

As digital systems become foundational to education and early childhood services, large volumes of sensitive information, often spread across internal systems and centralised, cloud-based platforms, are being collected and stored by schools, childcare centres and education departments. This increase in the collection and centralisation of data creates new risks, particularly when governance, cybersecurity and oversight fail to keep pace with technological adoption. Protecting the data of Australian kids has emerged as a major privacy challenge.
Recent incidents across Victoria and New South Wales highlight a troubling pattern: children’s data is being gathered at scale, shared widely, retained for significant periods of time and in some cases exposed in ways that families cannot meaningfully control. These breaches are not just technical failures; they carry long-lasting human, emotional and social consequences for young people who have little ability to protect themselves, and at the same time they erode the confidence of the broader community in the value of digital systems.
In January 2026, the Victorian Department of Education confirmed a significant cyberattack that resulted in unauthorised access to a database holding information on current and former students across government schools. The compromised data reportedly included student names, school-issued email addresses, encrypted passwords, school names and year levels.
Although authorities stated that highly sensitive fields such as home addresses and dates of birth were not accessed, the scale of the breach—potentially affecting hundreds of thousands of students—raises serious concern.
Even seemingly basic data forms the backbone of a person’s digital identity. Names combined with school and email details can be used to launch targeted phishing campaigns, manipulate student accounts, conduct social engineering attacks, and gradually build detailed identity profiles. Given that children’s data often remains accurate for many years, the long-term risk of fraud and impersonation is significant—and often goes undetected until adulthood.
In New South Wales, the rollout of the Digital Hub—a centralised platform for collecting and managing data from early childhood education and care (ECEC) services—has sparked widespread privacy concerns among parents and educators.
The system aggregates enrolment, attendance and personal identifiers from thousands of preschools and childcare centres into a single digital environment, often relying on third-party vendors and commercial platforms. Critics have highlighted serious risks, including:
One reported case involved a parent discovering that their child’s birth certificate and other sensitive records were accessible via a publicly reachable URL—described not as a theoretical risk, but an active data breach unfolding in real time.
Centralising children’s data dramatically increases the “blast radius” of any breach. A single configuration error, weak access control or compromised account can expose information about thousands of children who cannot consent, monitor misuse or advocate for themselves.
Another significant concern has been the inappropriate collection of biometric data in New South Wales schools. In 2025, a Microsoft Teams feature reportedly enabled voice and facial recognition data collection for student accounts without the department’s immediate awareness. While the feature was later disabled and authorities stated the data was deleted, key questions remain unanswered: how many students were affected, how long the data was retained, and whether parents were informed at the time.
Biometric data—such as facial templates or voice profiles—is uniquely sensitive. Unlike passwords or ID numbers, biometric identifiers cannot be replaced once compromised.
Other publicised controversies around the use of biometric systems in NSW schools have eroded community confidence and highlighted the need for strict necessity, proportionality and transparency tests before deploying such technologies in educational settings.
Unapproved or poorly governed biometric collection introduces risks of long-term surveillance, identity spoofing, tracking and profiling. Once captured, such data may be reused for purposes far beyond its original intent, a phenomenon known as “function creep,” with significant implications for children’s autonomy and privacy well into adulthood.
Data breaches involving children are often discussed in technical terms, but their true impact is deeply personal and long-lasting.
Children’s personal information is particularly valuable to criminals because it can remain exploitable for decades. Fraudsters may open accounts, apply for credit or commit other forms of identity crime long before a child is old enough to notice unusual activity. Many only discover the damage years later—when applying for university, employment or a first loan.
Beyond financial harm, data breaches erode trust. Parents often experience anxiety and frustration, unsure whether they can rely on schools and government systems to protect their children. Students may feel uneasy knowing that strangers could have access to details about their school, identity or personal history, which can affect their confidence and sense of safety.
Repeated incidents undermine faith in digital transformation across education. Families may withdraw consent for digital tools, resist innovation, or disengage from programs that could otherwise enhance learning outcomes—all because privacy risks were not adequately managed.
To genuinely protect children and maintain public trust, education providers and policymakers must treat privacy as a core safety issue, not merely as a compliance issue or an IT concern.
Key actions include:
Apply Privacy by Design: minimise the data collected to what is strictly necessary for educational purposes; maintain transparency with families about how data is used, stored and protected; clearly define retention limits and ensure timely deletion of records; and build privacy safeguards into systems, procurement processes and vendor contracts from the outset.
In practice, this includes actions such as:
Practical action steps here include:
Prepare for incidents
Start by developing child-appropriate breach-response plans, communicating promptly and clearly with affected families and providing guidance and support on protecting against identity misuse.
This can look like:
Australia’s education and childcare systems are rapidly digitising—and while this transformation brings enormous benefits, it also introduces new and enduring risks. Recent breaches and governance failures in Victoria and New South Wales show that children are uniquely vulnerable in the digital ecosystem. Their data is long-lived, valuable to criminals, and often collected without their understanding or control.
Protecting children’s privacy requires more than compliance checklists. It demands intentional design choices, rigorous oversight and a recognition that privacy failures can shape a child’s life long after the breach itself fades from headlines. By prioritising privacy, security and data governance now, education providers can help ensure that digital innovation truly serves the best interests of Australia’s future generations.