The Dutch government is pulling out the purse strings to improve digital security in primary and secondary education. These sectors will receive 6 million euros structurally to address digital security and privacy. In this way, the cabinet wants to create a safe learning and working environment, both physically and digitally. So write Minister of Education, Culture and Science Robbert Dijkgraaf and Minister of Primary and Secondary Education Dennis Wiersma in a letter to the Lower House.
Educational institutions are increasingly targeted by cyber attacks. Despite all measures to increase cyber resilience, they are still susceptible to digital attacks. This was concluded by the Inspectorate of Education in September 2021. Then-Minister of Education Ingrid van Engelshoven shared these concerns and announced measures to increase the digital resilience of the education sector.
It is up to Minister Dijkgraaf and Wiersma to heed and follow up on this promise. And that is exactly what the ministers are doing. As educational institutions store and exchange more and more data about pupils and students, it is important to protect them from cyber attacks and other digital threats.
"Digital resilience must therefore be increased at all institutions to a level that provides demonstrable security," the ministers wrote to the House of Representatives. "Non-commitment is not an option when it comes to digital resilience and privacy. The entire education sector and all stakeholders must take steps to increase digital resilience across the sector, and to ensure the continuity and quality of education and research."
Educational institutions, as data controllers, are admittedly responsible for how personal data are processed. That does not mean that the government should stand by the sidelines. On the contrary: according to Minister Dijkgraaf and Wiersma, the government has a "strong, anticipatory role."
With increasing digitization in education, it is becoming increasingly difficult for institutions to ensure privacy. Therefore, the government is going to get more actively involved. To begin with, Data Protection Impact Assessments (DPIAs) on digital products in education will be conducted centrally. "This will allow institutions to make better informed choices about the privacy of pupils and students," the ministers write.
In addition, the Ministry of Education is working toward a shared standards framework for digital security for the entire education sector. The starting point for this is the ISO 27002 standards. Senior secondary vocational education, higher education and the research sector already use that standards framework. Minister Dijkgraaf and Wiersma want to introduce this in primary and secondary education.
Furthermore, the Inspectorate of Education will have a greater role. The Inspectorate has no separate powers in the area of cybersecurity. However, the ministers hope the Inspectorate can act as an incentive to improve cyber resilience across the sector. Finally, the ministers are committed to more training. Raising awareness of digital threats should boost digital resilience.
To implement these measures, the Ministry of Education is reaching into its pockets. Primary and secondary education will receive an additional 6 million euros structurally to improve digital security. That money is intended, among other things, to create a framework of standards for information security and privacy. That requires specialized and legal knowledge "that is not present at every school." That creates inequality between schools and differences in digital safety of students.
To counter this, the government wants to centralize this knowledge. With the help of external audits, the government can intervene when necessary. Educational organizations such as Kennisnet, the PO Council and SIVON are helping to draw up the standards framework. The government aims to conduct a baseline measurement early next year.
To ensure that school boards pay more attention to information security and privacy, they must explicitly address these topics in their annual reports. This measure will take effect from the school year beginning in 2023.
Finally, there will be a Computer Emergency Response Team (CERT) for primary and secondary education that will act as a "digital fire department." A school that is the target of a cyber attack can then report here. CERT then helps the institution deal with it. CERT joins the Landelijk Dekkend Stelsel (LDS). This is a partnership between vital and non-vital companies and agencies in the area of cybersecurity that share relevant threat information among themselves.
