Data security warning for parents of school children in South Africa

The Department of Basic Education (DBE) uses a system for sharing and storing administrative data so old that it does not work on computers running Windows 10 or 11, reports Rapport.
This means the machines running the DBE’s system, SA-SAMS, are running on a version of Windows that no longer receives security updates from Microsoft.
Windows 10 will enter End of Support on 14 October 2024, after which Microsoft will no longer provide free security updates for the operating system.
Microsoft offered an extended security update (ESU) programme for Windows 7, which ended in January 2023. It did not offer ESU for Windows 8.1.
According to Rapport, SA-SAMS does not have the capability to protect information with encryption technology or multi-factor verification.
Although the system does not use any cloud storage, the data of students, parents, and teachers must be transferred to the DBE.
To send the data to the DBE, some schools export it to a USB drive or even take the whole computer on which they run SA-SAMS to the department.
One Gauteng school administrator told Rapport that they often have issues when the DBE issues a new patch for SA-SAMS to change something on the software’s back end.
“We always hope and pray they don’t make any changes,” they said.
A school principal in KwaZulu-Natal told the publication that they use a third-party platform, but have to periodically export their data into SA-SAMS because the DBE wants the information in that format.
They also said that they have resisted providing the DBE with quarterly financial reports. However, under the controversial new Basic Education Laws Amendment (BELA) Act, schools must now submit their financial information using SA-SAMS too.

Reports that SA-SAMS does not encrypt data could land the department in more hot water with the Information Regulator.
The Information Regulator and DBE are already at loggerheads over the publication of matric results in newspapers.
Last year, the privacy watchdog served the DBE with an enforcement notice, warning that publishing matric results in newspapers breached “the conditions for the lawful processing of personal information” under the Protection of Personal Information Act (Popia).
When the DBE failed to appeal or provide a written undertaking not to publish the results, the Information Regulator fined it R5 million.
It also applied to the High Court for an urgent interdict to block the DBE from publishing the results.
While the interdict was thrown out of court when the Information Regulator couldn’t adequately explain why it hadn’t taken action against the DBE sooner, the merits of the matter have yet to be heard.
Three years ago, the DBE announced it would stop publishing matric results on media platforms, including newspapers, to comply with Popia.
However, it faced backlash from civil society group AfriForum and Afrikaans news publisher Maroela Media. They argued that the change would disadvantage learners who didn’t live near their respective schools.
The North Gauteng High Court overruled the department, instructing it to continue publishing matric results on media platforms and in newspapers.
However, it ordered the DBE to ensure that the results published did not reveal the names and surnames of learners.
The department accepted the ruling as it had not published learners’ names alongside their results since 2014.