Security and Privacy

Te Rito is designed to keep personal information safe and secure while building an understanding of learners. 

It is maintained to the highest security standards.

Edsby, the vendor who owns the platform supporting Te Rito, has:

• ISO27001 Certification for their Information Security Management System.
• Safer Technologies for Schools (ST4S) badging.
• Signed the (US) Student Privacy pledge Signatories 2.0 - Pledge to Parents and Students
• Under the US-based Common Sense Privacy programme, achieved a Basic Evaluation Pass with a score of 93% for its privacy and security practices (last reviewed 2023).
• Regular security testing in place to assure learners, their whānau and schools that information is protected and only shared with authorised people. 

All data sent between Te Rito and a user or another data store (such as a Student Management System) is encrypted in transit and when stored in Te Rito.

Te Rito has completed a full Privacy Impact Assessment (PIA).

It was proactively released on 13 December 2024.

A PIA is a way for organisations to assess and address privacy risks when they’re collecting, using or sharing personal information.

Te Rito's PIA was developed in consultation with Ngā Rau Whakatupu, the Office of the Privacy Commissioner, and other Ministry teams.

You can access copies at the links below:

• For the full PIA see Te Rito Privacy Impact Assessment
• For a summary see Te Rito PIA plain language summary

Download a summary of the PIA in Te Reo Māori at the link below.

Kura, schools and the Ministry share responsibility for ensuring Te Rito’s information is protected. 

This means only authorised people are able to access it:

• People working in schools can only see information they need to do their jobs.
• Educators access Te Rito using their Ministry Education Sector Logon (ESL)
• Only Ministry people providing technical support to ensure the integrity, security and safety of the platform have access. 
• The Te Rito Data Kaitiakitanga Group oversees how Te Rito’s information is managed, and tightly controls access to data by authorised users. 
• Te Rito’s PIA outlines the approach for managing privacy risks. 

The personal information held in Te Rito is subject to the Privacy Act 2020.

This means:

• It can only be collected in Te Rito if it is for a lawful purpose connected with functions or activities that relate to education, and if the information is necessary for that purpose.
• It must be safeguarded from loss and unauthorised access, use, and modification or disclosure.
• It should only be used for the reason it was collected and it must be disposed of when it's no longer needed. 
• It should not be shared unless there is a good reason.

It also means learners and their parents or legal guardians:

• Must know about the information being collected and why it is being collected (and school communications can help with this).
• Have a right to see information about them held in school systems and correct it if it's not accurate.

See the Te Rito privacy statement and Te Rito Terms of Use for more about responsibilities when managing information.

Before connecting to Te Rito, kura and schools should review their privacy documentation to ensure they're up-to-date and fit for purpose.

They should outline the rights of learners, parents or legal guardians under the Privacy Act 2020, and copies can be requested by anyone at any time.

Privacy statements and policies should cover:

• why information is being collected
• who is going to see the information
• the legal basis for collecting information
• whether providing the information is mandatory or voluntary
• that learners, parents or guardians have the rights of access to, and correction of, their personal information.

Enrolment forms should request explicit consent to share learner information with the next kura or school. 

If it's not included on an enrolment form, the privacy statement should make it clear that one purpose for collecting learner information is to share it with the next kura or school, or through Te Rito.

Under the Education Act and other legislation, kura and schools do not need consent to use Te Rito to support learners with their education, but it is good practice to let learners, parents and whānau know what information is being collected and how it will be used.

Sharing any personal information collected requires consent. If learners or their parents and whānau do not give consent, no learning support information about the learner will appear in Te Rito (apart from demographic information which comes from the school's SMS).

Consents are also required for sharing personal learning support information across a learning support cluster.

At any stage of their education, a learner, or their parent or guardian, might want to review and consider changes to consents. This might be when they move from an early learning service to a kura or school, or between schools, and decisions about who has access to information or what should be shared needs to be updated. 

The Privacy ABCs for Schools is online training from the Office of the Privacy Commissioner. 

It's split into modules and each one takes about five minutes to complete. 

It gives practical tips for those dealing with personal information in schools and helps with understanding obligations under the Privacy Act 2020.

Access the Privacy ABCs for Schools modules