Students access 2000 private files in major privacy failure
A pair of school students were able to access 2000 files detailing other students’ mental health diagnoses, disabilities and behavioral concerns last year because of inadequate data privacy controls from the NSW Department of Education.
The largest data breach was among 491 incidents detailed in the NSW Auditor General’s report on Monday, which identified “critical gaps” between official policy and how student data is handled in schools between 2023 and 2025.
The auditor general credited the NSW Department of Education with strengthening cybersecurity and centralizing contracts for learning application software used by teachers and students, rather than leaving it up to schools to make their own decisions.
He explained the issues in detail, including how technical responsibilities were allocated to school principals.
“These are complex technical risks and the ministry has not assessed whether schools have the capacity or ability to manage them,” he said.
The use of third-party platforms was problematic because there was no system-level oversight or control to protect student information.
The report details how a “marketplace” of approved software and apps exists for schools to choose from that meet their security and privacy requirements.
The audit said 60 percent of the online learning applications used by the 37 schools it consulted were not available on the department’s official marketplace.
“Some schools are using third-party digital products without departmental oversight,” he said.
The auditor general noted a Human Rights Watch report in 2022 that examined 163 education apps and websites approved by governments in 49 countries, including Australia, and found that children’s data was widely collected and shared for purposes unrelated to education.
Under the former Coalition government’s since-repealed Local Schools, Local Decisions policy, schools were allowed to “adopt their own technology solutions”. Last year the department tightened the rules, requiring marketplace apps only once existing subscriptions expire.
What information is collected by ClassDojo?
ClassDojo is a third-party application used by some schools in NSW to enable communication between classroom teachers and parents. It may collect the following information about students and their parents:
- Class name (students and parents)
- Username – determined by the user (student)
- Name (students and parents)
- Surname (student and parent)
- Records of behavioral incidents (student)
- Behavioral observations/notes (student)
- Participation (students)
- Academic studies (students)
- Video or audio recording (students)
- Email address (students and parents)
- Phone number (parents)
- Languages spoken (students and parents)
- Responses to online learning, surveys and forms (students and parents)
Some off-the-shelf apps, such as ClassDojo, were not based in Australia and held data overseas. ClassDojo was rated “use with caution,” and the report stated that it was used by some schools.
Another problem was that staff access privileges to student records and information were inconsistent. There were examples of staff maintaining access to students’ records even when they were no longer working at the school.
It was also revealed last August that two high school students accessed nearly 2,000 files related to other students’ mental health diagnoses, behavioral concerns, family situations and disabilities. They were on the Microsoft 365 platform.
They were able to access the files because the department’s configuration choices undermined the platform’s built-in access controls, the report said. This meant that when staff “collaborated” on documents, they were unknowingly granting access to students and staff across entire schools and departments.
According to Auditor Bola Oyetunji’s report, schools are using a mix of digital and paper-based records, creating privacy issues.
“A community member found volumes of school documents containing student information dumped at the construction site of a building. The ministry recovered and digitized the records,” he said.
There were four recommendations, including reviewing the allocation of responsibilities to headteachers, improving guidance and support for schools, and strengthening controls to manage access to and use of student information.
NSW Department of Education Secretary Murat Dizdar said he supported the recommendations.
“The Ministry has started work in various areas identified by the audit and will strengthen governance, oversight and assurance arrangements,” Dizdar said.
Education Minister Prue Car said the concerns raised may be due to the Coalition’s failed Local Schools, Local Decisions policy.
“This approach left individual schools and staff with the responsibility of overseeing complex data security,” she said.