Privacy statement

This privacy statement explains how Te Rito collects, stores, uses and shares ākonga and learner information in accordance with the Privacy Act 2020

What is Te Rito?

The Te Rito platform (Te Rito) is a cloud based software service that supports the provision of quality teaching and learning for kura, schools and early childhood education providers, Kōhanga Reo and tertiary providers (education providers).

The purpose of Te Rito is to create a learner centric record and enable ākonga and learner’s information (personal or otherwise) to be available to them, and education providers, wherever the learner is on their education journey. 

Te Rito will ensure education providers are able to access the most up to date and accurate information about a learner so that they are appropriately supported from day one. Te Rito will enable this to happen regardless of what student management system (SMS) a kura/school is using. Education providers will be able to choose what learner information they enter directly into Te Rito. Education providers will also be able to choose which Te Rito functionality best suits their requirements, and learner information that is required for that functionality will be automatically sent to Te Rito from the kura or school’s SMS. 

What is the role of the Ministry of Education?

The Ministry of Education ('the Ministry') has four roles in regard to Te Rito:

  • Service provider (making Te Rito available to education providers)
  • Data consumer (Te Rito can be the source of information kura or schools send the Ministry by regulation or agreement. The purpose for collecting this data will vary per regulation or agreement, but includes supporting administrative, operational, and policy decision making, and in some cases will be used for research and analysis.)
  • Data contributor (Ministry authoritative data sources, for example education provider details, are sent to Te Rito to ensure data accuracy and appropriate separation between each education provider's data)
  • End user support (providing a 'help desk' service to end users experiencing issues.

Te Rito Kaitiakitanga1 is being established in order to be the oversight group responsible for assessing and making recommendations on the appropriate collection, storage, access, use and sharing of student data between Te Rito and other end points (eg Student Management Systems, the standardised Learning Support Register, Ministry of Education and other education agencies' systems, and other education related digital tools).

1The Te Rito Kaitiakitanga focus will be on how the education sector and it's participants can derive value from student data in order to improve students' lives, and be applied in the interests of the education sector. Transparency and legitimacy of data access and use is especially important given the convenience that a national platform brings for a number of participants. This includes:

  • Individual student-level data used by kura or schools and education sector agencies for operational and administrative purposes;
  • Aggregated and de-identified data used by kura or schools, education sector, and social sector agencies for operational and administrative purposes;
  • Aggregated and de-identified data available to the public or external organisations, eg academia.

Why does Te Rito require personal information?

To enable Te Rito to create a learner centric record of the ākonga or learner’s education journey, it requires personal information about the ākonga  or learner. 

The Education and Training Act 2020, the Privacy Act 2020, the National Administration Guidelines (NAG), and other legal instruments enable education providers to collect and use personal information about their ākonga or learners which they manage and store in their student management systems and other digital tools (eg google education, spreadsheets, etc.). It is this information that Te Rito collects and uses to create the ākonga or learner centric record.

How does Te Rito collect personal information?

  1. The personal information is sent electronically from the education provider’s student management system (SMS) directly to Te Rito on a daily basis.
  2. The personal information is entered directly into Te Rito by the education provider, or the learner themselves.
  3. The personal information is sent electronically from assessment tools used by education provider’s, including Ministry assessment tools such as e-asTTle or Te Waharoa Ararau, directly to Te Rito on a regular basis.
  4. The personal information is sent by the education provider to other Ministry systems, such as ELI or ENROL, and this information is presented in Te Rito.

What information about individuals does Te Rito collect and store?

Te Rito collects three types of information about people:

  1. Personal and personally identifiable information about learners, their whānau/caregivers and staff of education providers 
  2. Digital content created by education providers or learners including text, images audio, video, files and web links (digital content can be placed in messages, calendar events, user postings and notes)
  3. Te Rito Usage information including:
  • Service Access details: Each time a user logs in to Te Rito information is stored about that session including the time of login, the duration of the session, information about the type of computing device being used, the IP address of the computing device, and the type of browser or application software being used to access Te Rito.
  • Content Usage details: Te Rito stores information about usage of the platform including which areas of the Site users have visited and which items users have viewed, edited or deleted.
  • Cookies: A cookie is a piece of data stored on the user’s computer tied to information about the user. Te Rito uses cookies to store a secure encrypted token that is used to optimise performance and reduce the number of times a user needs to re-authenticate from the same computer. Personal information is not collected or stored in this cookie.

What personal and personally identifiable information does Te Rito collect and store?

Te Rito collects, uses and stores personal and personally identifiable information about learners, their whānau/caregivers and staff of education providers. 

Category of user Category of personal information collected

Assessment information
Biographical information
Name, National Student Number, date of birth, gender, ethnicity, iwi

Enrolment information
Education provider, student type, year level, class, curriculum

Pastoral information
Learning support information (for use in the standardised Learning Support Register)

Digital information
Photos, video footage

Usage information
IP address, pages visited, data viewed or edited


Biographical information

Name, contact details (phone number, email address), relationship to learner

Education provider staff

Biographical information
Name, contact details

Teaching information
Teaching role details


How does Te Rito keep your personal information safe?

Te Rito runs in the cloud and embraces best practices for security and privacy. The Te Rito vendor uses Microsoft as its cloud services provider and Te Rito data is stored in the Microsoft Azure data centres in Australia. Every part of Te Rito including how information is passed from other systems into Te Rito is assessed for security and privacy risks, and mitigations put in place to protect that information before ‘live’ data can be received or stored.

All Te Rito user accounts set up for a provider are done so based on information provided by the education organisation itself, or in a small number of cases by a community of education providers (eg a Learning Support Coordinator account may be set up by a Learning Support Cluster across multiple education providers). 

There is no way for a person from outside the education provider to create an account. Each account in Te Rito has a role assigned to it which limits the scope of what that user can do, and what information they can have access to. 

All data sent between Te Rito server and Te Rito client (web browser, smartphone app, tablet app), along with data sent between external data stores including student management systems, is encrypted via TLS (Transport Layer Security). This is the standard security technology used by banks, online retailers and the like, to ensure that all data remains private.

Education provider responsibilities

Education providers who choose to use Te Rito are obliged to ensure that they continue to comply with the privacy principles of the NZ Privacy Act 2020 when using Te Rito. This includes ensuring that: 

  • the data collected and stored in Te Rito by that provider (whether by sync or entered by staff) has been collected lawfully and in a privacy-centric way 
  • information is accurate and up to date
  • only those people entitled to access the information are granted that access
  • users within their organisation carry out appropriate password management and protection (eg not sharing logins) 

Ministry responsibilities

Te Rito supports data flows between many different systems. This is either:

  • to enhance the service provided (eg authoritative data sources, education agency systems for exchange of data like curriculum strands, NCEA learning standards) or
  • at the request of an education provider (eg the student management system, assessment tools or other education software)

The Ministry will ensure that any system connecting to Te Rito meets minimum security and privacy standards, and any risks identified are appropriately mitigated or managed. The Ministry will test Te Rito functionality, including that functionality designed to ensure the privacy and security of information before it is made available to education providers, and will automatically provide any necessary patches and updates to the system.

Every action a user takes in Te Rito is audited to ensure that the provider can meet its obligations under the Privacy Act 2020, particularly when an individual requests information about who has accessed or edited information about that individual from an education provider.

Access to personal information in Te Rito

The Ministry and other education sector agency staff do not have direct access to the information in Te Rito except for a limited number of staff within the Ministry Service Desk for the purposes of end user support. Te Rito is provided as a service to each education provider that chooses to use Te Rito. Each education provider’s information is kept secure and partitioned from other education provider information except where authorised by consent and supported by the appropriate privacy protocols (eg within a learning support cluster). 

Education providers determine which of its staff should have access to Te Rito, and in what role. Education providers can choose whether or not to extend access to an expert partner or external person supporting their learners (eg a Ministry regional office staff member or Learning Support provider organisation staff member) and what role that person will have in Te Rito. Education provider staff log in to Te Rito using the Education Sector Login (ESL). Delegated Authorisers within each education provider grant access to staff via ESL. This process requires evidence of identity as a security measure when granting access. 

When a learner moves from one education provider (in the compulsory sector), some learning support information is automatically passed to the next education provider to ensure continuity of service provision. This only happens for learner data in the ECE sector with parental consent.

Ministry's information technology specialist staff

A small number of authorised Ministry information technology specialist staff will have access to Te Rito for the sole purpose of providing [technical] support to education providers who are experiencing problems with the platform. These Ministry staff will only access Te Rito in response to a support request and in discussion with the education provider themselves. Authorised Ministry IT specialist staff will also receive training in privacy and on the conditions of and restrictions on their access. All access to Te Rito by Ministry IT specialist staff will be audited.

Sharing information with third parties

Te Rito does not share information (personal or otherwise) with any third party unless it is authorised or required to do so by law. 

Corefour Inc.

The Te Rito vendor (Corefour Inc.) staff have limited access to Te Rito information to provide technical support to Te Rito users (eg service desk functions).

The Ministry

Te Rito sends de-identified and aggregate information to the Ministry to enable the Ministry to enhance the delivery of Te Rito (usage information), and to support the planning and provision of resourcing (learning support information).


Te Rito does not provide any form of advertising to any Te Rito user. In addition, neither the Ministry, as a service provider, or the vendor sells any information or data about users to any outside company.

Your rights under the Privacy Act

Any individual has the right to ask for a copy of personal information held about them, to ask for it to be corrected if it is wrong, or to have a statement of correction added if there is disagreement on the accuracy of information.

Individuals (learners and whānau/caregivers) can contact their education provider to request a copy of information held by the education provider (including information held in Te Rito). Education providers can contact if they need help with extracting information from Te Rito in response to a Privacy Act request. In the rare occasion that an individual is between education providers and therefore has no education provider to ask, that individual can contact the above email address and the Ministry will ensure their request is addressed.

Staff can see the information stored about themselves via the ‘Personal Information’ menu command within the Te Rito user interface, and correct that information via either the provider’s student management system, the Education Sector Login service or the Te Rito user interface (depending on the provider’s information management policy).

Official Information Act

Te Rito information is not considered to be information ‘held’ by the Ministry for the purposes of the Official Information Act. 

In providing Te Rito the Ministry is offering a ‘safe custody of information’ service to the sector. In providing this service, the Ministry is holding that information on behalf of education providers as an agent. Section 2(1)(f) of the Official Information Act states that any information the Ministry holds as an agent is not official information under that Act. 

The effect of this is that any OIA request the Ministry receives for information held in Te Rito on behalf of a kura or school will be transferred to the appropriate kura/school or schools for a response to the requestor.

Privacy Breach Management

The Ministry will proactively notify education providers of any privacy breaches, and will support education providers to manage a privacy incident relating to Te Rito.

Education providers will proactively notify the Ministry of any actual or suspected privacy breach involving Te Rito. The notification should include mitigation strategies undertaken by the education provider to manage the breach.

For any questions about this Privacy Statement, contact