If you're a Business Manager at an independent school, add this to your list.

On 10 December 2026, the Office of the Australian Information Commissioner will register the Children's Online Privacy Code. The exposure draft has been out since 31 March 2026, and the consultation window closes on 5 June. After that, the Code becomes binding — and a breach of it will sit in exactly the same place as a breach of the Australian Privacy Principles. Section 13 of the Privacy Act. Same penalty regime. Same enforcement powers.

I have had three school conversations in the last month that all started the same way: “I think my IT manager is across this.” They were not. And it is not really an IT problem.

Here is the part that will land hardest for boards: the Code does not just apply to the apps your students use. It applies to your school as an APP entity, and it changes what you are expected to demand from every EdTech vendor sitting on your invoice list. Most schools I work with have somewhere between forty and eighty active SaaS subscriptions touching student data. Learning management. Attendance. Parent communications. Photo-sharing platforms. Wellbeing surveys. Reading and maths apps. Single sign-on. Each one is now part of your compliance perimeter.

What the Code actually says

The Code is the first major piece of subordinate legislation flowing from the Privacy and Other Legislation Amendment Act 2024. It targets entities providing social media services, relevant electronic services, and designated internet services where children's personal information is reasonably likely to be handled. The OAIC has been explicit that this covers a long way beyond TikTok — it includes games, streaming platforms, educational tools, and the apps and systems schools use to track development, share photos with parents, and monitor performance.

A short version of what changes:

Age of digital consent is 15. For anyone under 15, the entity must obtain verifiable parental consent and take reasonable steps to confirm parental responsibility.
Age assurance is mandatory. Providers must take reasonable steps to determine the age of users. What counts as reasonable scales with the risk of harm.
Privacy documentation must be age-appropriate. A 2019 privacy policy written by a lawyer for adults will not pass. Either the general policy is rewritten in language a child can understand, or a separate child-facing version is provided.
Statutory right to deletion within 30 days. Children — and parents acting on their behalf — can demand deletion of personal information. The provider has 30 days to respond.
No targeted advertising, profiling, or monetisation of children's data. Full stop.

Why this is a school problem, not just an EdTech problem

Independent schools are APP entities under the Privacy Act. State schools sit under different state-level regimes, but private and independent schools have always been covered. You hold an enormous volume of children's personal information — academic records, behavioural notes, health data, photographs, biometrics in some cases, family arrangements, financial data.

The Code does not pretend that schools can outsource this responsibility to their EdTech vendors. The OAIC's clear position is that “schools will handle consent” is not a compliance strategy for either side. If your vendor relies on you to obtain parental consent, that is a contractual matter you must actively manage — not a one-line clause to ignore.

More to the point: when a child or parent exercises their statutory right to deletion, the request lands somewhere. If it lands with you, you need a process. If it lands with the vendor, you need to know that the vendor has a process and that the deletion actually happens across every system, backup, and downstream integration.

Most schools I have audited cannot tell me, in writing, what data each of their SaaS vendors holds, where it sits geographically, how long it is retained, what it is shared with, or how a deletion request is honoured. That is the gap the Code closes.

The penalty regime has already changed

This is the bit most school boards have not connected.

The 2024 amendments lifted the civil penalty for serious or repeated privacy interferences to the greater of $50 million, three times the benefit obtained, or 30 per cent of adjusted turnover for the relevant period. The OAIC also gained new infringement notice powers for less serious contraventions — a faster, lower-evidentiary-threshold mechanism. The regulator no longer needs to drag every matter through the Federal Court.

The Code, once registered, is enforceable through that same regime. Breach the Code, breach the Act. The penalty exposure for a school depends on size and circumstance — but the days of a stern letter from the Commissioner are over.

The OAIC has not confirmed when the Code actually starts binding entities — only that it must be registered by 10 December 2026, with transition periods part of the current consultation. Plan as if you have twelve months from the day the Code takes effect. Anything more is a gift.

What I actually recommend

For a school operating with the typical SME budget and a part-time IT lead, the work is not glamorous. It is governance, procurement, and documentation — three things schools are already pretty good at when the trigger is regulatory rather than technological.

Start here:

Build a vendor register for every system that touches student data. Name, purpose, data fields collected, retention period, data residency, sub-processors, deletion process, contract end date. If you cannot fill in those columns, that is the first finding.
Write a child-facing privacy notice. Plain English. Short sentences. Tested with a Year 5 child for comprehension. This is required, not optional, and waiting until November 2026 to start is poor planning.
Review every EdTech contract due for renewal in the next twelve months. Add a Children's Online Privacy Code compliance clause. No targeted advertising. No use of student data for product improvement or analytics beyond the contracted service. Confirmed deletion within 30 days of request or contract end. Sub-processor disclosure.
Get your parental consent process documented and verifiable. A tick box in the enrolment portal is not verifiable consent. Build the workflow now, before vendor renewals expect it to exist.
Brief the board. This is a governance matter, not an IT line item. The board needs to know the obligations, the timeline, the penalty regime, and which committee owns it.
Decide who is your responsible person. Under the broader Privacy Act reforms, accountability for privacy decisions sits somewhere. In schools, it usually falls to the Business Manager by default. Make it explicit.

Most of this is documentation work and supplier-management discipline. None of it requires capital expenditure. All of it is significantly cheaper before December 2026 than after.

The question worth asking

Parents enrol their children at your school for many reasons, but the underlying transaction always involves trust — including trust with information that they would not share with most people in their lives. The Code is a regulator's attempt to make that trust legally meaningful when it is mediated by software.

The question is not whether the Code applies to your school. It does.

The question is whether the answer to “can we, on a Tuesday, produce a list of every system that holds our students' data, and the legal basis on which each one holds it?” is yes or no.

If it is no, that is where the next six months go.

Daniel Johns is a CRISC-certified virtual CISO and GRC advisor, Founder of Coastal Cyber, and a member of the ISACA Global Advisory Council and CompTIA Executive Council ANZ. He works with healthcare providers, financial services firms, and technology businesses across Southeast Queensland on privacy, cyber security, and governance.

If your privacy and cyber posture needs a clear-eyed assessment, book a 20-minute conversation.