The Privacy and Other Legislation Amendment Act 2024 represents a significant shift in Australia’s approach to data privacy. For IT Teams in South Australian schools, these changes increase obligations surrounding the protection of student information, digital platforms, and cyber resilience.
This article highlights the most critical updates and provides actionable insights tailored for school environments across South Australia.
Key Changes and Their Impact on SA Schools
1. Statutory Tort for Serious Invasions of Privacy
As of 10 June 2025, individuals—including students and parents—now have the right to take legal action for serious invasions of privacy. Examples include:
- Unauthorised access to student records
- Unlawful or improper sharing of personal information
SA School Impact:
South Australian schools must implement robust access controls and maintain comprehensive audit trails for student data. IT Managers are responsible for leading staff privacy training and proactively reviewing all internal data management procedures to ensure alignment with new compliance expectations.
2. Automated Decision-Making Disclosure
By December 2026, schools will be required to provide full transparency around the use of automated systems—such as AI-driven learning analytics or enrolment algorithms—within their privacy policies.
SA School Impact:
If your school leverages digital tools that make decisions based on student data, it is essential to clearly outline how these systems operate and the specific data they process. This is particularly relevant for any environment using machine learning assessment platforms, and IT Managers should now begin documenting and communicating these processes to ensure compliance and maintain trust with the school community.
3. Children’s Online Privacy Code
The OAIC is set to introduce a Children’s Online Privacy Code by December 2026, specifically aimed at enhancing protections for minors online.
SA School Impact:
South Australian schools must proactively assess and validate every digital platform students access to guarantee compliance. IT Managers should commence thorough evaluations of third-party applications and technology partners now, reducing future risk and ensuring seamless, secure digital experiences for students.
4. Criminalisation of Doxxing
The deliberate sharing of personal information with intent to cause harm—known as doxxing—is now classified as a criminal offence, carrying penalties of up to seven years' imprisonment.
SA School Impact:
South Australian schools need to update cyberbullying and digital conduct policies to address this legislative change. IT Managers are responsible for deploying real-time monitoring and alerting systems to identify and prevent doxxing incidents across all school networks, safeguarding both students and staff.
5. Overseas Data Transfers and Whitelisting
The Act establishes a "whitelist" of countries recognised as having adequate privacy safeguards. Schools are required to ensure that all overseas data transfers strictly adhere to this list.
SA School Impact:
As many South Australian schools rely on cloud-based services hosted internationally, IT Managers must systematically confirm that all providers operate within approved jurisdictions. Contracts and data handling processes should be updated promptly to maintain regulatory compliance and protect sensitive student information.
6. Stronger Security Requirements
The definition of “reasonable steps” now explicitly mandates both technical and organisational controls to safeguard personal information.
SA School Impact:
Encryption, multi-factor authentication, and comprehensive incident response strategies are now baseline expectations. IT Managers should lead a detailed security audit across all systems, ensuring infrastructure and procedures exceed the new legislative standards and foster a culture of ongoing vigilance.
What Should IT Managers in SA Schools Do Now?
- Conduct a Comprehensive Privacy and Security Audit
  Assess all systems that collect, store, or process personal data, ensuring end-to-end visibility and risk mitigation.
- Update Privacy Policies
  Align school privacy documentation to incorporate requirements for automated decision-making and international data transfers.
- Review Vendor and Cloud Service Contracts
  Evaluate and update agreements with all third-party service providers—particularly those handling student data or cloud infrastructure—to ensure compliance with updated regulations.
- Train Staff on Privacy Awareness
  Integrate privacy training into onboarding and regular professional development programmes, fostering a culture of security-first thinking.
- Prepare Early for the Children’s Privacy Code
  Begin systematically reviewing and validating all student-facing digital tools to guarantee readiness for forthcoming compliance requirements.
Final Thoughts
The Privacy and Other Legislation Amendment Act 2024 marks a pivotal moment for South Australian schools. IT Managers now play a leading role in driving regulatory compliance, strengthening the security of student data, and minimising organisational risk in an evolving digital landscape.

16 September 2025 11:00:00 ACST