NAG 5, privacy, and digital tools in NZ schools

When a primary kura adopts a new learning app, the board is not only buying software — it is making a decision about how student information is collected, used, and protected. National Administration Guideline 5 (NAG 5) requires schools to provide a safe physical and emotional environment for students. In practice, that expectation increasingly includes how digital tools handle personal information.

This article explains how NAG 5 connects to the Privacy Act 2020 when kura procure and roll out edtech. It is practical guidance for boards and senior leaders, not legal advice. For complex situations, consult your school’s legal adviser and the Office of the Privacy Commissioner.

What NAG 5 means for digital learning

NAG 5 sits alongside other governance requirements boards already monitor — health and safety, behaviour, and pastoral care. Digital tools touch all of these when they:

• Store learner names, photos, assessment results, or behaviour notes
• Enable messaging between staff, students, and whānau
• Profile usage or recommend content based on learner activity
• Integrate with your student management system via rostering

A board that approves tools without understanding data flows may meet the letter of a policy while missing real risk: unclear retention periods, offshore hosting, or terms that allow secondary use of student data.

Treat privacy as a governance matter. IT staff and vendors implement controls; the board asks whether those controls are good enough for your community.

Privacy Act duties schools must understand

Schools are agencies under the Privacy Act. The information privacy principles require you to collect only what you need, use it fairly, keep it secure, and be transparent with individuals (including whānau on behalf of tamariki).

For edtech, focus on:

Purpose limitation — Data collected for learning should not be repurposed for advertising or unrelated analytics.

Security — Reasonable safeguards for the sensitivity of the information. Ask where data is stored and who can access it.

Transparency — Privacy notices and terms whānau can understand, not buried in generic click-through agreements.

Retention and disposal — What happens when you leave the vendor? Can you export progress data?

Third parties — Sub-processors, analytics plugins, and AI features may introduce new flows you did not expect from the sales demo.

The Ministry of Education provides broader policy context for schools; your local policies should align with national expectations and your community values.

Board questions before approving a tool

Use these in board papers and vendor meetings:

1. What personal information does the tool collect, and from whom?
2. Is data hosted in New Zealand or Australia, or only in other jurisdictions?
3. Does the vendor use student data for advertising or model training?
4. Who owns exported data if the contract ends?
5. How does the tool support incident response and breach notification?
6. Is there a data processing agreement appropriate for schools?
7. How does SSO/rostering limit over-collection of fields?

Document answers. “The vendor said it’s fine” is not evidence for stewardship.

Our student data stewardship checklist turns these into a repeatable review. For procurement, pair with edtech vendor RFP questions.

Policies and roles that reduce risk

Privacy officer / designated lead — Often a senior leader who coordinates reviews and whānau queries.

Acceptable use and BYOD policies — Updated when classroom tools change.

Software approval process — No “shadow IT” purchases on school cards without review.

Incident playbook — Who contacts the vendor, who informs the board, when to notify the Privacy Commissioner.

PLD for kaiako — What must not be uploaded (e.g. unnecessary identifying images).

Align digital policy with curriculum change so teams are not asked to adopt three disconnected initiatives in one term. Implementation supports on Tāhūrangi help sequence curriculum work; privacy review should follow the same discipline.

Whānau transparency and consent

Whānau trust grows when schools explain what digital tools do in plain language. A one-page “apps at our kura” register — updated each term — beats a forty-page policy nobody reads.

Include for each tool:

• Purpose (learning, communication, admin)
• What student data is used
• How to ask questions or opt out where appropriate
• Contact for the privacy lead

For photography and video, separate consent processes still apply. Do not assume a learning app’s terms cover school events or social media.

The parents section of the Ministry site reinforces that families are partners in education. Mirror that tone in your communications.

Records of processing and audits

Maintain a simple register: tool name, vendor, data fields, hosting region, contract end date, last review date. Internal audits need not be forensic — sample three tools per term and complete the stewardship checklist.

When trustees ask “Are we compliant?”, answer with evidence: completed reviews, board minutes, and incident logs (even if empty). Compliance is a practice, not a one-off tick.

Māori-medium and bilingual settings

Tools must respect cultural data sensitivities and language needs. Ask vendors how te reo Māori content is stored, whether data is used to train models, and if communities can withdraw participation without penalty to learners.

Common failure modes in NZ primary kura

• Free tiers with ads shown to children
• Personal accounts used because SSO was “too hard”
• Overlapping apps each holding duplicate learner profiles
• Photos and names in public channels without consent
• Generative AI features enabled without understanding what content is sent offshore

Each of these is manageable with process — not panic — if caught before whole-school rollout.

Connecting privacy to edtech strategy

Privacy compliance supports trust with whānau and sustainable adoption. Evaluation frameworks that start with learning priorities — then test privacy — outperform tool-first rollouts.

Read how NZ primary schools evaluate edtech in 2026 for a full assessment process. Technical rollout guidance sits in SSO and rostering for primary kura.

More articles on this pillar: privacy and compliance topics.

Working with suppliers and MoE resources

When negotiating with vendors, require NZ-relevant contract clauses and clear support hours. Keep copies of all amendments. If a supplier updates terms mid-contract, trigger a fresh checklist review before accepting.

Schools can also learn from cluster networks — share anonymised review templates with neighbouring kura through Kāhui Ako hui, while remembering each school remains accountable for its own agency obligations under the Privacy Act.

Trustees who are new to digital risk should receive a short induction: what student data is, where it lives, and how NAG 5 connects to the Privacy Act. Ten minutes in a board workshop prevents months of confusion later.

Schedule privacy as a standing agenda item once per term — even if the report is “no incidents, register updated.” Regular attention beats annual panic when a whānau member raises a concern on social media. Ask your privacy lead to note one improvement action each term, however small. Over a year, those actions compound into a culture whānau can trust.

Next steps for your board

1. List all learning apps holding student data
2. Complete stewardship review on the highest-risk tools first
3. Add privacy criteria to your procurement template
4. Report termly to the board in plain language

LearnSpace is designed for NZ primary kura with privacy-first defaults and whole-school governance in mind. Explore school plans or browse the schools blog.