Keeping Te Rito's information safe and secure
Te Rito is designed to keep personal information safe and secure while building an understanding of learners.
It is maintained to the highest security standards.
Edsby, the vendor who owns the platform supporting Te Rito, has:
- ISO27001 Certification for their Information Security Management System.
- Safer Technologies for Schools (ST4S) badging.
- Under the US-based Common Sense Privacy programme, achieved a Basic Evaluation Pass with a score of 93% for its privacy and security practices (last reviewed 2023).
- Regular security testing in place to assure learners, their whānau and schools that information is protected and only shared with authorised people.
All data sent between Te Rito and a user or another data store (such as a Student Management System) is encrypted in transit and when stored in Te Rito.
Te Rito's Privacy Impact Assessment (PIA)
Te Rito has completed a full Privacy Impact Assessment (PIA).
It was proactively released on 13 December 2024.
A PIA is a way for organisations to assess and address privacy risks when they’re collecting, using or sharing personal information.
Te Rito's PIA outlines the approach for managing privacy risks and it was developed in consultation with Ngā Rau Whakatupu, the Office of the Privacy Commissioner, and other Ministry teams.
You can access copies at the links below:
- For the full PIA see Te Rito Privacy Impact Assessment
- For a summary see Te Rito PIA plain language summary
Download a summary of the PIA in Te Reo Māori at the link below.
Managing Te Rito's information
Kura, schools and the Ministry share responsibility for protecting Te Rito’s information.
The Te Rito privacy statement and Te Rito Terms of Use provide more on managing Te Rito's information.
Below are key considerations and responsibilities for kura and schools.
Requirements under the Privacy Act
The personal information held in Te Rito is subject to the Privacy Act 2020.
- It can only be collected if it is necessary for a lawful purpose related to education functions or activities.
- It must be protected from loss and unauthorised access, use, and modification or disclosure.
- It should only be used for the reason it was collected and must be disposed of when it's no longer needed.
- It should not be shared unless there is a good reason.
Learners and their parents or legal guardians have a right to:
- Know what information is being collected about them and why.
- See information about them held in school systems (including Te Rito).
- Have it corrected it if it's not accurate.
The following are considerations for kura and schools when developing processes for managing information under requirements of the Privacy Act.
Access to Te Rito's information
Only authorised people can access Te Rito's information.
- Educators use their Ministry Education Sector Logon (ESL) and can only see information they need to do their jobs.
- Only Ministry technical support staff have access to ensure the platform's integrity and security.
- Te Rito's Data Kaitiakitanga Group oversees management of Te Rito’s information including access to it.
Consent to collect and use information held in Te Rito
Kura and schools don't need consent under the Education Act or other legislation to use Te Rito, but:
- It's good practice to let your communities know what information is being collected and how it will be used.
- Consent is required for sharing personal information in Te Rito and enrolment forms or privacy statements are the most common way to do this.
Schools' privacy statements, enrolment forms and policies
Kura and schools should regularly review their privacy documentation to ensure it's up-to-date and fit for purpose.
Learners, parents and legal guardians' rights under the Privacy Act 2020 should be included, and:
- Why information is being collected
- Who will see it
- The legal basis for collecting it
- Whether providing it is mandatory or voluntary
- Rights to access it
- Rights to correct it
Kura and schools should ensure:
- Enrolment forms request consent to share learner information with learners' next kura or school; and
- Privacy statements state one purpose for collecting learner information is to share it with the next kura or school, or through Te Rito.
Privacy skills and training
The Privacy ABCs for Schools is online training from the Office of the Privacy Commissioner.
It's split into modules and each one takes about five minutes to complete.
It gives practical tips for dealing with personal information in schools and helps with understanding obligations under the Privacy Act 2020.