Student data stewardship checklist for NZ schools
A practical checklist for kura reviewing edtech vendors — Privacy Act alignment, data flows, retention, and board-ready documentation before rollout.
Use this checklist when a syndicate wants to trial a tool, when ICT proposes a whole-school integration, or when the board asks for evidence that student information is handled responsibly. It complements our article on NAG 5 and digital tools and aligns with the Privacy Act 2020 principles.
Before you start
- Named reviewer (senior leader or privacy lead)
- Tool purpose linked to a curriculum or pastoral goal
- Trial scope defined (classes, duration)
- Whānau communication draft ready if the trial expands
Collection and purpose
- List every data field requested (name, email, year level, photo, assessment, etc.)
- Confirm each field is necessary for the stated purpose
- Roster via SSO or the student management system (SMS) where possible — avoid manual spreadsheets of learners
- No collection of unnecessary whānau contact data in classroom tools
Vendor and legal documentation
- Current terms of service and privacy policy saved (dated PDF)
- Data processing or school agreement reviewed
- Sub-processors listed (hosting, analytics, AI features)
- Answers recorded using vendor RFP questions
Storage, access, and security
- Hosting location documented (NZ, AU, or other)
- Role-based access for staff; student accounts age-appropriate
- No advertising to students; no sale of personal information
- Export format known if you leave the vendor
Retention and incidents
- Retention period and deletion process documented
- Breach notification process understood
- School incident playbook updated if this is a high-risk tool
Governance sign-off
- Review attached to board paper if over delegation threshold
- Trial evaluation date set with syndicate lead
- Re-review scheduled if vendor updates terms or adds AI features
Roles and accountability
| Role | Responsibility |
|---|---|
| Principal | Escalation, board reporting, vendor dispute |
| Privacy lead | Checklist completion, register maintenance |
| ICT | SSO, roster sync, technical incident |
| Syndicate lead | Trial feedback, classroom acceptable use |
| Board | Approval over threshold; policy adoption |
Red flags — stop until resolved
- Vendor cannot explain hosting location or sub-processors
- Tool requires student email addresses when SSO suffices
- Terms allow advertising to minors
- No export path on contract exit
- Generative AI sends student work offshore without clear consent
Escalate red flags to the principal and board chair before trial expansion.
Annual review cycle
Each January (or contract anniversary):
- Re-read vendor terms for changes
- Confirm roster fields still minimal
- Archive previous checklist version in board folder
- Remove tools no longer used from the public register
After approval
- SSO/rostering configured per rollout guide
- Kaiako briefed on acceptable uploads and messaging
- Tool added to public register of school apps for whānau
Optional: board paper attachment summary
The [tool name] review was completed on [date]. Data is hosted in [region]. No advertising to students. SSO enabled. Trial recommended / not recommended because [one sentence]. Next review [date].
Attach the full checklist to the board portal for audit purposes. Keep signed PDFs or ticket numbers from vendors so you can prove diligence if a complaint arises.
Stewardship is ongoing. Re-run this checklist when contracts renew or features change.