Education
Parents forgive a lot. A data breach isn't on the list
For NZ schools, tertiary providers, and training organisations — written for the NZQA review that suddenly pivots to IT, the staff laptop that went home with a term's worth of attendance data, and the parent email no one wants to open.
Sector Reality
The question a customer or insurer asks before the deal
It rarely starts with a breach. It starts with an NZQA reviewer asking what happens when a pastoral-care issue lands on a personal laptop
Waiting costs more in education. A parent email becomes a mandatory Privacy Commissioner notification. An NZQA surveillance visit becomes a formal finding. A TEC query becomes a funding hold. None of them are classroom emergencies. All of them take longer to fix than the original question would have taken to answer cleanly
Common Pressure Points
Where the questions cluster before the deal lands
Where the questions arrive from NZQA, the Privacy Commissioner, the Board of Trustees, and the parent community, usually in the same week
Who has the student management login on their phone right now?
Teacher phones. Deputy phones. The part-time bursar's phone. The TA who covered two days of admin last term. Most schools can't answer the question, and no one wants to ask it in front of the Board.
A staff laptop walked out of the library. It had the term's attendance data on it
The Privacy Commissioner has received sharper letters for less. Mandatory notification doesn't care whether the laptop was locked or the staff member thought it was 'just attendance.' The letter to parents gets written whether the school is ready or not.
The data that would take a decade to rebuild lives on personal laptops
Research notes, student histories, pastoral files, curriculum work — sitting across personal laptops, shared drives, and cloud accounts nobody formally approved. Hackers have already been caught selling access to 7 of 8 NZ universities. The funders, commercialisation partners, and auditors are the ones asking first.
NZQA wants evidence. TEC wants evidence. A parent wants reassurance. None of them want the same answer
Each review cycle, the same questions land in the Principal's inbox — from different reviewers, about slightly different things, in slightly different formats. Without a single place to pull from, every answer gets written from scratch under time pressure, and the gaps show.
Standards That Apply
The evidence that ends the questionnaire loop
Common obligations and buyer expectations
Relevant Services
First month: baseline, ownership, and one piece of evidence
The first move: a student-data asset register, a tested breach-notification flow, and one piece of evidence for the next NZQA cycle
Stop searching ten systems every time a customer asks for their data
Map where personal information enters your business, where it goes, and who is responsible before privacy obligations or customer questions catch you out.
Make Awareness Change What Staff Actually Do
Turn awareness from annual box-ticking into staff behaviours that reduce the risks most likely to cost the business money, time, or trust.
Know Who Gets Told, When, And What, The Moment A Breach Hits
Get the business ready to respond to a privacy breach with a practical plan, decision guide, and rehearsal before the real call comes in.
Stop Maintaining Policies Nobody Actually Reads
Put the policies the business actually needs in place, keep them current, and stop policy work turning into an annual scramble.
See What Information Runs The Business
Know which information loss would hurt first, who owns it, and where it sits before security, privacy, or continuity decisions get made in the dark.
Stop Guessing When A Buyer Asks How Secure You Are
See where the business is exposed, what matters first, and what should be fixed before the next review, buyer question, or renewal lands.
Questions We Hear
The questions every discovery call opens with
Education budgets are tight — can we really afford security support? +
Hackers have already been caught selling access to 7 of 8 NZ universities on the dark web. A breach of thousands of student records triggers mandatory Privacy Commissioner notification, reputational damage with parents and community, and potential NZQA scrutiny. Support starts from $1,750 a month, designed to work within education funding realities.
Our IT department already handles security — why do we need dedicated support? +
Your IT team manages your network, devices, and systems — and they do that well. But Privacy Act compliance, research IP controls, NZQA expectations, pastoral care data duties, and a working staff training plan are not IT tasks. When the Privacy Commissioner investigates a student data breach, they ask about policies, processes, and ownership — not firewall configuration.
We haven't experienced an attack — why invest now? +
Hackers were selling access to 7 of 8 NZ universities on the dark web, and NCSC scanning identified 556 potentially vulnerable NZ education web services. Educational institutions are targeted because they hold extensive personal data, operate open networks, and often have limited security resources. The Mercury IT attack showed how a single supply chain ransomware incident can cascade across education and health at once. Waiting for an incident to justify investment means responding under crisis conditions instead of building resilience on your terms.
How does this work alongside our existing IT team? +
Our support complements your IT team — it doesn't replace them. We handle the strategy, risk assessment, policy, compliance mapping, and board-level reporting. Your IT team keeps running the technology. Most IT teams welcome it because it formalises work they know needs doing but don't have the bandwidth to lead.
What Usually Happens Next
Put the evidence in place before the next NZQA cycle or parent letter asks for it
If a review, a near-miss, or a parent query has landed in the last month, we'll help you decide what to tighten and what to document first — without dumping work on teachers and office staff who are already stretched.