Student Data Privacy in Australian Schools: What Leaders Need to Know
Student data privacy has moved from a compliance checkbox to a genuine school governance issue. As schools adopt more digital tools — learning management systems, assessment platforms, communication apps, student information systems — the volume of data being processed about students has grown dramatically.
This guide is written for Australian school leaders: principals, IT directors, business managers, and anyone involved in EdTech procurement decisions.
The Legal Framework
The Privacy Act 1988
The Privacy Act 1988 (Cth) is the primary federal legislation governing personal information in Australia. It applies to:
- Australian Government agencies
- All businesses and not-for-profits with annual turnover above $3 million
- Health service providers regardless of turnover
- Private schools regardless of turnover (as they are treated as businesses)
Key implication: Every private school in Australia is directly bound by the Privacy Act. Government schools are bound by state-based privacy legislation that typically mirrors the federal framework.
The Australian Privacy Principles (APPs)
The Privacy Act is operationalised through 13 Australian Privacy Principles (APPs). For schools, the most relevant are:
APP 1 — Open and transparent management Schools must have a clearly accessible privacy policy explaining what data they collect, why, and how it's handled.
APP 3 — Collection of solicited personal information Schools should only collect the personal information reasonably necessary for their functions.
APP 5 — Notification of the collection Individuals (or their parents/guardians for minors) must be notified when personal information is collected.
APP 6 — Use or disclosure of personal information Information collected for one purpose should not be used for another purpose without consent or a legal basis.
APP 8 — Cross-border disclosure Before disclosing information to overseas recipients (including cloud service providers), schools must take reasonable steps to ensure the recipient handles the data in a way consistent with the APPs.
APP 11 — Security of personal information Schools must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access.
The Notifiable Data Breaches Scheme
Since 2018, organisations covered by the Privacy Act must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when a data breach is likely to result in serious harm.
For schools, this means:
- A process must exist to detect and assess potential breaches
- Notification must occur within 72 hours of determining a breach has occurred
- Affected families must be directly notified when there is real risk of serious harm
Student Data: Special Considerations
Student data carries additional sensitivity because:
- Minors cannot provide meaningful consent — parental/guardian consent is required for most data collection
- Data persists — educational records can follow students for years; a mistake at age 12 can have implications at age 22
- Power imbalance — students and families cannot easily opt out of school systems
- Data richness — school data includes academic performance, behavioural records, health information, family circumstances, and more
What Counts as Personal Information?
In the school context, personal information includes but isn't limited to:
- Name, date of birth, address
- Academic results, assessment data, attendance records
- Behavioural and disciplinary records
- Medical and health information
- Family and household information
- Photos and video
- Device identifiers and IP addresses
- Biometric data (used in some attendance systems)
Sensitive Information
The Privacy Act provides additional protection for _sensitive information_, including health information, racial or ethnic origin, and religious beliefs. Schools frequently handle sensitive information — medical conditions, learning disabilities, cultural background — and must apply higher standards of care.
Vendor Due Diligence: What to Ask
When a school procures any EdTech platform that processes student data, they are sharing that data with a third party. Schools remain responsible for how that data is handled, even after it leaves their systems.
Data Location
Ask: Where is our data stored? In which country or countries?
Why it matters: APP 8 requires schools to ensure overseas recipients handle data consistently with Australian privacy principles. Data stored in the US, UK, or EU may be subject to foreign access by government agencies under laws like CLOUD Act (US) or equivalent frameworks.
Best practice: Australian schools should prefer vendors with data stored exclusively in Australian data centres, particularly for sensitive student information.
Data Use and Training
Ask: Is our student data used to train your AI models? Is it shared with any third parties?
Why it matters: Some EdTech vendors use customer data to improve their products. For student data, this is ethically problematic and may breach APP 6 (secondary use of information).
Best practice: Vendors should provide a Data Processing Agreement (DPA) that explicitly prohibits using student data for model training or product improvement without express consent.
Data Retention and Deletion
Ask: How long do you retain our data? What happens to it when we terminate our subscription?
Why it matters: Schools have obligations around records retention — but also around data minimisation. Vendors who retain data indefinitely after contract termination create ongoing privacy risks.
Best practice: Contract terms should specify: maximum retention period post-termination, data deletion/return within a defined timeframe, and certification of destruction on request.
Security Certifications
Ask: What security certifications or frameworks does your platform comply with?
Relevant frameworks include:
- ISO/IEC 27001 — international standard for information security management
- ACSC Essential Eight — Australian Cyber Security Centre baseline strategies
- ACSC Information Security Manual (ISM) — comprehensive guidance for government-aligned organisations
- Penetration testing — regular independent security testing
Incident Response
Ask: What is your breach notification process and how quickly will you notify us?
Under the Notifiable Data Breaches scheme, schools need to know about vendor incidents quickly enough to fulfil their own notification obligations.
Building Your Privacy Framework
Privacy Impact Assessments (PIAs)
A PIA is a structured process for identifying and managing privacy risks before implementing a new system or changing how data is handled. The OAIC recommends PIAs for any new significant project involving personal information.
For EdTech procurement, a PIA should address:
- What data will be collected
- Who will have access to it
- Where it will be stored and processed
- How it will be secured
- How it will be deleted
- What happens in the event of a breach
Staff Training
Privacy obligations only function if staff understand them. Regular training should cover:
- What constitutes personal information at your school
- How to handle requests from parents/guardians for access to their child's records
- How to respond to suspected data breaches
- What to check before using a new EdTech tool
Parent Communication
Schools are increasingly expected to proactively communicate their data practices to families. An accessible, plain-language summary of what data is collected and why — beyond the technical privacy policy — builds trust and reduces complaints.
_GoHiMark is built on Australian infrastructure, complies with the Privacy Act 1988, and provides a full Data Processing Agreement on request. Learn more about our security practices._