The laws, the policies, the consent forms, and the process. How our children's photos end up on public Facebook pages, and why the current system was never designed for AI.
Multiple layers of Australian law and policy govern how schools collect and publish children's images. The gaps between them are where the problem lives.
Under the Privacy Act, a photograph of an identifiable person is personal information. The OAIC guidance is clear: organisations should use "particular care in the handling the images and other personal information of children" and seek "express consent after telling them, in as much detail as possible, about what their picture will be used for and who will be able to see it."
The federal Privacy Act applies to private schools, but NSW government schools are not directly covered by it. They fall under NSW state privacy law instead.
NSW government schools are covered by the Privacy and Personal Information Protection Act 1998 (PPIP Act), the state equivalent of the federal Privacy Act. It sets out Information Protection Principles covering collection, use, accuracy, security, and disclosure of personal information.
Posting a child's photo on a public Facebook Page is a disclosure to the entire internet. The PPIP Act requires that disclosure be lawful, for a purpose the information was collected for, and with appropriate consent.
The Online Safety Act gives the eSafety Commissioner authority over cyberbullying, image-based abuse, and illegal content. Its Basic Online Safety Expectations (strengthened by the 2024 Amendment Determination) require platforms to take reasonable steps to ensure "the best interests of the child are a primary consideration in the design and operation of any service that is likely to be accessed by children."
The Online Safety Amendment (Social Media Minimum Age) Act 2024 requires platforms to prevent under-16s from holding accounts, effective December 2025. It does not address adults posting children's images.
The OAIC is developing a Children's Online Privacy Code, mandated by the Privacy and Other Legislation Amendment Act 2024. The Code must be registered by 10 December 2026. The exposure draft was released in March 2026, with public consultation open until 5 June 2026.
The draft Code would require children's best interests as a primary consideration, consent before using children's personal information, the right to request deletion, and coverage beyond social media to include educational tools and apps. Parents have already raised concerns about school platforms that store children's photos linked to their names, ages, and school details.
The NSW DoE Social Media Policy (PD-2011-0418, last updated April 2026) has detailed procedures for how schools use social media. This is the policy that directly governs how children's photos end up on Facebook.
The DoE procedures state that school social media accounts "must not restrict access or be set as 'private' or 'closed.'" Schools are not just choosing to post publicly. They are required by Department policy to keep accounts open to the entire internet. A school that wanted to protect its students by switching to a private Group would be acting against DoE procedures.
The stated rationale: "the main purpose for using a public platform is to reach a broader audience and build a stronger community." This policy contains no mention of AI, scraping, or automated data collection. It was written before Meta admitted to scraping public posts for AI training, before Clearview AI breached the Privacy Act, and before deepfakes of Australian schoolgirls made national news.
For contrast: Victoria's Department of Education encourages schools to "restrict public access to student content to mitigate privacy and safety risks." NSW requires the opposite.
Student images can only be posted if the school holds a signed Permission to Publish form identifying the specific platforms. Schools must not tag photos of children or name them without specific permission. Even if a student is not identifiable, images that include a student must not be used without consent.
Staff cannot share any student information or images on personal social media, even if the student is not identifiable. A teacher posting a class photo to their personal Facebook would breach policy. The school posting the same photo to its official public Facebook Page, visible to the entire internet, is standard practice.
The full analysis of the consent form is on the No Consent page. Here's how the process works in practice.
The consent form includes this notice:
"Parents should be aware that when information is published on public websites and social media channels, it can be discoverable online for a number of years, if not permanently. Search engines may also cache or retain copies of published information. Published information can also be linked to by third parties." NSW Department of Education, General Permission to Publish form
This warning talks about discoverability and caching. It says nothing about AI training, facial recognition scraping, or inclusion in training datasets. That's not because the Department was being deceptive. It's because these risks did not exist in their current form when the policy was written.
The DoE distinguishes between general permission (the form above) and specific permission for posts that focus on one or a few students, or relate to topical or public debate issues. Specific consent requires a detailed privacy notice covering purpose, recipients, storage, and contact details. In practice, most school Facebook posts fall under the general permission form.
In most NSW public schools, photos are taken by teachers, admin staff, and principals using school or personal devices. The DoE has a specific rule about personal devices: "If a personal device is used the photographs should be uploaded to a school device and deleted from the personal device as soon as reasonably practicable. That deletion must include any cloud backups."
Account administrators post to the school's Facebook Page. In practice, posting often falls to whoever has the login. Content is moderated during school hours only (9am to 3pm weekdays, excluding public holidays). Comments from the public outside those hours go unmoderated until the next school day.
The DoE privacy guidelines state that when consent is absent, "all information regarding the identity of the student needs to be removed" through cropping, blurring, blocking, or pixelation. At a busy school event with group photos, this is difficult to enforce perfectly.
Every element of this system was designed in good faith. The laws, the policies, the consent forms, the processes. They were built for a world where posting a photo on Facebook meant sharing it with a community. Nobody anticipated that "sharing" would mean:
The system hasn't failed. It just hasn't caught up with what "public" means in 2026.
The Children's Online Privacy Code (due December 2026) may begin to close the gap. But the NSW DoE social media policy can be updated now. Schools and P&Cs do not need to wait for federal legislation to start the conversation about what "public" should mean in the age of AI.
| Law / Policy | What it covers | What it misses |
|---|---|---|
| Privacy Act 1988 (Federal) | Photos are personal information. Children need special care. Consent required for sensitive info. | Does not directly cover NSW government schools. No mention of AI training or scraping. |
| PPIP Act 1998 (NSW) | Covers NSW public schools. Sets information protection principles for collection, use, disclosure. | No specific guidance on social media posting. No mention of AI or automated data collection. |
| Online Safety Act 2021 | Platform accountability. Image-based abuse. Best interests of the child in platform design. | Focused on platform obligations, not school obligations. Does not address school-posted content. |
| Under-16 ban (Dec 2025) | Platforms must prevent under-16s from having accounts. | Does not address adults posting children's images. Schools are not covered. |
| NSW DoE Social Media Policy | Consent required for student images. Principal oversight. Moderation during school hours. | Requires accounts to be public. No AI/scraping disclosure. Binary consent form. No annual renewal required. |
| Children's Privacy Code (due Dec 2026) | New standards for children's personal information online. Broader than social media. Right to deletion. | Not yet in effect. Exposure draft under consultation until June 2026. |