Privacy and the use of third-party web and cloud-based service providers

This bulletin informs principals about the application of privacy law to the use of third-party online service providers in schools. It is part of a suite of advice for principals on cyber-security resources for schools and must be read in conjunction with ITD resources Principal support – assessing and engaging external IT services and Due diligence vendor checklist which address the application of due diligence to the selection of online services. It should also be read in conjunction with Online Applications and Parental Consent. Last updated February 2023.

On this page

Please wait while page index is generated

Privacy legislation

The Privacy and Personal Information Protection Act 1998 (PPIP Act) and Health Records and Information and Privacy Act 2002 (HRIP Act) and Privacy Act 1988 (Cth) regulate how the department collects, secures, uses and discloses the personal, sensitive and health information it holds on individuals..

Personal information

Personal information is information or an opinion about an individual from which their identity is apparent or can reasonably be ascertained.

Health information is personal information that is information or an opinion about the physical or mental health or a disability of an individual or provision of health services to an individual.

Sensitive information is personal information about an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities.

For further information see privacy bulletin managing personal and health information.

Privacy principles

Privacy legislation identifies principles that organisations and public sector agencies must apply to management of personal information.

Collection principles

When collecting personal information organisations and agencies must:

  • only collect information for a lawful purpose directly related to a function or activity of the organisation or agency
  • collect information directly from the individual or their parent/guardian if under 16 years of age
  • inform the individual of:
    • the collection
    • purposes for which the information is being collected
    • intended recipients of the information
    • whether supply of the information is required by law or voluntary
    • consequences if the information is not provided
    • the right to access and correct the information and
    • name and address of organisation/agency collecting the information.

When the department and third-party service providers collect student personal information they must inform students and/or their parent/guardian of these matters.

For further information and a template privacy notice see privacy bulletin collecting personal and health information.

Retention and security principles

Organisations and agencies that hold personal information must:

  • retain the information only for as long as is necessary for the purpose for which it may be used
  • dispose of the information securely
  • protect the information by taking reasonable safeguards against loss, unauthorised access, use or disclosure.

Further information for principals about management of information security and due diligence when deciding whether to use non department IT services is provided in ITD resources Principal support – assessing and engaging external IT services and Due diligence vendor checklist.

Storage of and access to personal information provides additional information about security, access and alteration principles.

Access and alteration principles

Organisations and agencies that hold information must, if requested by an individual, provide access to their personal information and make appropriate amendments to ensure the information is accurate, relevant, up to date, complete and not misleading, having regard to the purpose for which it was collected.

As part of their due diligence principals should ensure third party service providers have procedures that enable individuals to request access to and alteration of their personal information.

Information and application forms for accessing or amending personal information is available at Privacy Information and Forms.

Use and disclosure principles

Organisations and agencies that hold personal information must only use or disclose the information for the purpose for which it was collected. An individual’s consent is required if their information is to be used and/or disclosed for another purpose.

Apps and Software

Entering or uploading student personal information (name, email address, photos or anything else that could reasonably identify a student) into any software or App may require parent consent depending on the kind of software of App. For more information (and a template parent consent form) see Online applications and parental consent.

For further information on use and disclosure principles see privacy bulletin use and disclosure of personal information.

Further information

Due diligence vendor checklist (XLSX, 21KB)

Assessing and engaging external IT services (DOCX, 94KB)

Online applications and parental consent

Return to top of page Back to top