Issues such as compliance, safety in the curriculum, duty of care and bullying.

Do you need to comply?

Yes, under the Education and Training Reform Act 2006 (Vic) and the Education and Training Reform Regulations 2017 (Vic).

Conditions of compliance

It is a requirement of The Victorian Registration and Qualifications Authority (VRQA) that schools have policies and procedures in place in relation to student bullying. These regulations stem from the Education & Training Reform Act 2006 (Vic).

Schools have a responsibility to provide a safe and supportive environment for all their students where the risk of harm is minimised. Cybersafety needs to be addressed as part of a planned whole school approach which is integrated into all student wellbeing policies.

If you have to comply, what do you have to do?
  1. Establish a cybersafety team.
  2. Establish a cybersafety contact person
  3.  Develop appropriate policies and procedures which include:
    • Explicit guidelines for acceptable and appropriate online behaviour
    • Expectations of students online and clear consequences for engaging in hostile behaviour online
    • Methods for redressing inappropriate behaviour
    • ‘Bystander’ reporting rules
    • A clear and explicit process for investigating complaints and the follow up support and protection of the reporter.
    • NB: These policies should be extended beyond school based online behaviour to behaviour that occurs outside of school hours or the school grounds that involves or impacts on students from the school
  4. Educate students
    • Understanding cyberbullying
    • Digital Media Literacy
    • Positive online behaviour
    • Peer and personal safety
    • Security
  5. Educate parents
    • Parent information sessions
    • Parent awareness raising and skill building training
    • Newsletter items outlining the schools’ cybersafety policy and procedures.
  6. Educate staff
    • Professional development training
    • Student Technology Audit
    • Lesson plans
    • Legal obligations to minimise and address risks – ‘Duty of Care’.


Student privacy

The eSafety Commissioner, Julie Inman Grant, has written to all state and territory education departments highlighting security and privacy concerns regarding the naming conventions of student email addresses and the ability to validate these through the Google Education Suite.

The eSafety Commissioner has advised ISV that it recommends that:  ‘ICT policies implemented by schools should ensure, in the interest of safeguarding students online, that products and services provided to students should comply with the highest safety, privacy and security standards’.

Schools should work to achieve three main objectives:

  • ‘protecting students against unauthorised access
  • protecting students from having their personally identifiable information collected
  • promoting responsible use of the technology, including safe email practices.’


The Office of the eSafety Commissioner suggests that ‘user names that are easy to guess, along with their associated email addresses,’ could be ‘a security risk’. ‘Schools should consider whether it is necessary to use the firstname.lastname format, or whether another identifier could be used instead. For example, the email address might be composed of a student number, a difficult to guess combination of partial name elements, or a blend of both’.

The eSafety Commissioner acknowledges that the current naming convention ‘does make it easier for younger students to remember their email addresses, which is especially useful if the addresses are also used for single sign-on authentication to school platforms’.

The optimal solution for schools in our sector will be a balance of these various considerations.

What are the consequences if you don’t comply?

You may be in breach of requirements of the Act. You may be compromising the wellbeing of your students.

ISV contacts

Elspeth Adamson
Manager, Student Services
Ph. 9825 7204

Links, resources and downloads