Privacy in Education — What Teachers and Students Should Check
Free NZ privacy checklist for teachers and students: 5 privacy checks before using any school app or AI tool. Covers Privacy Act 2020 and what to ask schools.
Quick answer
Before a school tool asks for student or staff information, you should be able to explain what data it collects, why it needs it, who can access it, and what happens if the school stops using it. If those answers are unclear, pause before using the tool or sharing more information.
Treat every new classroom app, AI tool, or learning platform as a privacy decision before it becomes a teaching decision. Check the data collected, the purpose, the access controls, the retention rules, and whether student work or personal information can be reused for analytics or AI training.
Student and educator privacy in New Zealand schools involves a set of overlapping obligations — the Privacy Act, the Education and Training Act, and the expectations set by the Office of the Privacy Commissioner. These are not abstract compliance requirements. They describe what should happen in practice when a school adopts a new digital tool, shares student information with a third party, or stores records about a student’s learning or wellbeing (1)(2).
This guide gives both teachers and students a practical starting point for understanding those obligations and acting on them.
Why privacy in schools deserves specific attention
Schools handle sensitive information as part of daily operations. When that information moves through digital tools — particularly cloud platforms, AI-assisted marking tools, communication apps, or learning platforms — it is easy to lose sight of where the data actually goes and who can see it.
Children and young people are entitled to a higher standard of privacy protection in digital contexts. That expectation applies to schools and the tools they choose to use.
What privacy law actually requires in NZ schools
The Privacy Act 2020 applies to all organisations, including schools. The key obligations for school staff include:
- collecting only the personal information needed for a genuine educational purpose
- storing it securely and limiting who can access it
- not sharing it with third parties without a clear basis and, where required, consent
- correcting or removing it when appropriate
- being able to explain why it is being collected if asked
The Education and Training Act 2020 adds layer-specific requirements around student records, enrolment information, and the handling of learning data (4)(5).
For students, your rights include asking what information is held about you, why it is held, and who has access to it. You can also ask for inaccurate information to be corrected.
Privacy checklist — 5 questions to ask before using a school tool
Before a school or class adopts a new digital tool, make sure you can answer all five of these:
If the answers are unclear, treat that as a reason to pause and investigate before committing.
The Office of the Privacy Commissioner provides a Privacy Impact Assessment template that schools and kura can adapt to evaluate new digital tools before adopting them (2).
Privacy tools available in New Zealand
The Office of the Privacy Commissioner offers practical resources that schools can use directly:
- Privacy tools for agencies — includes checklists and guidance for evaluating privacy risk when adopting new technology (1)
- Privacy Impact Assessment template — a structured template applicable to school tool evaluation (2)
- Access to personal information guidance — what individuals can ask for when they want to know what information is held about them (6)
- Children’s Privacy Project — provides context for why school-specific privacy standards matter beyond general compliance (3)
What to do if you think student data has been mishandled
If you are a student and you think your personal information has been shared, stored, or used incorrectly:
- Tell a trusted adult — a parent, caregiver, or teacher you feel comfortable with.
- Ask the school directly — you have the right to know what information is held and why.
- Make a complaint to the Privacy Commissioner if the school has not resolved your concern — this is free and available at privacy.org.nz (7). Do not assume it will sort itself out — mishandled student data can affect future opportunities and wellbeing.
If you are a teacher and you become aware that a tool provider has mishandled student data:
- Document what you know about the incident, including dates, what data was involved, and what the tool provider has said.
- Notify your school leadership or designated privacy officer.
- Report the incident to the Privacy Commissioner through their online complaints process (7).
- Review whether the tool should continue to be used and document the decision.
Practical privacy habits for teachers
These habits reduce the risk of accidental privacy breaches in daily teaching:
- Do not store student assessment data in unencrypted spreadsheets or personal cloud accounts
- Use school-provided platforms for student communications rather than personal messaging apps
- Be cautious about sharing student work samples publicly — even de-identified examples need care
- Review the privacy settings of any new tool before introducing it to a class
- Ask the IT or leadership team to confirm tool compliance before adopting something new for sensitive tasks
Practical privacy habits for students
You do not have to wait for teachers to manage this:
- Check the privacy settings on any app or platform you use for schoolwork — especially if you signed in with a personal account
- Be cautious about sharing your school email address with apps or websites outside of your school’s approved tools
- If an app asks for more access than it needs — for example, access to your contacts or location when it only needs to store documents — ask a teacher before agreeing
- If something feels wrong — for example, an app is sharing your work publicly without asking — tell a teacher or parent
Knowledge check
Sources and references
[1] New Zealand. Office of the Privacy Commissioner. (2025). Privacy tools for agencies. https://www.privacy.org.nz/responsibilities/privacy-tools-for-agencies/
[2] New Zealand. Office of the Privacy Commissioner. (2025). Privacy Impact Assessments. https://www.privacy.org.nz/responsibilities/privacy-impact-assessments/
[3] New Zealand. Office of the Privacy Commissioner. (2025). Children’s Privacy Project. https://www.privacy.org.nz/focus-areas/children-and-young-people-policy-project/
[4] New Zealand. Parliament. (2020). Privacy Act 2020. https://www.legislation.govt.nz/act/public/2020/0031/latest/whole.html
[5] New Zealand. Parliament. (2020). Education and Training Act 2020. https://www.legislation.govt.nz/act/public/2020/0041/latest/whole.html
[6] New Zealand. Office of the Privacy Commissioner. (2025). Your rights. https://www.privacy.org.nz/your-rights/
[7] New Zealand. Office of the Privacy Commissioner. (2025). Children’s privacy guidance for the education sector. https://www.privacy.org.nz/resources-and-learning/a-z-topics/protecting-children-and-young-peoples-privacy/childrens-privacy-guidance-for-the-education-sector/
What to do next
- Check Cyber Security for New Zealand Educators for the broader educator safety pathway.
- Read AI Safety for New Zealand Educators if you or your school are using AI-assisted tools.
- Use AI tools confidently in policy with AI Tools in the Classroom — Policy Template.
- See AI privacy in a school context with The privacy questions your school should be asking about AI tools — before the next staff meeting.
- Follow the student pathway at Cyber Security for Students in New Zealand.