Privacy Act 2020: Resources for schools and early learning services

This page outlines the key changes for schools and early learning services in the Privacy Act 2020 and provides links, resources and answers to common privacy questions.

Key changes affecting schools and early learning services

Schools and early learning services may be affected by the changes to the Privacy Act that came into force on 1 December 2020.

  1. There is a new requirement to report notifiable privacy breaches to the Privacy Commissioner and affected individuals (under existing licensing criteria, early learning services will also be required to notify the Ministry of Education of any notifiable privacy breaches).
  2. Privacy Principle 4 has been amended to ensure that when we are collecting information from children or young persons we do so in a fair and reasonable manner.
  3. The Privacy Commissioner has new powers to issue a Compliance Notice (directing an organisation to do or stop doing something) and Binding Access Determinations (requiring an organisation to release personal information), along with new fines for non-compliance with the Privacy Act.
  4. A new Privacy Principle (IPP12) which governs the sharing of information with individuals or organisations who are located overseas.

Privacy Act 2020 and the Privacy Principles – Office of the Privacy Commissioner(external link)

Areas to focus on

This information is intended to provide high-level guidance. For more detailed support we recommend you contact either the Office of the Privacy Commissioner or the New Zealand School Trustees Association (NZSTA).

Contact us – Office of the Privacy Commissioner(external link)

Get in contact – NZSTA(external link)

Areas

Approach

Take the time to understand the changes and your responsibilities

Read information about the changes:

Privacy Act 2020 changes information sheet [PDF](external link)

Comparing Privacy Acts – Office of the Privacy Commissioner(external link)

Access Privacy Act 2020 resources, including a free eLearning module:

Resources – Office of the Privacy Commissioner(external link)

Privacy Act 2020 – New Zealand Legislation(external link)

Information, privacy and copyright – NZSTA(external link)

Update existing references to the Act

All existing references to the Privacy Act 1993 will need to be updated to the Privacy Act 2020.

This is likely to include consent forms and enrolment forms. 

Take stock of the free and paid versions of cloud-based service provider applications (e.g. Skype) that are being used to store personal information or provide a service

The Privacy Act 2020 requires that personal information can only be disclosed overseas if either:

  • the organisation receiving the information can provide a similar level of protection as New Zealand, or 
  • people are informed about how their information is being disclosed and provide authorisation for this.

Using free versions of cloud-based applications creates a higher risk that personal information will be inappropriately stored, used and disclosed.

Cross-border disclosure – Office of the Privacy Commissioner(external link)

In some cases, it might be necessary to:

  • seek further authorisation from the people whose information is being disclosed
  • stop using providers or tools that do not adequately protect personal information, or
  • update existing contracts to ensure that information is being protected.  

Disclosure outside New Zealand – Office of the Privacy Commissioner(external link)

Review the current processes for responding to requests to disclose personal information

 

Individuals can make privacy act requests (i.e. request access to or correction of information about them) under the Privacy Act 1993.

In addition, under the Privacy Act 2020, the Privacy Commissioner will be able to make binding decisions on complaints about access to information.

All organisations should have processes in place to meet the requirements for responding to Privacy Act requests and directions from the Privacy Commissioner.

Review the current processes around data breaches  

Review your organisation’s processes for identifying privacy breaches and notifying affected parties.

Under the Privacy Act 2020, notifiable breaches must be reported to the Privacy Commissioner as well as to the affected party.

NotifyUs: Report breaches – Office of the Privacy Commissioner(external link)

If an early learning service needs to report a privacy breach to the Office of the Privacy Commissioner, they will also need to notify their local Ministry office at the same time. This is an existing licensing criteria requirement.

Local Ministry offices

Support staff capability and awareness 

The Privacy Act 2020 includes new criminal offences with penalties of up to $10,000.

Consider if the staff at your organisation require training or refreshers on managing personal information.

Robust processes and staff training remain the best way to ensure that personal information is appropriately collected, used and shared, and adequately protected.

Frequently asked questions 

We have already collected personal information from our students using forms that reference the Privacy Act 1993. Do we need to collect it again with forms that reference the Privacy Act 2020?

No. Collection statements made before 1 December 2020 under the 1993 Act remain valid. Personal information collected after 1 December 2020 will be collected under Privacy Act 2020.

Should I use free versions of Zoom, Skype, and other online communication tools?

There are significant privacy risks with using free version of online communication tools. Paid versions of software have fewer risks around collection, use and disclosure of the information shared over these platforms than free versions.

  • Review the privacy statement of each provider to determine how any personal information shared over the platform will be used and stored by them.
  • Review your organisation’s internal processes around what information will be discussed or shared using these tools. This is particularly important in light of the new rules for disclosing personal information overseas under Information Privacy Principle (IPP) 12.

Should I use free online tools for storing information and/or sharing files?

There are significant privacy risks with using free version of online information storage or file sharing tools.

Paid versions of online tools have fewer risks around access and use of information than free versions:

  • review the privacy statement of each provider to determine how any personal information will be used and stored by them
  • review your organisation’s internal processes around what information and/or files are stored or shared by these tools. This is particularly important in light of the new rules for disclosing personal information overseas under Information Privacy Principle (IPP) 12 – view all the IPPs in the Privacy Act 2020.

Should I use online service delivery tools, for example, Boom Cards?

There are significant privacy risks with using free versions of online service delivery tools.

Paid versions of service delivery tools have fewer risks around access and use of information than free versions:

  • review the privacy statement of each provider to determine how any personal information will be used and stored by them
  • review your organisation’s internal processes around what information is stored or shared by these tools. This is particularly important in light of the new rules for disclosing personal information overseas under Information Privacy Principle (IPP) 12 – view all the IPPs in the Privacy Act 2020.

Do I need to do anything about the contracts my organisation has with third-party service providers?

Yes. Review all contracts to ensure that they contain sufficient privacy and data protection clauses.

Disclosure outside New Zealand – Office of the Privacy Commissioner(external link)

More information about privacy, information and data

Resource

Source

Notes

Privacy ABC for Schools(external link)

(also useful for early learning providers)

Office of the Privacy Commissioner

Provides a helpful overview of privacy rights and responsibilities.

Covers sharing of photos on social media in Units 3 and 11.

AskUs(external link)

General privacy guidance

Office of the Privacy Commissioner

Knowledge base of questions and answers maintained by the Office of the Privacy Commissioner.

Option to submit questions.

Privacy and CCTV(external link)

Office of the Privacy Commissioner

A guide for services using or considering using CCTV.

Sharing information:

Early learning services

Schooling

Learning support

Ministry of Education

Information on sharing information for education providers.

 

Last reviewed: Has this been useful? Give us your feedback