What data is held?
It's important to understand what information is being held about your child. Does it include your home address? Think about the potential consequences if this information was lost or shared.
Who owns this data?
Do you have the right to request it is removed? What will be done with the information? What can be done with your child's image?
Does the company hold your children's data in an unencrypted form?
If an attacker gets access to a system on which unprotected information like this is stored, they will immediately be able to access all of the data which we've mentioned above.
How does the system perform user authentication? How frequently must passwords be changed?
It's important to understand how users get in. Is this easily broken by an attacker?
Can you show me a DFD that shows where unencrypted PII exists in the system and how you mitigate attacks against it?
This is checking the technical soundness of the solution that the company have built. If they're unable to do this, how can you be sure that their system is secure?
What security auditing has been done on the system?
A secure system will have been checked by reliable third parties or a mature internal security team.
Has your company been audited in line with ISO27001?
ISO27001 is an international standard for organisational security.
Where you're holding videos and pictures, what CDN arrangements if any, do you use, and where is your CDN provider based?
Is HTTPS used at all boundaries including CDNs?
What arrangements do you have in place to dispose of data once the children are no longer at school / nursery?
Can you give me a list of the positions held by people with potential access to the data? This should include administrators at onward service providers such as AWS, Azure or Google. Have all of these people received Criminal Record Checks? Are any of these people based abroad?
Who has access to your children's data?
Please list any third-party analytics tools to which any form of metadata is sent.
Third party tools may potentially receive identifiable information about your children. Is this information being sent anywhere?
Are you prepared to let one of your customer sites undergo a third-party security assessment?