Privacy Act 2020: The ‘Need to Know’ Principle in Student Records

by IntegrityReady | Jan 9, 2026 | All Sectors

Schools are confusing subjective gatekeeping with legal compliance, creating a direct path to the Privacy Commissioner. The statutory right to access is not a suggestion; it comes with a 20-working-day deadline, and missing that deadline triggers immediate audit failure.

Up to $15,000. That’s the fine for misusing a National Student Number under the Education and Training Act 2020, s 661. It’s the financial anchor for a systemic failure: schools treating student data access as a matter of institutional discretion, not legal mandate. The ‘need to know’ principle is being weaponised to obscure non-compliance.

The Audit Trigger

The auditor arrives with three questions. They demand documented procedures for identity verification, a log of every withheld request with its legal justification, and proof of a designated privacy officer with a 24-month complaint log. The absence of any one is a red flag. The absence of all three is a systemic governance failure. They will cross-reference your logs against the 20-working-day response clock mandated by the Privacy Act 2020. Every late response is a documented breach.

The Regulatory Hook

The law is binary. Privacy Act 2020, Principle 6 gives the student a right of access. Education and Training Act 2020, s 165(3) compels reporting to parents without student consent. These are not competing interests; they are parallel statutory rights. Withholding information requires citing a specific Privacy Act exception—not citing teacher discomfort or administrative convenience. The Privacy Commissioner’s enforcement powers turn every poorly documented decision into a potential investigation, fine, and permanent reputational stain.

Director Action Point

“Show me the log of all personal information requests from the last year. For each one, show me the date received, the documented identity verification process, the date of our decision, and the specific Privacy Act 2020 clause cited if we withheld any information. I want to see the 20-working-day clock on every entry.”