New South Wales Auditor General highlights inadequacy of security and privacy protections in NSW public schools
June 29, 2026
Schools are mass collectors of data, much of it very sensitive. Details of children enrolled in classes, their medical and pyschological issues are enthusiastically collected. Phone numbers and addresses of parents, guardians and other relatives are provided to schools. Today the Auditor General in New South Wales released a report highlighting the problems with the current system in NSW schools.
It is very much a mixed report card. While the department has structures and policies in place there is a very imperfect implementation and monitoring. There is a real problems with apps schools use with much sensitive data accessible by third party providers.
The department states there were 491 suspected data breach matters resolved from 2023 to 2025 that involved student information:
-
- 435 matters were assessed as being a data breach but not an eligible data breach
- 6 matters met the threshold to constitute an eligible data breach
- 1 matter was assessed as a non-department data breach
- 35 matters were assessed as not being a data breach
- 12 were not data breaches but involved related queries from schools
- 2 were duplicate
In 83% of cases the suspected data breaches in 2024–25 were the result of human error, such as access control errors, email errors, permission-to-publish errors and staff misconduct. Other causes included loss or theft (7%), system faults (5%) or cyber incidents (3%).
Incidents
- The personal mobile phones of 2 department staff were compromised through SIM-swap attacks that compromised both their personal and department accounts. The threat actor accessed the personal information of students, staff and
- This breach was classified and handled as an eligible data breach, and the department notified affected individuals (with the help of ID Support NSW) and the The department advised it took other actions in response to the breach including:
- moving staff members who fell victim to the attack from text message multi-factor authentication to Microsoft authenticator with passkeys
- completing an internal audit to ascertain and revise down the extent of the personal information accessed by the threat actor
- engaging external service providers to ensure the department had met the regulatory requirements under the privacy legislation
- implementing phishing-resistant multi-factor authentication software for all employees (currently within the pilot phase).
Unauthorised disclosure of information
- A school shared photos of 3 students on its Facebook page without parental consent and despite enrolment forms indicating no permission. After a family raised concerns via email, the school removed the
- A staff member used the school’s third-party school administration system to send text messages to parents about their child’s absence from school. Instead of the text messages going only to the children’s parents, they went to the children’s emergency contacts and other children’s parents. After identifying this breach, the school reverted the settings on the third-party school administration system to their correct
- A community member found volumes of school paper records containing student information dumped at a building construction site. The department recovered and digitised the records.
The snapshot of the report provides:
Key findings
The department has established a range of controls to manage the security and privacy of student information
Over the last 3 years, the department has strengthened its controls by uplifting cyber security capability, centrally contracting key third-party IT vendors, developing specific policy frameworks, and providing professional learning and centralised supports for schools.
Technical responsibilities have been allocated to school principals without sufficient departmental oversight
The department does not clearly define the specific risks to student information that schools must manage, nor provide clear operational guidance or proactive support to monitor how legislative and policy requirements are met in practice at the school level. With principals relying on their own judgement and capacity, practices are inconsistent and in some cases non-compliant. Read the rest of this entry »