No, you can’t contract your way out of the Privacy Act

Some EdTech vendors still slip clauses into their terms and conditions that try to shift responsibility for privacy and security onto parents, educators or centres. It might look like a liability disclaimer, a “use at your own risk” statement, or a line suggesting the centre is solely responsible for what happens on the platform.

But here’s the reality: no matter how carefully you word your terms, you cannot contract your way out of obligations under the Privacy Act or the Australian Privacy Principles (APPs). If your platform collects, stores or processes personal information about children or families, you remain responsible for protecting it. The end.

 

“We’re not responsible if a parent shares their password.”

Yes, password-sharing creates risk. But a clause like the above is often a blanket escape hatch to avoid acknowledging broader security weaknesses. Even if a parent mismanages a password, the vendor must still:

  • secure the system against unauthorised access

  • prevent predictable URLs or weak API behaviour

  • ensure proper authentication and access controls

  • detect and respond to suspicious activity

Password negligence does not absolve a vendor from meeting APP 11 (security of personal information).

 

“By using this service, you assume all risk.”

This is simply invalid. A vendor cannot transfer responsibility for safeguarding personal information to families or educators. Under the APPs, the organisation collecting and storing the data retains the legal obligations. Not the end user.

 

“We are not liable for any loss, damage or breach of privacy.”

Vendors tend to include sweeping disclaimers like this. Such disclaimers may limit some forms of contract liability, but they do not override statutory privacy obligations. If a vendor mishandles children’s photos, identity documents or behavioural records, such as by storing them unsecured in the cloud, a disclaimer won’t protect it from OAIC investigations, regulatory enforcement, mandatory breach notifications, reputational damage, or loss of contracts with education providers. Disclaimers never excuse poor practice, especially when it involves children’s data.

 

“We only provide the platform. Centres and schools are responsible for what is uploaded.”

This may be seen as an attempt to avoid responsibility for photos, documents or sensitive updates stored on the system. But if the vendor is storing or transmitting the data, they are a “holder” of personal information under the Privacy Act. That means they must still:

  • secure the data

  • protect it from unauthorised access

  • ensure proper deletion

  • notify of breaches

  • avoid over-collection

Platform responsibility cannot be outsourced.

 

What to do instead

Rather than hiding behind disclaimers, modern vendors build trust by adopting strong security practices and implementing sensible consent systems. But they also need to play a role as advocate and data custodian, such as by:

  • providing clear explanations to families

  • ensuring safe deletion and data minimisation

  • being transparent about third-party sharing

  • responding quickly and openly to incidents

These behaviours outperform disclaimers every time.

 

Disclaimer

Resources by Safer Footprint contain general information only and are not a substitute for obtaining legal advice. Safer Footprint does not accept liability for any action taken based on information presented on this website or for any loss suffered as a result of reliance on this website.
