This is according to findings outlined in an audit report by the New South Wales Auditor General, which assessed how effectively the state’s Department of Education and its public schools ensure the security and privacy of student information.

The audit, which engaged with 37 schools across the state, found technical responsibilities have been allocated to principals without sufficient departmental oversight. 

While school leaders take responsibility for selecting the operating systems used to store and process student information, controlling settings for staff access to it, and managing records and sensitive information, the report warns these obligations require ‘complex technical and legal knowledge and skills’ which principals might not have.

The Department has not assessed the exact capacity of school leaders here, it flags. 

And while principals are provided with general policies, training and central supports to aid them, the Department does not offer a consolidated resource on the specific student information risks they need to manage, nor monitor how they carry out this work in practice. 

“With principals relying on their own judgement and capacity, practices are inconsistent and in some cases noncompliant,” the report states. 

Leading cybersafety expert Susan McLean told EducationHQ that the situation wasn’t fair on principals.

“Twenty years ago if you looked at the cybersecurity ecosystem, schools were always considered an easy target – and that hasn’t changed,” she says.  

“Particularly in government schools, they rely on the Department – and what they do is a little bit hit and miss and flaky. [Principals] don’t get the training.”

McLean says independent and Catholic schools can be ‘slightly better’ when it comes to protecting student information online, at least because they often have the budget to be able to employ specialised staff to oversee this area.  

“Consulted schools generally feel supported by the Department and know where to seek help when needed. However, the audit observed inconsistent practices across schools. 

“In some cases, schools did not protect student information in line with legislative requirements or the Department’s policies and procedures,” the audit stated.  

In 2025, the Department received 690 requests for legal advice on privacy from schools and staff. 

Schools sought advice on:

• sharing information about students with third parties;
• consent to publish images of students; 
• authorised recording and surveillance (e.g. closed circuit cameras); and
• data breaches. 

“Overall, consulted schools tend to rely on local staff capacity, ad hoc arrangements or requests to the department to manage the operational aspects of security and privacy risks associated with student information,” the report concludes. 

The audit also found the Department lacks comprehensive oversight and assurance of third-party digital products that schools are using that may risk the safety and security of student information. 

Indeed, some 60 per cent of learning apps and other digital products schools use fall outside the Department’s marketplace of regulated and approved products.

These companies are not required to comply with the Department’s security and privacy requirements, despite the apps usually collecting limited student information such as names, class and Department-issued email addresses. 

“In some cases, they can collect more sensitive information including student wellbeing data, demographic information, images and audio recordings,” the audit flags. 

And while the Department expects schools to only share limited student information with these apps, it does not have oversight to know whether or not this is happening. 

A requirement for schools to only use Department-approved marketplace learning apps once their existing subscriptions expire was brought in, but this is not consistent practice across schools, the analysis found.

Research published this year from the University of New South Wales raised serious concerns around the data collection and privacy practices in 200 learning apps recommended by Australian schools and education departments, including NSW. 

The study found some 84 per cent of apps began transmitting data to third parties immediately on launch, even before any user interaction occurs.

This included device identifiers, location metadata and other sensitive information. It also found analytics or tracking tools with no clear educational purpose were embedded in 68 per cent of the apps.

The apps’ privacy policies also did not make their data-sharing practices clear, with just 3 per cent considered easy to read.

“Some apps that explicitly stated they did not collect personal data transmitted identifiable information within seconds of launch. This indicates that privacy policies frequently did not reflect actual app behaviour and could not be relied on to accurately describe how students’ data was handled,” the audit report warns. 

Student records contain highly sensitive data, and mishandling this information can cause real harm to young people and their families. 

Children are considered ‘particularly vulnerable’ if their personal information is exposed, the report notes, with the potential for data breaches or poor security controls resulting in identity theft, online exploitation or harassment, the targeting of vulnerable individuals, and the exposure of medical conditions as well as sensitive family or custody arrangements.

Issues around staff access to student information are also highlighted, with schools applying their own rules about who is granted access to what. 

Consulted schools did not refer to the Department’s standard when explaining how they assign, review or remove staff access, meaning inconsistent approaches abound, the audit found. 

Some schools could not explain why some staff were granted certain levels of access that did not align with their role. 

“These weaknesses are evident in the management of elevated or privileged access, which involves permissions beyond those of a standard user and can enable staff to access or change sensitive student information or users’ access,” it flags. 

The Department has identified that fewer than 20 schools continue to operate systems and use software outside its approval and security controls.

The audit makes a number of recommendations for the Department to strengthen privacy protections in schools.