A pair of school students were able to access 2000 files detailing other pupils’ mental health diagnoses, disabilities and behavioural concerns last year due to insufficient NSW Department of Education data privacy controls.
The major data breach was among 491 incidents detailed in a NSW Auditor-General’s report released on Monday which identified “critical gaps” between official policy and how student data was handled in schools between 2023 and 2025.
It credited the NSW Department of Education with strengthening its cybersecurity and centralising contracts for the learning app software that teachers and students used, rather than leaving it up to individual schools to decide for themselves.
It detailed issues including how technical responsibilities have been allocated to school principals.
“These are complex technical risks, and the department has not assessed whether schools have the capacity or capability to manage them,” it said.
The use of third-party platforms was problematic because there was no system-level oversight or controls to protect student information.
The report detailed how there is now a “marketplace” of approved software and apps schools could choose from which had met security and privacy requirements.
The audit said 60 per cent of online learning apps used by the 37 schools it consulted were not available through the department’s official marketplace.
“Some schools use third-party digital products without departmental oversight,” it said.
The auditor-general noted a Human Rights Watch report in 2022 that reviewed 163 education apps and websites endorsed by governments in 49 countries, including Australia, and found widespread collection and sharing of children’s data for purposes unrelated to education.
Under the former Coalition government’s Local Schools, Local Decisions policy, which has since been axed, schools were allowed to “adopt their own technology solutions”. Last year, the department tightened the rules, mandating that schools use only marketplace apps once existing subscriptions expire.
What information is being collected by ClassDojo
ClassDojo is a third-party app used by some schools in NSW to enable communication between classroom teachers and parents. It can collect the following information about students and their parents:
- Class name (students and parents)
- Username – determined by the user (student)
- First name (students and parents)
- Surname (student and parents)
- Records of behaviour incidents (student)
- Behavioural observations/notes (student)
- Attendance (students)
- Academic works (students)
- Video or audio recording (students)
- Email address (students and parents)
- Phone number (parents)
- Languages spoken (students and parents)
- Responses to online learning, surveys and forms (students and parents)
Some apps that were not on the marketplace were not based in Australia and held data offshore, such as ClassDojo, which is rated as “use with caution”. It is used by some schools, the report said.
Another issue was inconsistent staff access privileges to student records and information. There were examples of staff maintaining access to students’ records even when they no longer worked at a school.
It also found that two high school students last August accessed about 2000 files relating to other students’ mental health diagnoses, behavioural concerns, family circumstances and disabilities. They were contained in the Microsoft 365 platform.
They were able to access the files because the department’s configuration choices undermined the platform’s built-in access controls, the report said. It meant when staff “collaborated” on documents, they unknowingly provided access to students and staff across all schools and the department.
Schools used a mix of digital and paper-based records which also posed privacy issues, Auditor-General Bola Oyetunji’s report said.
“A community member found volumes of school paper records containing student information dumped at a building construction site. The department recovered and digitised the records,” it said.
There were four recommendations, including reviewing the allocation of responsibilities to principals, improving the guidance and support for schools, and strengthening the controls for managing the access to and use of student information.
NSW Department of Education Secretary Murat Dizdar said he supported the recommendations.
“The department has already commenced work in several areas identified by the audit and will strengthen its governance, oversight and assurance arrangements,” Dizdar said.
Education Minister Prue Car said the concerns raised can be traced back to the Coalition’s failed Local Schools, Local Decisions policy.
“That approach left individual schools and staff with responsibility for overseeing complex data security,” she said.
Disclaimer : This story is auto aggregated by a computer programme and has not been created or edited by DOWNTHENEWS. Publisher: www.smh.com.au



