Our school has a mixed BYOD and school-owned device environment. Can you manage both?

Yes. School-owned devices enroll into Intune with a managed configuration; BYOD devices either use a managed-app pattern (the data lives in managed containers, the device stays personal) or a lighter identity-only pattern. The right mix depends on year level, the apps in use, and how much IT staff time you have. We don't push one pattern on every school.

What about student privacy when we're using third-party learning platforms?

That's a vendor-risk conversation, not a technical one. For each platform we build a register: what data flows to it, what the vendor's security posture is, where the data is hosted, and what the contract says about access, breach notification, and data deletion on termination. Then we review it annually with you. If a platform can't demonstrate good posture, we flag it and you decide.

We have long-serving staff with accumulated access to everything. Is that an issue?

Usually yes. The "everyone had admin because it was easier" era leaves a residue: dormant service accounts, shared mailboxes with passwords written down somewhere, system accounts that survived the IT coordinator who set them up in 2014. We audit identity as part of onboarding and give you a prioritised clean-up list. Nothing dramatic; just getting the environment honest about who can actually do what.

We're connected to the diocese / system network. Does that mean we're covered?

Partly. Diocese or sector-level infrastructure typically covers identity federation and sometimes filtering, but not EDR on your devices, not Microsoft 365 tenant configuration, not backup, not the cybersecurity training your staff need, and not your school-specific vendor risk. We integrate with sector-level services where they exist and cover the gaps.

Can teachers use Microsoft 365 Copilot, ChatGPT Edu, or Claude on student work or records?

Yes, with the right tier and the right policy, and it's worth doing properly rather than ignoring. Teachers are using these tools already; the question is whether you've chosen the ones with appropriate data-handling terms (Microsoft 365 Copilot under an EDU agreement, ChatGPT Edu, Claude for Work) and written an acceptable-use policy that covers what data can be entered, how AI-assisted assessments are marked, and how parents are informed. We've helped schools land on policies that aren't a blanket ban but also aren't a Wild West.

Industry · Education

IT and cybersecurity for Australian schools.

Independent and Catholic schools. Student information systems, learning platforms, assessment tools, mixed device environments, parent communications, and the governance expectations that sit behind all of them. We know the school year has rhythms the IT plan has to respect.

What's actually different in education

Schools are high-trust environments with complex consent chains.

The data a school holds is unusual: information about children, held with the consent of parents, shared with teachers, processed through a dozen third-party platforms, and retained for years beyond the student's time at the school. Every decision about access, sharing, retention, and deletion involves someone who didn't consent directly. That's why the paperwork matters; the paperwork is the consent chain made durable.

The technical pattern is standard-ish: a Microsoft 365 tenant, a student information system, a learning management system, a mixture of school-owned and BYOD devices, a filter somewhere, a backup somewhere, and several dozen specialist platforms accumulated over the years. The issue is rarely the platforms themselves; it's that no one has ever audited the whole shape and made it cohere.

We run that audit as part of onboarding, sequence the clean-up against term dates (some things can't move during reports, some things can't move during exams), and hand you a clean register of who holds what, who can access it, and how you'd prove it in a Child Safe audit.

Live right now · education

The 2026 pressure points we're actively working on with clients.

The specific asks, deadlines and enforcement actions shaping 2026 conversations in your sector.

Child Safe Standard 9: online safety is now enforced

State regulators are actively enforcing the online-safety dimension of the Child Safe Standards. Schools are expected to risk-assess every student-facing SaaS tool before deployment, with a documented outcome and a review cadence. Audit questions on this have shifted from "do you have a policy" to "show us the risk register".

National Framework for Generative AI in Schools

The national framework is now in effect, and the 2026 policy updates from AISNSW, AISV and most dioceses require vendor data-handling review before teachers deploy any AI tool in class. The practical ask: no consumer AI on school devices, enterprise-tier tools only, a written acceptable-use policy for teachers and students, and evidence that parents have been informed.

LMS and SIS vendor risk register

Compass, Sentral, SEQTA, Canvas, Seesaw, ClickView, hundreds of specialist tools: state bodies and insurers are now asking schools to maintain a documented third-party risk register with breach history, data-handling terms and offboarding arrangements. Post the high-profile 2024/25 breaches, this has moved from nice-to-have to board-level expectation.

Dedicated security role on the school org chart

Boards in independent and Catholic schools are increasingly funding a dedicated cybersecurity role (either a part-time in-house role, a retained specialist, or an MSP-provided vCIO function). The driver: parent community expectations after high-profile school breaches in 2024/25.

Frameworks that turn up in the room

Industry frameworks, regulations and audit standards for education in Australia.

Privacy Act 1988 + APPs: Student information is personal information. Most independent and Catholic schools have direct APP obligations; many government-funded but non-government schools inherit obligations through their sector agreements.
Child Safe Standards: State-based Child Safe Standards (NCCS, VCSS, etc.) include information-handling and record-keeping expectations. IT is the system that enforces access segregation, retention, and the audit of who accessed what.
NSSF / AIS / state accreditation: Registration and accreditation frameworks for non-government schools include governance expectations that extend to IT risk management. Evidence is expected, not assumed.
Vendor risk (LMS, SIS, assessment platforms): The learning platforms, student information systems, and assessment tools in use each introduce a third-party risk. Increasingly, schools are being asked to demonstrate oversight of these relationships, not just select them.
ACSC Essential Eight: Independent schools in particular are being asked by insurers and diocese-level bodies to demonstrate Essential Eight maturity. See /essential-eight for the maturity model.

Common questions

The things education clients ask us first.

Our school has a mixed BYOD and school-owned device environment. Can you manage both?: Yes. School-owned devices enroll into Intune with a managed configuration; BYOD devices either use a managed-app pattern (the data lives in managed containers, the device stays personal) or a lighter identity-only pattern. The right mix depends on year level, the apps in use, and how much IT staff time you have. We don't push one pattern on every school.
What about student privacy when we're using third-party learning platforms?: That's a vendor-risk conversation, not a technical one. For each platform we build a register: what data flows to it, what the vendor's security posture is, where the data is hosted, and what the contract says about access, breach notification, and data deletion on termination. Then we review it annually with you. If a platform can't demonstrate good posture, we flag it and you decide.
We have long-serving staff with accumulated access to everything. Is that an issue?: Usually yes. The "everyone had admin because it was easier" era leaves a residue: dormant service accounts, shared mailboxes with passwords written down somewhere, system accounts that survived the IT coordinator who set them up in 2014. We audit identity as part of onboarding and give you a prioritised clean-up list. Nothing dramatic; just getting the environment honest about who can actually do what.
We're connected to the diocese / system network. Does that mean we're covered?: Partly. Diocese or sector-level infrastructure typically covers identity federation and sometimes filtering, but not EDR on your devices, not Microsoft 365 tenant configuration, not backup, not the cybersecurity training your staff need, and not your school-specific vendor risk. We integrate with sector-level services where they exist and cover the gaps.
Can teachers use Microsoft 365 Copilot, ChatGPT Edu, or Claude on student work or records?: Yes, with the right tier and the right policy, and it's worth doing properly rather than ignoring. Teachers are using these tools already; the question is whether you've chosen the ones with appropriate data-handling terms (Microsoft 365 Copilot under an EDU agreement, ChatGPT Edu, Claude for Work) and written an acceptable-use policy that covers what data can be entered, how AI-assisted assessments are marked, and how parents are informed. We've helped schools land on policies that aren't a blanket ban but also aren't a Wild West.

The qualifier

Let's see if we're a fit.

Seven questions, one moment of your time. We'd rather tell you now than three months in.