A number of changes have been made to the Privacy Act over the last 12 months, and they have left many schools caught short in relation to their privacy practices.
Privacy policies and related documents should be reviewed and updated now to ensure the school is not left exposed and to address additional changes that are set to be introduced later in 2026.
What has changed
Privacy Commissioner’s investigative powers
The OAIC now has stronger investigatory and enforcement tools available to it and has indicated that it will be undertaking a compliance audit of various industries in 2026. That enforcement outlook indicates that a stronger hand will be taken to ensure compliance, with civil penalties, infringement notices, investigative powers and significant fines now all increased.
A tort for serious invasion of privacy
A new statutory tort for serious invasion of privacy came into effect on 10 June 2025, allowing individuals (including children) to seek legal remedies for an intrusion into their seclusion, or for misuse of their personal information.
Relevantly, claims can be brought against both organisations and individuals, a notable difference from the Privacy Act, which makes only organisations liable for breaches of privacy. Claims must be brought within 12 months of a person becoming aware of the invasion of privacy, or 3 years after the breach occurred, whichever is earlier. Children under 18 have a further period and can bring a claim at any time prior to their 21st birthday.
Courts can order a range of remedies, including injunctions, declarations, apologies and/or damages. Defences are available and, relevantly, include where informed and specific consent has been provided. Accordingly, schools should be reviewing the consents which they obtain from students and parents and considering whether they can be tailored to anticipate claims, depending on their individual circumstances.
Doxxing
Amendments have been made to the Commonwealth Criminal Code to make doxxing a criminal offence. Schools are on high alert as there are a number of recent examples of students becoming involved in such behaviour, including through the release of AI-altered and deepfake works involving other students.
The nature of that conduct raises duty of care issues, and at a minimum, expectations should be made clear in policies and through student education.
What is still to come: Children’s Online Privacy Code
The imminent introduction of the Children’s Online Privacy Code will bring changes to the use of data relating to under-18s by relevant social media and electronic service providers, including the online collection and use of children’s data by educational apps, learning platforms and student and parent portals, amongst others.
The application of the Code is likely to be broad and will provide greater recognition of the right of children to make decisions in relation to their own privacy. Considering those matters well in advance of the anticipated changes (not yet published), which are due to commence in early December 2026, will leave schools better placed.
Schools should be considering age-appropriate collection and consent practices, ensuring that documents (policies) are tailored to their operating requirements and with limitations on the use of information relevant to children.
Automated decision making (effective 10 December 2026)
All organisations (schools included) are required to update their privacy policies by 10 December 2026 to disclose:
- Where they use computer-assisted or AI-driven processing which includes dealing with personal information; and
- The types of decisions that are automated or the types of personal information used in that process.
Examples which are currently being used in schools include:
- Enrolment/applicant sorting;
- Student placement, class allocation, and timetabling;
- Predictive analysis for attendance, behaviour, wellbeing;
- Some protocols around marking and assessment (+ AI detection); and
- For those who are well advanced, where AI is integrated into the curriculum.
Policies and notices should all be updated by no later than 10 December 2026. Those should all be expressed in plain English due to the anticipated adoption of the Children’s Privacy Code from the same date. Schools should also consider publishing child-friendly policies in addition to their existing (more detailed) policy documents.
Provider AI
This remains a hot topic due to the rapid adoption of the technology, not just by schools but also by their providers. Schools that engage contractors/providers that are likely to use AI should review their contracts and make sure they are clear about matters such as:
- What AI tools can be used and for what purposes;
- What information can be uploaded to an AI platform or system;
- Who owns any created work, including AI generated work; and
- The need to have a human author of the work and oversight.
Schools should also be seeking guidance and putting in place suitable AI governance practices and documented policies.
RECOMMENDED ACTIONS FOR SCHOOLS
Schools should consider the following steps:
- Update privacy policies: Ensure that privacy policies cover the recently implemented or anticipated changes. Policies must be up to date, in plain English and easily understood.
- Update collection notices and consents: These may prove invaluable if consents anticipate relevant breaches.
- Implement staff training programs: Educate staff on new privacy obligations and best practices for data protection.
- Review third-party agreements: Assess contracts with service providers to ensure they comply with the updated privacy requirements, including where those providers may use or rely on AI technology.
- Enhance data security measures: Strengthen technical and organisational measures to protect personal information from unauthorised access or disclosure.
Schools should be reviewing their position now to address changes which have already commenced. Proactively taking steps in anticipation of further reforms to be introduced later in 2026 will also leave schools better prepared to protect student privacy and ensure compliance with the revised legal framework.
For further information, please feel free to contact me on 07 3224 0261.