Should EdTech staff have Working With Children checks? A practical framework for vendors

Resources for Vendors
Written By Niels Wouters

EdTech companies increasingly hold some of the most sensitive information in the education system: photos of young children, identity documents, developmental notes, health updates and day-to-day behavioural information. In many cases, your staff have more visibility into a child’s digital life than the educators who care for them.

That raises an important question that the sector is only just beginning to confront: should vendor staff with access to children’s data be required to hold Working With Children Checks (WWCCs)? Here’s a simple, modern way for vendors to think about it.

 

Why WWCCs matter in EdTech

In physical environments (childcare centres, schools, OSHC) a Working With Children Check is compulsory for anyone who might interact with children, whether directly or indirectly. But we like to think that in digital environments, the principle is the same: if staff can view, retrieve, analyse or handle information about children, that access carries responsibility.

When your engineers, support staff or analysts can see children’s photos, learning stories, identity documents, behavioural logs, incident reports, medical notes, they are effectively in a “child-contact” role, just in a digital space rather than a physical one.

A WWCC is not a silver bullet, but it signals a baseline commitment to child safety, and aligns your organisation with the National Principles for Child Safe Organisations.

 

A simple framework for vendors

You don’t need to require WWCCs for every employee. Instead, apply a tiered model:

Tier 1: No access to child data → No WWCC needed. Designers, marketers or admin staff who cannot access production systems or identifiable data.

Tier 2: Occasional, supervised or time-limited access → Strongly consider WWCC. Developers, QA testers or product managers who sometimes work with real data or support escalations.

Tier 3: Regular or high-privilege access → WWCC should be mandatory. Customer support teams, engineers with production access, operations and security staff, data analysts, and anyone who may handle identity or media data directly.

This approach keeps the burden manageable while respecting the importance of child safety.

 

Good access control goes beyond checks

If staff can access children’s data, WWCCs should be one part of a broader safety model. But they’re not the end all and be all. We recommend vendors to also consider:

  • Implementing detailed logging of who accesses which records, when, and for what purpose.

  • Reviewing access logs regularly, not only when something goes wrong.

  • Ensuring staff access is purpose-bound, not open-ended “just in case” visibility.

  • Removing old access privileges immediately when roles change.

  • Conducting periodic internal audits to identify unnecessary entitlements.

This transforms your platform from “trust us” to “verify everything.” It also helps detect patterns or misuse early, which is essential in any child-facing environment.

 

The benefits to vendors

Vendors who take data access privileges seriously reduce risk and gain market advantage.

Childcare centres and schools increasingly ask questions about data governance, staff access policies and safeguards. A clear stance on WWCCs and access logging is an indicator of maturity, responsibility and alignment with child-safe standards. It differentiates your product in a crowded market where trust is becoming a competitive edge.

Niels Wouters
Previous

No, you can’t contract your way out of the Privacy Act
Next

What strong vendor response looks like: Getting privacy, consent and data management right