Education: privacy compliance when accessing student records from third-party sources

Education providers in New Zealand — universities, polytechnics, wānanga, and private training establishments — collect personal information about students from multiple third-party sources as part of enrolment, scholarship assessment, and academic record management.

Common third-party data sources

• NZQA — qualifications, credits, and academic records
• StudyLink — student loan and allowance status
• Previous institutions — academic transcripts and conduct records
• Immigration NZ — visa status for international students
• Police — safety checks for students on placement

IPP3A obligations

When an education provider accesses student data from any of these sources, they are collecting personal information from a third party. IPP3A requires them to take reasonable steps to ensure the student is aware of the collection.

Current practice

Most institutions include a broad data collection consent in their enrolment form. However, the 2024 amendment's "proportionate" standard means the consent should be specific about which third-party sources will be accessed.

Recommendations

• Update enrolment forms to specifically list the third-party data sources accessed.

• Provide a separate notification when accessing sources not covered by the enrolment consent (e.g., police checks for placements).

• Record the IPP3A pathway for each third-party data access.

• Use DEIS to automate compliance for credit checks and identity verification during enrolment.