The New Children’s Online Privacy Code is Coming: What Schools Actually Need to Do
If you’ve been keeping an eye on the digital landscape in education lately, you know the ground is shifting beneath our feet. Between student management systems, classroom apps, and online learning portals, our schools handle an immense amount of student data every single day.
Recently, the Office of the Australian Information Commissioner (OAIC) released the Exposure Draft of the new Children’s Online Privacy Code. This is a massive piece of regulation spinning out of the Privacy and Other Legislation Amendment Act 2024, and it is set to be formally registered by 10 December 2026.
I’ve been deep in the trenches on this one, attending the OAIC’s webinars, participating in their forums, and digging into the draft rules. If there is one thing I walked away with from those briefings, it’s that this isn't just a problem for social media giants. The OAIC has been incredibly clear that the Code applies to services "primarily concerned with the activities of children." That includes the ed-tech tools and platforms our schools rely on every day.
We need to get ahead of this now. Here is a practical look at what the Code requires and how we need to adapt.
The Big Shifts You Need to Know
The OAIC is essentially forcing a cultural shift in how we handle kids' data, and there are a few core pillars that will now guide everything we do.
First and foremost, the "Best Interests of the Child" comes first. This is no longer just a nice philosophical sentiment, it is a legal baseline. Every single data practice must actively support the safety, development, and overall wellbeing of the student.
Alongside this is the mandate for privacy by default. Systems must automatically default to strict privacy settings from the moment a student logs in. That means no automated geolocation tracking, and absolutely no profile building or targeted advertising based on student behaviour.
Finally, the Code sets a very clear line at the age 15 threshold. Students aged 15 to 17 can legally give their own privacy consent. For students under 15, parental consent is strictly required. Interestingly, the OAIC also emphasises getting the child's own assent, their personal agreement, before we even go to the parents for that final, official sign off.
What School Policy Hub is Offering Schools
One of the biggest complaints from the OAIC is that privacy policies are usually written by lawyers, for lawyers. The new Code demands that privacy information be clear, prominent, and genuinely age appropriate.
To meet these strict new rules, I have already updated our entire suite of student and parent facing documents to make sure we are fully compliant:
Young Student Friendly Privacy Picture Board
For our youngest students especially those who can’t quite read yet a wall of text is completely useless. The OAIC explicitly calls for "non-text material" to engage young children, which is why we’ve introduced our newly updated Privacy Picture Board. By using simple graphics and a comic style flow, it shows kids exactly what happens to their information, like their names, photos, and grades. It breaks down who can see their details in a visual way they can actually digest, while reassuring them that they always have the right to ask questions about where their information goes.
Student Friendly Privacy Policy (For Independent Readers)
For our older students who can read but definitely don't want to wade through pages of legal jargon, we’ve completely stripped out the heavy jargon to create a streamlined, plain language Student Friendly Privacy Policy. Written to talk directly to them rather than at them, this version clearly explains their digital rights in plain English. It spells out exactly how they can request to see or delete their personal data, while pulling back the curtain on how the school actively protects them from being tracked online.
The Core Privacy Policy
Our master Privacy Policy has been revised to clearly separate data collection that is absolutely essential for schooling from data that is optional. It also outlines exactly how we audit third party providers to ensure they are holding up their end of the bargain.
The Broader Compliance Picture: Supplementary Policies
Beyond updating our core privacy policies, true compliance means looking at the bigger picture of how data moves through our school daily. To back up these changes, we have also developed a suite of supplementary policies and procedures designed to handle specific high risk areas all of which are now available to download in our template store. This includes a robust Data Breach Response Procedure to ensure we can act instantly if data is ever compromised, alongside a strict Student Photographs and Video Images Policy and Procedure to manage visual media safely. We have also introduced a brand new CCTV and Video Surveillance Policy to ensure that even our physical security footprint aligns with these strict new digital privacy expectations. Finally, given how rapidly the classroom environment is changing, we have added an Artificial Intelligence (AI) Academic Integrity Guidelines Staff & Student Resource to ensure that the use of generative AI tools remains transparent, secure, and respectful of data privacy boundaries.
Final Thoughts
While this feels like a lot of administrative homework, it’s a massive win for student safety. It forces the digital tools our kids use every day to be transparent and secure. By updating our picture boards, simplifying our language, and tightening our consent forms now, we aren't just ticking a compliance box we're actively protecting our students.
Are you currently auditing your school's digital tools or rethinking your privacy policies? I'd love to hear how your school is handling the upcoming changes. Let’s chat in the comments below!
© 2026 Jane Schwarzinger School Policy Hub. All rights reserved.
