seufert.co

“Weaponised Privacy” in Education

Five years ago, I wrote about the troubling frequency with which IT teams had access to your passwords. Back then, alarmingly, it was not seen as a pressing issue. Today, things are starting to change. Cybersecurity has tightened, and we’re hyper-aware of our personal information’s safety. Yet, in the drive to protect privacy, we’ve entered a space where the cure may be worse than the cause.

The PIA (Privacy Impact Assessment) has become a common fixture in schools, seen as a necessary part of understanding the volumes of data we hold on students, parents, and staff. The intent is clear: protect sensitive information. But the execution? It’s overbearing. Schools face an administrative avalanche when trying to assess every tool, website, or app our teachers and students touch. It’s become an impossible task. The reality is, schools today use hundreds, if not thousands, of apps, tools, and platforms in the pursuit of a modern education.

How do you even categorise these tools? Most people think of Learning Management Systems (LMS) or suites like Google Workspace and Microsoft 365 when they hear “data.” But what about smaller, seemingly insignificant sources, like the tracking data from a calculator tool or even the data collection built into hardware like 3D printers? When every tool used in a school requires its own privacy assessment, it’s not long before we hit a brick wall. And here’s the kicker: the administrative challenges mean most tools are simply being used right now, often without any awareness of their privacy policies.

To alleviate this burden, school groups and systems are engaging external services that claim to streamline the PIA process. In Australia and New Zealand, a service called ST4S is used across school groups. The idea is simple: provide schools with pre-built PIAs for common apps. But this system-level solution does not undo the obvious failings of requiring PIAs across the board.

When reviewing the ST4S catalogue, many PIAs are already outdated (and ST4S is still relatively new). Broken privacy policy links, missing updates. How can we have confidence in the accuracy of the assessment if links don’t work?

Then there’s the issue of oversimplification. These services often reduce complex data risks to a traffic light system: green, yellow, orange, red. Sounds practical, right? But the problem is, a school’s student information system (SIS), which holds the most sensitive data about students, might get the same orange rating as an educational game app that collects just a name and email. It’s a gross misrepresentation of risk.

So what if we just look at the PIA recommendations? Unfortunately, the offered recommendations are often unrealistic. A recent suggestion advised that we ensure the deletion of all related data from an SIS when a staff member leaves. This is problematic. Should we scrub everything, including teacher grades and the teacher student safety notes? Not only is it unrealistic, but it also risks compromising essential information that schools may legally be required to retain.

The impact on schools is a weaponisation of privacy.

Rather than empowering schools to make informed choices, the complexity of PIAs is being used as a reason not to engage with new tools, and as a way for IT teams or school leaders to block new ideas, progress and innovation. How often have we heard: “Sorry, we can’t use that tool, it needs a PIA,” or “That’s too risky, let’s not touch it.” This approach stifles innovation and creativity in schools, reducing the number of tools educators are willing to explore, just when our students need exposure to emerging technologies the most.

The answer is not more regulation. What schools need is a smarter, more focused approach to data management. Instead of treating every tool and platform the same, let’s focus on the real risks. The handling of Personal Information should follow basic, universal protocols. When it comes to Sensitive Information — like health data or records of counselling sessions — that’s where PIAs can be useful, but only when done well.

Let’s stop weaponising privacy and start using it as it was intended — to protect, not prevent. Schools are getting lost in the weeds of privacy compliance, and it’s impacting the very mission of education. PIAs should be a tool for safeguarding critical data, not a barrier to progress. Instead of curating a checklist for every app we touch, let’s shift to a protocol-driven approach where data handling is ingrained in every staff member’s practice. This way, schools can focus on what they do best: teaching and learning, not paperwork.