View Categories

ST4S Framework v2025.1

2025.1 ST4S Framework Hero Image

Summary #

Status #
  • Latest Version: This is the latest framework version that's currently active.
Key changes and items #
  • Various improvements to question wording and response options.
  • Updates to the classification of certain data types.
  • Updates to integration category (INT).
  • Improvements to access controls and password related criteria.
Dates #
  • Original framework publication date: 16-12-2025
  • Last update to this post: 16-December-2025

Description #

ST4S v2025.1 includes many changes suggested by app developers and suppliers, and the adjustment of criteria to align with new forms of authentication including password-less type options.

Feedback on the ST4S assessment framework can be submitted at anytime through our feedback and consultation form.

Summary of Changes #

0

Major Changes #

0

Moderate Changes #

0

Minor Changes #

Key Features and Compliance Areas #

Various improvements:

  • This framework introduces major improvements to pre-existing criteria, the majority of which do not impact critical compliance.
 

Access controls (category A):

  • Passkeys, secure login links, one time passcodes (OTPs) and similar are being incorporated into the framework.
  • We have improved criteria on student login methods including for services which provide classroom activities through the use of a ‘room code’ or ‘join code’ etc. Apps should implement rate limiting and brute force protections on these methods.
  • We have revamped the order and simplified some of the criteria to help improve whether a control applies to the organisation vs the service.
Integrations:
  • Clarifying controls and how privacy criteria applies to services only receiving vs sending and receiving personal data.
  • Services which act as the primary sending service (e.g. major student administration systems and core systems) will be required to apply privacy features to support schools in opting out particular students to protect their information from being disclosed to other apps and services not authorised.

AI Module:

  • We are continuing to review the AI Module criteria and how personal information can be safely processed with privacy protections in an expected future release (subject to approval) under v2026.1.
  • Services which provide interactive AI features used by students (e.g. image generation or chat bot conversations) must demonstrate additional safety testing including displaying critical safety messaging and alerts.
  • Companies with interactive chat bots and image generation tools are strongly advised to review the Australian eSafety Comissioner’s publications in relation to the online safety code and other guardrails announced by her office in relation to AI features.
  • Services which use speech to text (STT), text to speech (TTS) along with AI models to improve effectiveness (e.g. AI enhanced transcribing), or to provide accessibility use case (e.g. assistive technology which use AI features) will be assessable under v2026.1 however, companies may apply for an exemption to be assessed under v2025.1 now.  Please contact the ST4S Team first before requesting an assessment.

Suppliers and App Developers #

If you are interested in how to best comply with the AI criteria we recommend reviewing the supporting resources and the criteria published in the supplier guide.

Transition options are available depending for suppliers who have had a service recently assessed under the ST4S framework including those who undertook the AI Module in its first release or as part of v2024.1.

Transitioning #

We will be publishing information after the framework is released for app developers looking to upgrade from a recent version of the framework.

Consultation and Feedback #

Providing Feedback #

The ST4S Framework has a consultation and feedback process with a range of interested persons and organisations. Notably our feedback and consultation occurs government agencies in Australia and New Zealand such as the Department of Education in each State/Territory within Australia and the Ministry of Education in New Zealand. Consultation also occurs with independent and catholic sector school representatives. These members collectively comprise the ST4S Working Group.

ST4S originally launched in 2019 and is the work of multiple organisations and persons. Cybersecurity, privacy and online safety are rapidly changing and feedback is an important part of the framework. Releases are planned twice a year. Additional updates may occur in the interim.

Feedback is open to:

  • App developers / suppliers.
  • Academic researchers and independent ethical hackers.
  • Advocacy groups (e.g. privacy or human rights advocacy groups etc).
  • Industry groups relating to cybersecurity, privacy, safety and software development.
  • ST4S Working Group Members (e.g. Department of Education staff, Catholic and Independent sector representatives that are members of the group).
  • Government agencies both local (e.g. Australia, New Zealand) and international.
Submit Feedback

Other Enquiries #

For general enquiries please contact us on our website. For media or press related enquiries, please contact our media team at Education Services Australia Limited (ESA).

What are your thoughts on this article?