NSW Schools Leak Student Data: 2000 Files Exposed

A recent audit of the NSW Department of Education has uncovered significant data privacy issues, including a breach where two students accessed approximately 2000 files containing sensitive information about their peers. These files included details on mental health diagnoses, disabilities, and behavioral concerns, exposed due to misconfigured Microsoft 365 settings that undermined built-in access controls.

The report, covering the period between 2023 and 2025, identified critical gaps between official policies and the practical handling of student data. It highlighted issues such as school principals being allocated complex technical risks without adequate assessment of their capacity to manage them. Furthermore, the reliance on third-party learning apps presented problems due to a lack of system-level oversight, with a significant percentage of apps used by schools not appearing on the department's approved marketplace.

Inconsistent staff access privileges also contributed to the security vulnerabilities, with instances of former staff retaining access to student records. The audit also cited an example of paper records containing student information being found dumped at a construction site. The Department of Education has committed to implementing the audit's recommendations, which include reviewing principal responsibilities and strengthening controls over student information access and usage.