New South Wales Auditor General highlights inadequacy of security and privacy protections in NSW public schools
June 29, 2026
Schools are mass collectors of data, much of it very sensitive. Details of children enrolled in classes, including their medical and psychological issues, are enthusiastically collected. Phone numbers and addresses of parents, guardians and other relatives are provided to schools. Today the Auditor General in New South Wales released a report highlighting the problems with the current system in NSW schools.
It is very much a mixed report card. While the department has structures and policies in place, implementation and monitoring are very imperfect. There are real problems with the apps schools use, with much sensitive data accessible to third-party providers.
The department states there were 491 suspected data breach matters resolved from 2023 to 2025 that involved student information:
- 435 matters were assessed as being a data breach but not an eligible data breach
- 6 matters met the threshold to constitute an eligible data breach
- 1 matter was assessed as a non-department data breach
- 35 matters were assessed as not being a data breach
- 12 were not data breaches but involved related queries from schools
- 2 were duplicate
In 83% of cases the suspected data breaches in 2024–25 were the result of human error, such as access control errors, email errors, permission-to-publish errors and staff misconduct. Other causes included loss or theft (7%), system faults (5%) or cyber incidents (3%).
Incidents
- The personal mobile phones of 2 department staff were compromised through SIM-swap attacks that compromised both their personal and department accounts. The threat actor accessed the personal information of students, staff and
- This breach was classified and handled as an eligible data breach, and the department notified affected individuals (with the help of ID Support NSW) and the The department advised it took other actions in response to the breach including:
- moving staff members who fell victim to the attack from text message multi-factor authentication to Microsoft authenticator with passkeys
- completing an internal audit to ascertain and revise down the extent of the personal information accessed by the threat actor
- engaging external service providers to ensure the department had met the regulatory requirements under the privacy legislation
- implementing phishing-resistant multi-factor authentication software for all employees (currently within the pilot phase).
Unauthorised disclosure of information
- A school shared photos of 3 students on its Facebook page without parental consent and despite enrolment forms indicating no permission. After a family raised concerns via email, the school removed the
- A staff member used the school’s third-party school administration system to send text messages to parents about their child’s absence from school. Instead of the text messages going only to the children’s parents, they went to the children’s emergency contacts and other children’s parents. After identifying this breach, the school reverted the settings on the third-party school administration system to their correct
- A community member found volumes of school paper records containing student information dumped at a building construction site. The department recovered and digitised the records.
The snapshot of the report provides:
Key findings
The department has established a range of controls to manage the security and privacy of student information
Over the last 3 years, the department has strengthened its controls by uplifting cyber security capability, centrally contracting key third-party IT vendors, developing specific policy frameworks, and providing professional learning and centralised supports for schools.
Technical responsibilities have been allocated to school principals without sufficient departmental oversight
The department does not clearly define the specific risks to student information that schools must manage, nor provide clear operational guidance or proactive support to monitor how legislative and policy requirements are met in practice at the school level. With principals relying on their own judgement and capacity, practices are inconsistent and in some cases non-compliant.
There are gaps in how schools apply the department’s staff access controls to systems
The department’s controls do not ensure that access to student information is limited to staff who need it for their role. Schools apply access controls inconsistently, and some staff access more information than they need or retain access after they leave a school. The department does not oversee or control staff access to third-party school administration systems, which hold large amounts of student information.
Some schools use third-party digital products without departmental oversight
The department’s marketplaces give schools a range of approved third-party digital products for school administration and online learning. It centrally manages contracts with third-party vendors, including terms to protect the security and privacy of student information. However, some schools use third-party products outside of these marketplaces and without departmental oversight or controls to protect student information.
The department does not independently assure third-party digital products in its marketplaces
While third-party vendors of digital products in department’s marketplaces are subject to contractual security and privacy controls, the department does not routinely verify vendor compliance.
The department only recently identified key third-party systems as ‘crown jewels’
The department did not classify Compass, SchoolBytes and Sentral – the third-party systems used by more than 98% of schools to manage student information – as ‘crown jewels’ until early 2026. The department is now implementing the higher levels of oversight, assurance and protective controls that apply to crown jewels.
Recommendations
The audit made recommendations for the department to review the allocation of responsibilities to principals, improve the guidance and supports for schools, and strengthen the controls for managing the access to and use of student information.
From the Report itself it is worth noting:
The Conclusion states:
The NSW Department of Education has established policies, systems and centralised supports to manage risks to the security and privacy of student information. Over the last 3 years, the department has strengthened these controls by uplifting cyber security capability, centrally contracting key third-party IT vendors, developing specific policy frameworks and providing professional learning and other supports for schools.
However, there are critical gaps in the translation of departmental policies, systems and supports into day-to-day practice within schools, which frustrates the effective protection of student information.
The department does not ensure the security and privacy of student information at the school level and when shared with third-party IT vendors; it relies on school principals to identify and address risks to student information. However, these are complex technical risks, and the department has not assessed whether schools have the capacity or capability to manage them; nor does it monitor whether mitigations to address these risks are in place.
The department and schools do not consistently apply access controls to ensure student information is only available to staff whose roles require it. Further, the department’s controls do not apply to unassessed or unapproved third-party digital products and it does not have visibility of their use.
Regarding management of privacy at the school principal level:
The department assigns principals responsibility for managing the security and privacy of student information at the school level. This includes:
- selecting and operating systems used to store and process student information
- controlling settings for staff access to student information
- managing records and sensitive
Many of these responsibilities require complex technical and legal knowledge and skills. However, the department has not assessed whether principals have the capabilities or capacity to meet these obligations alongside their other educational leadership accountabilities.
There are problems with third party vendors:
More than 60% of online learning apps used by consulted schools are not available through the department’s marketplaces. While the department assesses some non-marketplace apps through Assessed IT, it does not contract with their vendors. These vendors are not required to comply with the department’s security and privacy requirements. Non-marketplace apps usually collect limited student information such as names, class and department-issued email addresses. In some cases, they can collect more sensitive information including student wellbeing data, demographic information, images and audio recordings.
…………
The department’s contracts with third-party vendors in its marketplaces require vendors to meet independently certified security standards and provide self-assessment reports against the department’s security and privacy requirements. However, the department does not routinely use this information to undertake its own assurance activities. This limits its ability to independently verify that vendors meet expected security and privacy standards.
………..
Separately, the department has not conducted privacy impact assessments for these systems or implemented a risk-based approach to determine which other third-party digital products require assessment. Although not mandatory under legislation, the NSW Information and Privacy Commission recommends agencies undertake privacy impact assessments to identify and minimise privacy risks relating to changes in services, policies and new projects.
…………..
Data collection and privacy practices in department-recommended apps (2026)
Researchers from the University of New South Wales (Jin et al. 2026) examined data collection and privacy practices in 200 learning apps recommended by Australian schools and education departments, including the NSW Department of Education. The study found 84% of apps began transmitting data to third parties immediately on launch, before any user interaction. This included device identifiers, location metadata and other sensitive information. It also found that 68% of apps contained embedded analytics or tracking tools with no clear educational purpose.
The privacy policies of these apps often did not explain these data-sharing practices. Only 3% were considered easy to read. Some apps that explicitly stated they did not collect personal data transmitted identifiable information within seconds of launch. This indicates that privacy policies frequently did not reflect actual app behaviour and could not be relied on to accurately describe how students’ data was handled.
Tracking and profiling of children through education technology (2022)
In 2022, Human Rights Watch reviewed 163 education apps and websites endorsed by governments in 49 countries, including Australia (NSW and Victoria). It found widespread collection and sharing of children’s data for purposes unrelated to education.
The research identified extensive use of tracking technologies, with 45 products transmitting children’s personal information to 196 other third-party companies, including advertising technology providers, often without meaningful notice or consent from parents or students. These practices could allow third-party vendors to combine data about a child’s device, location and online behaviour to build profiles predicting their interests and actions. This could be used for commercial purposes such as targeted advertising across multiple apps and websites. Data sharing practices were rarely transparent and were frequently not disclosed, or not fully disclosed, in the products’ privacy policies.
Human Rights Watch highlighted that this type of profiling is particularly concerning for children, as it can influence their online experiences and choices at a stage when they are more vulnerable to manipulation.
………………..
During the audit review period, the department’s data indicates automated and manual processes identified 517 cyber security incidents affecting student information. This includes:
- attempted and successful access to student information
- compromised student credentials or accounts
- compromised school staff credentials or other accounts with access to student information
………………….
The number of incidents increased each year, with an 89% increase between 2023 and 2024, and a further 161% increase between 2024 and 2025. The department attributes this to:
- the increase in systems and devices being actively monitored, including school systems and devices as well as department-managed systems and infrastructure
- tuning and improving the cyber security monitoring tools that automatically detect and alert security incidents
- establishing dedicated teams to support the identification, investigation and responses to security
The Australian covered the Report in “School apps may harvest children’s biometric data and custody orders, audit reveals”. It provides:
Children’s biometric data, medical issues and custody orders could be harvested and sold by educational apps used in schools, an alarming audit reveals.
In a lesson for schools across the nation, NSW Auditor-General Bola Oyetunji has raised red flags over the use of more than 1000 third-party teaching apps and administration software – including artificial intelligence chatbots – in Australia’s biggest public schooling system.
His report warns that commercial tutoring or administrative products, especially those using AI, can collect and on-sell sensitive information without parents’ knowledge – including their own job and contact details.
School discipline and counselling records, as well as children’s mental health issues and academic results, may also be harvested and stored indefinitely.
Family court orders, apprehended violence orders, child safety alerts and credit card details are also at risk.
“Student records contain highly sensitive data, and mishandling this information can cause genuine harm to students and families,’’ the audit report states.
“Children are particularly vulnerable if their personal information is exposed.
“Data breaches or poor security controls can lead to identity theft, online exploitation or harassment, targeting of vulnerable students, (or) exposure of medical conditions (or) sensitive family or custody arrangements.’’
The report spells out how two high school students managed to access 2000 Education Department files stored in Microsoft 365 last year. “Some files contained personal and highly sensitive information relating to other students’ mental health diagnoses, behavioural concerns, family circumstances and disabilities,’’ it states.
“During rollout, the department set default file-sharing permissions that allowed files to be shared publicly or with all users within the organisation.
“This meant that when staff in individual schools collaborated on documents, they unknowingly and inadvertently gave access to students and staff across all schools and the department.’’
When the department discovered the data breach, it removed sharing permissions, disabled the accounts of the students who accessed the files and forced them to delete any files not related to their school work.
The audit found that some teachers were able to access confidential student files for up to 12 months after staff left a school.
In another privacy breach, a Microsoft Teams feature enabling the collection of student voice and facial biometric data was turned on at a school without the Education Department’s knowledge.
NSW Education has mandated the use of a customised in-house version of ChatGPT for use in classrooms, and is considered to have the nation’s toughest controls over educational apps.
Despite this, the audit found its oversight of other AI in schools is “not keeping pace with technological innovation’’.
“AI is increasingly embedded in the third-party digital products that may collect, store or process student information,’’ the report states.
“AI can introduce risks to security and privacy by collecting more information than authorised, retaining it indefinitely or re-using it for purposes such as model training or commercial use.
“Parents may not realise their child’s information is stored in these products.’’
The NSW Auditor-General found that third-party tools proliferated during the Covid-19 pandemic when schools needed digital tools for remote teaching, administration and communicating with families.
His audit of 37 NSW public schools between 2023 and 2025 found that some were using third-party software banned by the NSW Education Department, which has a “marketplace’’ of 693 approved products, and another 326 categorised as “do not use’’.
“The department does not know how many schools use third-party online learning apps and other digital products outside its marketplaces,’’ the report states.
“From Term 3, 2025, the department made its marketplace for online learning apps mandatory. This means schools can continue to use existing apps until the current subscription expires.’’
NSW Education Department secretary Murat Dizdar told the Auditor-General’s office his department would “strengthen its governance, oversight and assurance arrangements relating to the management of student information across departmental, school and third-party environments’’ by July next year.
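The Microsoft 365 incident the report describes (default sharing permissions that let files be shared publicly or with every user in the organisation) comes down to tenant-level sharing defaults. The following PowerShell is an added example, not from the audit report or the department: it audits the current defaults, shows the weak setting beside a hardened one, and notes the caveat that changing defaults does not revoke links already created. It assumes the SharePoint Online Management Shell module and a placeholder tenant admin URL.

```powershell
# Added example (not from the audit report). Assumes the SharePoint Online
# Management Shell module is installed and "<tenant>" is a placeholder.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"   # placeholder

# 1. Audit: what do newly created sharing links default to right now?
$tenant = Get-SPOTenant
$tenant | Select-Object SharingCapability, DefaultSharingLinkType,
                        DefaultLinkPermission, OneDriveSharingCapability |
          Format-List

# Weak configuration, matching what the report describes: every new link is
# usable by anyone in the organisation (or by anyone at all), so two staff
# collaborating on a wellbeing document have in effect exposed it to every
# student and staff account in the tenant.
#   DefaultSharingLinkType : Internal          # or AnonymousAccess ("Anyone")
#   DefaultLinkPermission  : Edit

# 2. Harden: new links address named people only, are read-only unless the
#    sharer deliberately changes that, and anonymous "Anyone" links cannot be
#    created anywhere in the tenant.
Set-SPOTenant -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View `
              -SharingCapability ExistingExternalUserSharingOnly

# 3. Caveat: these defaults only govern links created from now on. Links that
#    already grant "people in your organisation" access keep working until a
#    site owner removes them, so this change must be paired with a review of
#    existing links (not done by this script) before the exposure is closed.
#    Verify the new defaults took effect:
Get-SPOTenant | Select-Object DefaultSharingLinkType, DefaultLinkPermission,
                              SharingCapability
```

Per-site overrides can still be looser than the tenant default, so the same three properties are worth checking on sites that hold student records with `Get-SPOSite -Identity <site-url> -Detailed`.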