Recent amendments to the Privacy Act introduce changes that require schools to consider their privacy practices, including in relation to the collection, retention and use of personal information and data. It is necessary to act now, both to ensure present compliance and to prepare for changes that are to be introduced in 2026.
Key Impacts
A tort for serious invasion of privacy
A new statutory tort for serious invasion of privacy came into effect on 10 June 2025, allowing individuals (including children) to seek legal remedies for either of the following types of conduct:
- an intrusion on their seclusion; or
- misuse of their personal information.
A successful complaint will need to show:
- That there has been an invasion of privacy by intrusion (including into a private space and/or activities) and/or misuse of personal information in an inappropriate manner;
- In circumstances where an expectation of privacy exists – to be assessed on a case by case basis, considering the purpose of the invasion/misuse, nature of the information used, use of technology and attributes of the person (including whether they are a child);
- Intentional or reckless conduct – not merely inadvertent or negligent;
- The invasion being regarded as ‘serious’ (or ‘highly offensive’ per similar legislation in NZ, USA and Canada) which is intended to discourage trivial claims;
- There was no greater public interest which required disclosure of the information, such as public health and safety, freedom of the media, open justice and similar considerations.
Relevantly, claims can be brought against both organisations and individuals, providing a notable difference from the Privacy Act which makes only organisations liable for breaches of privacy. Claims must be brought within 12 months of a person becoming aware of the invasion of privacy, or 3 years after it occurred, whichever is earlier. Children (under 18) have a further period and can bring a claim at any time prior to their 21st
Courts can order a range of remedies, including injunctions, declarations, apologies and/or damages.
Defences are available. Those include where a person acted under legal authority, where action was necessary to protect people or property and in situations where consent was provided. Exceptions also apply to the sharing of information with (and use of information provided by) law enforcement agencies and individuals under the age of 18.
Children’s Online Privacy Code
The imminent introduction of the Children’s Online Privacy Code will bring changes to the use of data relating to under 18s (children) by relevant social media and electronic service providers, including the online collection and use of children’s data by educational apps.
The application of the Code is broad and schools which are providing online learning tools and forums, posting material to social media (irrespective of whether students post, comment or participate) or school/educational apps, are likely to be regarded as a provider and caught by the proposed changes. Those matters will also need to be considered in light of the proposed changes which will provide greater recognition of the right of children to make decisions in relation to their own privacy. Considering those matters well in advance of the changes, which are to be implemented in 2026, will leave schools better placed.
Privacy and AI
When schools input personal information into AI tools (for example to undertake administrative tasks or for educational purposes), they must ensure that privacy obligations are being met. Uploading personal data into any AI platform involves a significant privacy risk.
Some schools have started using AI tools for tasks such as preliminary assessment or marking of student work. Again, care should be exercised as even though steps may have been taken to de-identify the author, the work may still carry content that identifies the individual. That may create a privacy record which is then uploaded/shared in an (unsecure) open AI platform. Schools which are using AI tools should seek guidance and put in place suitable AI governance practices and documented policies.
Doxxing
Another change introduced through the Privacy and Other Legislation Amendment Act in December 2024 was to amend the Commonwealth Criminal Code Act to make doxxing a criminal offence.
Schools are on high alert as there are a number of recent examples of students becoming involved in such behaviour, including through the release of AI-altered and deepfake works involving other students.
The nature of that conduct raises duty of care issues, and at a minimum, expectations should be made clear in policies and through student education.
Recommended Actions for Schools
To align with these reforms, schools should consider the following steps:
- Conduct a privacy review (or where necessary a Privacy Impact Assessment (PIA)): Evaluate current data handling practices to identify and mitigate privacy risks.
- Update Privacy Policies: Ensure that privacy notices are comprehensive, up-to-date, and easily understandable by students and parents.
- Implement Staff Training Programs: Educate staff on new privacy obligations and best practices for data protection.
- Review Third-Party Agreements: Assess contracts with service providers to ensure they comply with the updated privacy requirements, including where those providers may use or rely on AI technology.
- Enhance Data Security Measures: Strengthen technical and organisational measures to protect personal information from unauthorised access or disclosure.
Schools should be reviewing their position now to address changes which have already commenced. Proactively taking steps in anticipation of further reforms to be introduced in 2026 will also leave schools better prepared to protect student privacy and ensure compliance with the updated legal framework.