Summary #
Status #
- Active: This framework version is not the latest but is still currently active and accepted.
Key changes and items #
- Introduction of the Artificial Intelligence (AI) Module which includes criteria across cybersecurity, privacy and safety. V2024.1 introduces updates to the AI Module.
- Not all use cases of AI are assessable at this time. Review the ST4S Excluded / High Risk list for more information.
- Transition options are available to companies with v2023.1 or v2023.2 to the latest V2024.1
Dates #
- Original framework publication date: 11-June-2024
- Last update to this post: 29-January-2025
Description #
As AI rapidly expands into educational services, this framework focusses on critical controls to reduce risk and require organisations establish policies and procedures to effectively develop and maintain AI features/functions in respect to cybersecurity, privacy and online safety.
The AI Module aligns to the principles published by the Australian Ministerial Framework for AI in Education.
This framework v2023.2 introduces the AI Module. No other changes to the framework have been made since v2023.1
Key Features and Compliance Areas #
Incorporating major research and development by ESA and members of the ST4S Working Group, the AI module is designed to align with the key principles of the Ministerial Framework for AI in Education.
Overall, companies will need to demonstrate a commitment to safety and security, respect privacy, and be transparent on their usage of AI.
Key features of the AI Module:
- An exclusion list applies:
- Not all AI services are assessable and there is a focus on educational specific use cases of AI. Examples of services not assessable include using AI for biometrics, sensitive/personal information or student monitoring and administrative decision making (e.g. automated enrollment ratings with AI or analysing behaviour of students with AI).
- Some items on the exclusion list are subject to change pending advice from government and industry.
- Privacy controls:
- All services must opt-out information and user data or assets from training by default.
- If a service may use information for training or further developing the AI module, the service must provide privacy controls that allow users to easily opt-in, opt-out, and customise their preferences regarding how their information and data is to be used.
- Ethical framework and appointing an ethics/safety officer:
- Organisations must establish an ethical AI framework and appoint an AI ethics lead that is independent of development. The AI ethics lead should handle complaints from users, oversee feature development, and ensure safety testing and privacy practices are in place.
- Testing requirements:
- Testing is required for security (e.g. jailbreaking attempts), privacy (preventing personal information being disclosed to the model), and safety (e.g. testing for inappropriate content generation and outputs).
Suppliers and App Developers #
This version of the framework is in pilot and not all services with AI is assessable at this time. Supplier’s are encouraged to review the ST4S Excluded / High Risk List first to verify whether their service is eligible to be assessed.
If you are interested in how to best comply with the AI criteria we recommend reviewing the supporting resources and the criteria published in the supplier guide.
Transitioning #
Please contact the ST4S Team on the contact us page on our website.
The ST4S Team is working with suppliers on how best to transition by completing the AI Module separately in order to reduce assessment activities.
You are not required to be reassessed at this time.
A full reassessment is required. Please review the Readiness Check on our website to begin the assessment process.
Roll-out #
Overview #
The AI Module was previously in Pilot and is now implemented fully into the framework. AI is continually evolving and it’s important to note this module will very likely be updated again in the short term and feedback remains open.
The pilot and release of the AI Module into the framework involved a phased approach with an extended period of remediation for suppliers to support them in meeting compliance, and providing feedback into the framework.
- Phase 1 (V2023.2): Introduced the module and the majority of planned criteria, most notably the critical items. A limited set of companies were invited to the pilot from the pool of previous assessments, requests from the ST4S Working Group and new services expressing an interest via the Readiness Check tool.
- Phase 2 (V2024.1): Incorporates further feedback, corrections and adjustments from vendors and the working group. These updates are mostly requesting additional information and clarification on how AI services are integrated and terms of service governing the AI models.
The ST4S Excluded / High Risk list will be updated, however some use cases will remain. The above approach and phases are subject to change.
Consultation and Feedback #
Providing Feedback #
The ST4S Framework has a consultation and feedback process with a range of interested persons and organisations. Notably our feedback and consultation occurs government agencies in Australia and New Zealand such as the Department of Education in each State/Territory within Australia and the Ministry of Education in New Zealand. Consultation also occurs with independent and catholic sector school representatives. These members collectively comprise the ST4S Working Group.
ST4S originally launched in 2019 and is the work of multiple organisations and persons. Cybersecurity, privacy and online safety are rapidly changing and feedback is an important part of the framework. Releases are planned twice a year. Additional updates may occur in the interim.
Feedback is open to:
- App developers / suppliers.
- Academic researchers and independent ethical hackers.
- Advocacy groups (e.g. privacy or human rights advocacy groups etc).
- ST4S Working Group Members (e.g. Department of Education staff, Catholic and Independent sector representatives that are members of the group).
- Government agencies both local (e.g. Australia, New Zealand) and international.
Other Enquiries #
For general enquiries please contact us on our website. For media or press related enquiries, please contact our media team at Education Services Australia Limited (ESA).
