Compliance guide

Student Data Protection

A practical guide to protecting student records, payment data, and safeguarding files under the NZ, UK, and AU regulators.

What "student data" actually covers

The scope is broader than most schools assume:

  • SIS records (student information systems)
  • Payment data (parent fees, school meals)
  • Safeguarding notes and welfare records
  • Photos and CCTV footage
  • Communications (parent-teacher email, WhatsApp groups, virtual classroom recordings)
  • Special educational needs assessments

Each category has different sensitivity and different breach implications.

Regulators by region

  • New Zealand: Privacy Act 2020. Notification to Privacy Commissioner and affected individuals when serious harm is likely.
  • United Kingdom: UK GDPR + Data Protection Act 2018, plus the DfE Cyber Standards. ICO notification within 72 hours.
  • Australia: Privacy Act 1988 + Notifiable Data Breaches scheme. OAIC notification within 30 days for likely-serious harm.

The education sector also has region-specific safeguarding obligations layered on top.

How AI-native security supports compliance

Three concrete supports:

  • Audit trails: console logs are richer and more queryable than legacy AV reports.
  • Access logs: who accessed what student record, when, from where, auditable on demand.
  • Anti-exfiltration: BlackFog stops data leaving the device, which is the practical mechanism behind most breach scenarios.

Breach response playbook

1. Identify: confirm the scope, what was accessed, and by whom
2. Contain: isolate affected systems and revoke compromised credentials
3. Assess harm: apply the regulator's "serious harm" test
4. Notify: the regulator first (within the window), then affected individuals
5. Recover: restore from clean backups, change credentials, and monitor for follow-up attempts

KB sits with you through all five steps. We provide the documentation regulators expect.

Frequently asked questions

Do parents need to consent to security monitoring?

It depends on the regulator and the nature of the monitoring. AI-native security focuses on threats, not user behaviour, which sits comfortably within the legitimate-interest basis under most regimes. Transparency notices in your privacy policy cover the obligation.

What counts as a notifiable breach?

Thresholds are set per region. UK: any breach posing a risk to data subjects. NZ: serious harm test. AU: likely-serious harm. KB applies the relevant test to the specific incident and produces the regulator-ready notification draft.

How long must breach evidence be retained?

Retention guidance varies by region. A defensible default is 7 years for breach incident records, longer if litigation is foreseeable. Audit logs from the security console are part of the retention scope.
