Privacy impact assessments
Overview
A privacy impact assessment (PIA) identifies and assesses the privacy impacts of any initiative or software that handles personal, sensitive or health information.
PIAs help schools identify privacy and security risks, evaluate compliance with Victorian privacy law and document ways to reduce risks. They also help schools identify important information to include in parent notifications.
When a PIA is needed
All software used by schools must meet child safety, privacy, records management and information security requirements.
A PIA is recommended if the school wants to use software not already provided by the department that:
- isn’t listed on Arc
- stores personal, sensitive or health information
- is identified as high risk.
Software may be high risk when it:
- holds sensitive or health information about students, parents or staff
- handles photos or videos of students
- offers cloud storage with limited security or allows insecure access through the internet or mobile devices
- allows remote access, video or teleconferencing, unmoderated or unsupervised chats
- allows users to share content publicly
- is a new and relatively unknown software that handles personal information.
For more information or clarification about whether a PIA needs to be conducted, please contact the Privacy team at privacy@education.vic.gov.au. By engaging with the Privacy team throughout the completion of the PIA, principals can make informed decisions when implementing software in their school.
For more information on requirements for school software, refer to the Technologies and ICT Services policy.
Before implementing any software, schools must refer to and follow the guidance in the Software and Administration Systems policy.
Conducting a PIA
The PIA template is best completed by the person in the school who is most familiar with the software or initiative. Vendors must not complete the PIA on the school’s behalf. However, staff can contact vendors to ask specific questions about security setup and functionality.
PIA templates
Pre-populated PIA templates are available for software commonly used in schools. Schools must adjust these and complete them to reflect how their school plans to use the software to meet their requirements.
Download the templates from Pre-populated PIAs (staff login).
For other software, download the PIA template (DOCX 145 KB) (staff login).
Completing the template
The PIA template consists of:
- Part 1: Risk identification
- Part 2: Action list
- Part 3: Endorsement.
Part 1: Risk identification
Part 1 of the template is an analysis of the proposed software against the 10 Information Privacy Principles, covering each stage of the information life cycle (collection to disposal).
Things to consider at each stage of the information life cycle:
- Collection: What information is being collected? Is it all necessary? Is the school collecting new information or can existing information be used? Is a new collection statement or consent required?
- Use and disclosure: Does the use and disclosure of existing information fit the original collection purpose? Is there a reasonable expectation of the use and disclosure? Who will the information be shared with?
- Quality: How will the school keep the information current, accurate and complete?
- Storage and security: How will the school keep the information safe? Is the data stored outside of Victoria and, if so, will similar privacy protections apply?
- Disposal: Do any mandatory retention periods apply? How will information be returned, destroyed or permanently de-identified?
Part 2: Action list
Part 2 of the template is a list of actions the school must take to reduce any risks identified in Part 1. The department’s privacy team can help determine these in consultation with the school.
Part 3: Endorsement
Once Parts 1 and 2 are completed:
- Send it to the Privacy team to review. They may require changes before it can proceed.
- The principal’s endorsement is required once any changes are made. By signing the PIA, the principal accepts responsibility for the completion of the action list and any risks described in the PIA.
- Send the signed PIA back to a privacy officer who will also endorse it and acknowledge that the PIA has been completed in accordance with department policy and process.
It is important to note that the Privacy team don’t endorse any software. Instead, the Privacy team’s role is to review PIAs and offer recommendations and advice on ways to reduce risks.
Once the PIA is endorsed by all parties, schools must:
- keep the signed PIA with other project documentation (for example, security assessments and contracts)
- complete everything in the action list
- record any additional actions taken after the PIA was signed by adding a page after the endorsement section
- share a copy of the PIA with the School Council, if requested and with principal approval.
Privacy matrix
Some schools maintain a privacy matrix which is a list of all third-party software at their school that handles personal, sensitive or health information.
Using a privacy matrix is optional but it can be useful to help streamline notifications or communications to parents.
To start creating a privacy matrix, download the Privacy matrix template (XLSX 34 KB) (staff login).
If help is required to complete the privacy matrix, please contact the Privacy team at privacy@education.vic.gov.au.
Reviewed 10 July 2025