Vetting of Application Security & Privacy

ECNO’s Vetting of Application Security & Privacy (VASP) service provides professional risk assessments of security and privacy concerns related to educational digital tools and applications on behalf of Ontario’s K-12 School Boards.

Our process is based on our Student Digital Privacy Standard, which embodies uncompromising standards of protection and progressive privacy and security protections that align with those endorsed by regulators and experts across North America and the European Union. The goal is to shift the data protection landscape and raise the bar for student digital privacy in Ontario schools.

What it is

VASP assessments provide Boards with a risk score, incorporating information about the risks that should be considered, and any mitigating strategies that can help reduce the identified risks.

Our assessments examine the student and staff personally identifiable information (PII) being collected, weigh any privacy or security risks, verify compliance between publicly stated policies/terms and practice, and advise on mitigating strategies where required.

What it is not

A VASP assessment is not a certification, endorsement or marketing tool. It is also not an approval or disapproval of any given digital tool for use in schools and classrooms. Our assessments are a tool that School Boards utilize as part of their own independent processes for reviewing digital tools.

Ultimately, it is up to each Board to assess the identified risks against their risk tolerance, as part of their own digital tool assessment and approval process.

The VASP Process

  1. Staff submit a request through their School Board’s Digital Tool approval process.
  2. Each Board typically conducts their own internal assessment of their digital tools and applications from a pedagogical lens to establish that the Board has the infrastructure to support the software, and that they do not already have another digital tool in place that meets the needs.
  3. The Board then submits a VASP request for the digital tool to be assessed.
    1. Requests for assessment are only accepted from our member School Boards; providers need to collaborate with their client’s School Board for their tool to be assessed.
  4. A team of privacy and security analysts conducts an initial assessment. The Privacy Analyst vets the supporting documents and the Security Analyst ‘fuzzes’ the application. Typically, the vetting and fuzzing process results in a set of questions and recommendations for the provider.
  5. The team will attempt to connect and collaborate with the provider to address any questions or recommendations.
  6. Following provider discussions, the analysts produce School Board and Educator reports based on the initial assessment along with any changes/clarifications obtained during discussions with the provider.
    1. If the provider does not respond or is uncollaborative, we will publish the reports with our findings and note that the provider did not participate.

Please feel free to reach out to our team. Together, we can build a brighter and tech-savvy future for our schools.