate the permissions associated with them, and one to drag and drop the names of the relevant users into those groups. It’s that simple!
-----------------------------------------------------------------------------------------------------------------------------

Restricted teacher access to student information

This feature follows on from Users & Groups. All teachers now only have access to the profiles of students that they directly teach unless they are given additional permissions in Users & Groups, particularly 'Access to all student profiles'.

If a teacher has basic access, they will see: Display Name, Photo, Current Student Status (which lesson they are currently in) for students that they don’t directly teach. 

Substitution

In cases where a teacher is substituting for another teacher, the covering teacher will have access to the details of the students they are covering. These details will just include the student’s Attendance, Behaviour, Timetable and Classes & Groups. This access will only last for the day.

Adding a behaviour

When adding a behaviour and clicking into the dropdown menu of the student’s subjects, teachers will only see subjects they are assigned to or are covering.

Make editable

Teachers will have access to the teaching groups that were assigned to them through the following live timetable changes:

  • Swap Teacher
  • Add as Additional Teacher
  • Add Lesson
  • Add New Resource Class
  • Add Existing Resource Class

-----------------------------------------------------------------------------------------------------------------------------

Guide to password safety

---------------------------------------------------------------------------------------------------------------------------

Responsibility Disclaimer

As part of our continued efforts to improve the security of our users’ data, we are planning to add a simple reminder to our screens which prompts the user to ensure that any sensitive information which is downloaded or printed from VSware is handled in a secure and appropriate manner. We know that on a busy school day, things like this can sometimes get overlooked, so the prompt is there simply to serve as a reminder.

There are two changes to be aware of. 

1. You will be prompted to accept the responsibility disclaimer when attempting to print student data from the groups tab, the classes tab, the student’s profile, from a student data template or from the teaching group screen. It will require that you accept its terms before proceeding.

The responsibility disclaimer will also appear when you are attempting to print teacher data from the groups tab or from teacher data templates in groups. It looks like this:

2. Then, once you have generated this list, you will see that the disclaimer is automatically added to the bottom of the page as an extra prompt to keep the file secure.

-----------------------------------------------------------------------------------------------------------------------------

New preview, download and delete button for PDF

We have added some new buttons to certain screens which will allow you to view, download or delete PDF documents more easily than before.

The previous set-up meant that you would have to use the actions button to reach these steps, but now the buttons are right beside the PDF name and are ready to click.

These buttons will be available when you view documents in the following areas:

Teacher Docs

Student SEN and Docs

Settings > AutoDocs

Another nice feature is that when you hit the delete button, a pop up will appear to ask whether you’re sure you want to delete, making sure that documents can’t get deleted by accident.

-----------------------------------------------------------------------------------------------------------------------------