Secure websites for schools: How to do them right

In recent months, institutions have taken steps to encourage schools to set up updated websites in accordance with the indications provided by the Agency for Digital Italy.

Today practically all institutions have a website to communicate with the outside world and to get the school community to participate in the activities and projects being carried out, but institutional portals are not always clear, accessible and understandable to users.

It is not unusual to come across outdated websites that are not in line with the latest models, in terms of design, ease of use and security.

Restyling of the school’s website: the digital PA project in 2026

Given the indispensability of this tool and the need to create more modern and secure portals, the Minister of Education and the Minister of Technological Innovation and Digital Transformation have recently made PNRR funds available to institutions for creating new websites, which can be requested until 23 September 2022.

The purpose is to create more modern and efficient schools through portals that keep pace with innovation and security, structured according to a standard model that enhances the digital experience for parents, students and the entire school community.

As mentioned, the protection of personal data is a priority and affects the value of the platform that each institution chooses to use.

So let’s see which elements need the most attention to ensure the highest level of security for visitors to the site.


First of all, every site must have a privacy policy, as the school processes a large amount of personal data through the institutional portal.

Think of the information collected by default by the server (IP address, navigation data) during normal operation, or of the data communicated directly by the user when filling in an online form (such as those for sending and receiving MAD or for contact requests).

The school must therefore provide users with information about the data collected by the site and the related processing, pursuant to Articles 12 and 13 of the GDPR.

A good practice is to make the notice available via a link placed in the footer: it is preferable that the notice can be consulted from every section of the site and not just from a single page.

To meet the obligation of comprehensibility more effectively, it is also advisable to precede or follow each point where personal data is collected (each form) with a short notice containing the information that refers directly to that collection.

Cookie policy

To date, there are still many schools that have yet to comply with the “Guidelines for Cookies and Other Tracking Tools” approved by the Personal Data Protection Authority (Provision No. 231 of 10 June 2021).

It therefore often happens, when browsing the web, that pages have no banner for accepting third-party cookies, or that their cookie policies are outdated.

Usually, third-party cookies originate from elements embedded in the website from external platforms (such as YouTube or Vimeo videos), or from social media plugins, news feeds or similar features.

With regard to tracking systems, the Authority has recently ruled on the Google Analytics case, calling on “all data controllers to verify that the methods of use of cookies and other tracking tools used on their websites, with particular attention to Google Analytics and other similar services, comply with the laws of personal data protection”.

Finally, it is important to remember that the cookie policy should not be “copied” from other websites (even those with similar activities), as the tracking systems used are not necessarily the same.
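Because the cookie policy must describe the tracking sources a site actually uses, a useful first step is an inventory of the third-party origins a page loads resources from. The following is an added example (not code from the article or from any school portal): it parses a constructed sample page for a hypothetical school host and lists every external host that iframes, scripts, images, embeds or stylesheets are fetched from.

```python
"""Inventory third-party resource origins in an HTML page, as a starting point
for writing a cookie policy that reflects the site's own embeds."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for a hypothetical school site (not a real portal).
SAMPLE_HTML = """
<html><head>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="/assets/site.js"></script>
</head><body>
<iframe src="https://www.youtube.com/embed/abc123"></iframe>
<iframe src="https://player.vimeo.com/video/456"></iframe>
<img src="https://www.facebook.com/tr?id=1">
<img src="/images/logo.png">
<a href="https://example.org/external">plain link, not a resource load</a>
</body></html>
"""

# Tag/attribute pairs that make the browser fetch a resource (and exchange cookies).
RESOURCE_ATTRS = {"iframe": "src", "script": "src", "img": "src",
                  "embed": "src", "link": "href"}


class EmbedCollector(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.third_party = {}  # host -> set of tags that load from it

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        host = urlparse(url).hostname if url else None
        if host is None:  # relative URL: served by the school itself
            return
        host = host.lower()
        if host == self.site_host or host.endswith("." + self.site_host):
            return  # first-party subdomain, not a third party
        self.third_party.setdefault(host, set()).add(tag)


def third_party_hosts(html, site_host):
    """Return {external host: sorted list of tags that load from it}."""
    collector = EmbedCollector(site_host)
    collector.feed(html)
    return {h: sorted(t) for h, t in collector.third_party.items()}


if __name__ == "__main__":
    for host, tags in sorted(third_party_hosts(SAMPLE_HTML, "scuola.example.it").items()):
        print(f"{host}: {', '.join(tags)}")
```

Each host in the output is a candidate entry for the cookie policy and a candidate for the consent banner, since the browser contacts it before the user has interacted with anything.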

HTTPS protocol

For all sites we recommend adopting the HTTPS protocol (Hyper Text Transfer Protocol Secure), which ensures that the information exchanged between the user’s browser and the web portal is encrypted.

HTTPS is mainly used to protect online transactions and highly confidential data, but school sites too often have a reserved area through which personal information is transferred.

Furthermore, a website served over plain HTTP is shown as “not secure” in the address bar, and in terms of perception this is the worst thing that can happen to a site.

In addition to the benefit of security and encryption of information, using HTTPS helps the institution’s website rank higher in the results of the major search engines.

Google, for example, penalizes non-HTTPS sites (an HTTP site, even with the same content quality and authority, appears lower in the results than a site using the HTTPS protocol).

Choice of supplier

Another basic aspect is the security of the “web hosting” provider, which must be a qualified entity listed on the AgID Cloud Marketplace and whose task is to inform the site owner in advance about the server’s location and other aspects.

The supplier must be designated by the institution as an “external data processor”, since the data passing through the site is also seen by third parties, and it is therefore essential to define the roles in order to comply with the accountability principle, which determines the controller’s responsibilities for the information collected.


The school must regularly check the accessibility of its website, i.e. the ability of different users, in different contexts, to access the graphical interface and the content.

Making a website accessible means providing access to information also for people with different types of physical disabilities and for those who have limited hardware and software tools.

Publication of content and personal information

All documents and information published on the website (and therefore also those published for the purpose of transparency and publicity) must respect the privacy of the data subjects.

Schools, like all public bodies, have a duty to take the utmost care in selecting the personal data to be disseminated, in particular with regard to special categories of data and data relating to criminal convictions and offenses.

Some years ago, the Guarantor published the “Guidelines for the processing of personal data, also contained in administrative deeds and documents, carried out for the purpose of advertising and transparency on the network of public entities and other obligated entities”, to provide precise indications to all PAs.

Through these guidelines the Authority defined the obligations for publication on the Internet and specified, with regard to special categories of data and data relating to criminal convictions and offenses, that such data “is protected by a particularly strict framework of guarantees that allows public entities to disseminate such information only where required by an express legal provision and to process it only if in fact “indispensable” for the purpose of pursuing an objective of public interest, such as transparency, that is, when the same cannot be achieved, on a case-by-case basis, using anonymous data or personal data of other kinds”.

Special categories of data and data relating to criminal convictions and offenses can therefore only be published if provided for by an express legal or regulatory provision, and only if they are specifically “indispensable”, i.e. if the purpose of transparency cannot be achieved with anonymous data or other personal data.

In these cases, specific technical measures must also be taken to prevent search engines from indexing the data and to prevent its reuse.

As the Italian Data Protection Authority also points out in its FAQ “Online transparency in PA and privacy”, before publishing content on its website, each PA must:

  • Identify whether there is a legal or regulatory requirement that legitimizes the dissemination of the document or of the personal data;
  • Check, on a case-by-case basis, whether the conditions for redacting certain information are met;
  • Exclude sensitive and judicial data from indexing (i.e. from availability via online search engines), as mentioned in the previous section.

Each institution therefore has the obligation to publish information online only if dissemination is really necessary, in a way that is proportionate to the purpose of transparency pursued and envisaged by the regulations.

In addition, if the school intends to publish personal information other than that required for reasons of transparency, it must first anonymise the information and avoid solutions that allow the data subject to be identified, even indirectly or at a later time.
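The "technical measures" against indexing mentioned above are, in practice, a per-document signal (an `X-Robots-Tag` response header, which also works for PDFs, or a `robots` meta tag in HTML) possibly combined with a `robots.txt` rule. The following is an added example, not code from the article: a small checker that, given constructed sample headers, HTML and a robots.txt, reports whether a published document carries a noindex signal and whether its path is disallowed for crawlers.

```python
"""Check whether a published document is shielded from search-engine indexing."""
import re
from urllib.robotparser import RobotFileParser

# Constructed sample inputs (hypothetical paths, not from a real school site).
ROBOTS_TXT = "User-agent: *\nDisallow: /albo-online/\n"
HEADERS_OK = {"Content-Type": "application/pdf", "X-Robots-Tag": "noindex, noarchive"}
HEADERS_MISSING = {"Content-Type": "application/pdf"}
HTML_NOINDEX = '<html><head><meta name="robots" content="noindex,nofollow"></head></html>'
HTML_PLAIN = '<html><head><title>Graduatoria</title></head><body></body></html>'

# Matches <meta name="robots" content="..."> (attributes in this order).
META_ROBOTS = re.compile(
    r'<meta\s+name=["\']robots["\']\s+content=["\']([^"\']*)["\']', re.I)


def header_noindex(headers):
    """True if an X-Robots-Tag header (any letter case) contains 'noindex'."""
    value = next((v for k, v in headers.items() if k.lower() == "x-robots-tag"), "")
    return "noindex" in value.lower()


def meta_noindex(html):
    """True if the page's robots meta tag contains 'noindex'."""
    m = META_ROBOTS.search(html)
    return bool(m) and "noindex" in m.group(1).lower()


def robots_disallows(robots_txt, path):
    """True if robots.txt forbids generic crawlers from fetching the path."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return not rp.can_fetch("*", path)


def indexing_status(path, headers, html="", robots_txt=""):
    """Report both signals separately: a robots.txt Disallow only asks crawlers
    not to fetch the URL, and a URL linked from elsewhere can still be listed,
    so the per-response noindex signal is the one that actually protects it."""
    return {
        "noindex": header_noindex(headers) or meta_noindex(html),
        "robots_disallow": robots_disallows(robots_txt, path),
    }


if __name__ == "__main__":
    print(indexing_status("/albo-online/delibera.pdf", HEADERS_OK, robots_txt=ROBOTS_TXT))
    print(indexing_status("/albo-online/delibera.pdf", HEADERS_MISSING, robots_txt=ROBOTS_TXT))
```

A document for which `noindex` is False is published without the protection the guidelines require, regardless of what robots.txt says.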


Before publishing any content on the site, it is necessary to ensure that the material is freely reproducible or to obtain the author’s consent.

With regard to resources available online, it is advisable to always read the legal notices carefully.

Only if you read phrases such as “no rights reserved” or “freely usable material” can the content be published without asking anything of its author.

In any case, when using third-party material, it is also necessary to indicate the source from which the resource was taken (or its place of origin, in the case of images).


In light of the above, the website plays a central role in communication, as it allows the school to reach a wide audience of users.

Each school should therefore draw up internal rules so that the portal complies with the requirements of AgID and the Guarantor, respects the privacy of data subjects, is accessible, easy to consult and constantly updated, and reflects the school’s image, promoting a participatory and organisational relationship between the members of the community.
