EthosOne
Sector scanner
By Dave Yeates

Sector Signal, May 2026: the end of the outsourced school

Three Australian regulators in the past fortnight said the same thing in three different ways. Schools cannot outsource accountability. Not to a vendor. Not to a board structure. Not to a generic privacy regime.

This is Issue 03 of Sector Signal, the EthosOne fortnightly read for independent school principals and boards. Plain language. Primary sources. One reflection question per pattern, for use in your next senior team meeting.

Pattern 01: the OAIC just put 177 schools on notice

On 11 May 2026, the OAIC publicly acknowledged the global Instructure (Canvas LMS) cyber incident. 177-plus Australian schools, universities, and education organisations have been identified as Canvas users in the breach. Brisbane Grammar, Sacred Heart College Geelong, and Mentone Grammar are among the Australian independent schools named. The data exposed includes names, email addresses, student ID numbers, and platform messages.

The reason this matters to schools that do not use Canvas is the legal architecture under the Privacy Act 1988. Australian Privacy Principle 8 requires an APP entity that discloses personal information to an overseas recipient to take reasonable steps to ensure the recipient does not breach the APPs. Section 26WC(1) deems the disclosing entity to "hold" that personal information for the purposes of the Notifiable Data Breaches scheme.

The legal effect is straightforward. If your school disclosed student data to an overseas vendor and that vendor is breached, your school remains responsible for assessing whether the incident is an eligible data breach and for notifying the OAIC and affected individuals where serious harm is likely. The accountability does not travel with the data. It stays with the school.

That rule is not specific to Canvas. It applies to every overseas SaaS your school uses. Microsoft. Google. Adobe. Brevo. Stripe. Zoom. The Canvas event is simply the live proof point that the rule is in operation. The vendor register is now a board artefact, not an IT artefact.

A reflection for your senior team. Name the five overseas vendors your school cannot operate without by Monday. For each, when was the last review of their breach notification SLA and the data classes you have disclosed?

Pattern 02: VRQA just became the first Australian regulator to prescribe board composition

The Victorian Registration and Qualifications Authority closed consultation at 5pm on 20 May 2026 on its updated Guidelines to the Minimum Standards for School Registration. The draft introduces two material new prescriptions. A majority of independent directors on the governing body, where no prior board composition rule existed in Australian school registration regimes. And written delegations setting financial and non-financial limits, including sub-delegation conditions and reporting obligations. Final guidance is expected from Term 3 and applies from 1 January 2027.

This is the first time an Australian state regulator has codified board composition for independent schools. The bar has moved from "is the school registered" to "is the governing body structured to make defensible decisions". The VRQA is, in effect, in the boardroom.

The upstream cause is the 2023 Productivity Commission's accountability deficit finding, operationalised by the Better and Fairer Schools Agreement 2025-2034. VRQA is the canary. NESA's 2026 short-notice inspection regime samples evidence from "the school's records from its usual day to day procedures and operations" - the same shift, in sampling mode. South Australia's Education and Early Childhood Services Act review commences this year. Each state regulator is asking the same underlying question in different clothes.

What changed this fortnight is that VRQA crossed a line every other state can now follow. Board composition is no longer a school's internal governance choice. It is a registration condition.

A reflection for your senior team. Does your governing body have a written declaration of which directors are independent and which are interested? When was the declaration last updated? Would your delegation register survive a regulator asking who can spend what, and when did they last report back?

Pattern 03: EdTech vendors are about to be in scope

The OAIC's exposure draft Children's Online Privacy Code closes for consultation on Friday 5 June 2026, with registration aimed for 10 December 2026. The Code expands children's privacy protections beyond social media platforms to apps, games, and websites used by under-18s. The OAIC has signalled that education technology providers and providers of certain wearables or smart toys accessed by children may also be required to comply.

For three decades, the Privacy Act treated children as a sub-category of adults. The Children's Online Privacy Code separates them into their own protected class. Any digital service "likely to be accessed by children" inherits a higher standard of consent, design, and safeguarding.

The compounding effect with Pattern 01 matters. Every overseas EdTech vendor a school uses becomes a vendor that will need to demonstrate Code readiness from December. The school's vendor register is therefore not only a Canvas-response artefact, it is also the procurement instrument that will determine which vendors survive the December registration date. The question about a vendor stops being "could they be breached" and starts being "are they built to a children's standard".

A reflection for your senior team. If the Children's Online Privacy Code registers on 10 December as drafted, which of your current EdTech vendors will you need to re-paper before renewal? What does your procurement pipeline look like between now and December?

What this fortnight has in common

Three different signals, the same shape. The OAIC's Canvas statement says the school cannot outsource the breach. VRQA's prescription says the school cannot outsource board composition. The Children's Online Privacy Code says the school cannot outsource the obligation to vendors who treat children's data like adult data. Each pattern moves a piece of accountability from outside the school back to inside it.

You do not need to respond to all three in the next 14 days. The next board meeting is the right moment to look at your vendor register, your board composition declaration, and your EdTech procurement pipeline, and ask the same question three times: where in our school does this responsibility actually live, and is it built to hold up under scrutiny.

That is the question the next 12 months will keep returning to.

Sector Signal is a fortnightly read for independent school principals and boards. EthosOne writes it as part of how we listen to the sector we serve. If a colleague would benefit from receiving it, send them this link.


Discover more about EthosOne

Continue exploring governance insight, product context, or speak with our team.

Board-ready in 30 days

EthosOne supports everyone who plays a role in school governance:

What you can expect

Governance Clarity

Boards get consistent, ready-to-present insights.

Assurance Confidence

No blind spots, everything tracked under ownership.

Compliance Control

State-aligned obligations managed and visible.

Risk Transparency

ISO-aligned risk management with accountability.

Get your Exposure Score

Walk into the next board meeting already sure.

Book a demo for your school

When the assessor calls, the evidence is already there.