As we have discussed previously, the Privacy Commissioner is actively working on the Children and Young People’s Privacy Project (Project) to help safeguard children’s personal information. 

Last year, the Privacy Commissioner found that clearer guidance and stronger regulations are needed to address children’s privacy issues. In this article, we outline recent updates including the announcement of a forthcoming best practice guide for the education sector.

Key takeaways

  1. New Guidance for Organisations Involving Children and Young Adults has been released. This is fresh guidance on photography and filming for organisations, with the aim of empowering children and their caregivers to understand and exercise their privacy rights effectively. The Commissioner has also provided guidance on how to respond to requests for a child or young person’s personal information. We summarise this below.
  2. The Privacy Commissioner has announced the preparation of a comprehensive best practice guide for the education sector. An expert advisory group is being established to support the development of the guide. Once it is finalised, the Guide will set expectations across the sector for the proper handling of personal information, and will require organisations in the sector to revise their existing policies to ensure compliance. We have outlined the proposal below and will report further as more information is released.

Fresh guidance

The Photography and Filming Guidance is a useful tool for sports clubs, volunteer organisations and other groups who regularly engage with young people. Key areas of the guidance include:

1. Collecting images:

  • Ensure images are only collected for a lawful purpose.
  • Consider what information the image reveals about the child or young person.
  • Obtain informed consent from children, young people, or their parents before taking photos or videos.

2. Using and sharing images:

  • Use images only for the purpose they were collected.
  • Obtain consent for any new use of the images.
  • Review the images before sharing them to ensure the child will not be embarrassed or harmed.

3. Keeping images safe:

  • Implement safeguards to prevent the misuse of images.
  • When using online platforms for video conferencing or online classrooms, always use your organisation’s account and not your personal account
  • If you can only use personal devices to take photos or videos, transfer the content to the organisation’s secure environment and delete them from your device promptly. 

4. Retention and deletion of images:

  • Do not keep images longer than necessary.
  • Develop and document processes for reviewing, retaining and deleting images.
  • Ensure images are permanently deleted – digital images sometimes require a few steps to be taken before the image is permanently deleted. The most secure way of permanently deleting images is through the use of specialised software that overwrites the image’s data. 

5. Photography and filming policy:

  • It is good practice to create a policy that outlines how images are collected, used, shared, and kept secure.
  • Inform children, young people, parents, staff, and volunteers about the policy. Providing the policy can help children, young people and their parents make an informed decision about agreeing to having their photos taken, used and shared. 

6. Managing others:

  • If using professional photographers, ensure that children, young people and their parents are aware of the photographer and consent to being recorded. 
  • Inform spectators at your event (including parents) of your policy or remind them to be mindful when taking and sharing images of children and young people. Have a process in place where people can raise any concerns about images being taken and shared of the event. 

The Sharing Personal Information about Children and Young People Guidance helps agencies respond to requests for personal information about children and young people. Key areas include:

1. Dealing with requests:

  • From parents, legal guardians, caregivers, non-custodial parents and Lawyers for the Child.
  • When requests fall outside the Privacy Act and should be managed as Official Information Act requests.
  • When other laws, including the Health Act 1956 and the Health Information Privacy Code, apply.

2. Agency responsibilities: 

  • Confirming the identity of the requester.
  • Refusing requests that may be made under the threat of harm.
  • Ensuring information is provided to the correct person. 
  • Handling requests from other agencies. 

Education sector Practice Guide

The second recent development is the announcement of an upcoming detailed best practice guide for the education sector. This will be relevant to early learning centres, primary, intermediate and secondary schools, as well as those working alongside students with learning support needs.

The guidance will cover areas such as:

  • Children’s Privacy Rights and the Privacy Act 2020.
  • Privacy, Security and Confidentiality.
  • Collecting, using and sharing information.
  • Keeping students and parents/caregiver informed.
  • Special Categories of information.
  • Accuracy of information.
  • Keeping information safe and secure.
  • Retaining and disposing of information.
  • Managing requests for information.
  • Managing privacy breaches.
  • Education technology.
  • Managing privacy complaints.

At present, public details are limited. The Privacy Commissioner has indicated that an expert advisory group made up of experts across the sector will support the development and publication of the guidance. The membership of this group has not yet been announced. 

Get in touch

Please get in touch with our contacts if you have any questions about this article, data privacy or its application to education in general. 

Special thanks to Claire Boniface for her assistance preparing this article

Contacts

Partner
Sally McKechnie
Partner
Rachael Judge
Partner
Karen Ngan
Partner
Jania Baigent
Special Counsel
Anita Birkinshaw

Related Articles

Legal Updates

Facing the Future: Facial recognition technology in New Zealand

June 10, 2025·5 min read
Legal Updates

From Principle to Practice: OPC’s draft Guidance for the indirect collection of personal information

May 09, 2025·5 min read
Legal Updates

Cyber risks report - be prepared

April 16, 2025·10 min read
Legal Updates

Privacy in the spotlight: Key lessons for businesses

March 17, 2025·4 min read
Legal Updates

Navigating the Customer and Product Data Bill: What you need to know and how to prepare

March 05, 2025·4 min read