top of page
Search

Heads Up: How Australia's privacy reforms could impact your LMS

  • Writer: TCA
    TCA
  • Sep 3
  • 4 min read

Updated: Sep 4

Australia has strengthened privacy protections, with key changes already in force and more coming. If your organisation has a Learning Management System (LMS), these changes may impact how you use your system, what you need to communicate with your learners and which LMS you choose.


ree

We’re here for changes that keep information safe

We’re always behind changes that keep private information safe and secure, so now is a good time to review platform settings, vendor contracts and privacy notices.

This post shares helpful general information. It’s not legal or technical advice. For specific obligations, seek legal counsel and talk to your IT teams.

What’s changed or changing?

Stronger security is now expected

The law expects sensible, proven steps to protect learner data. That includes things like two-step sign-in for admins, only the right people changing settings, encrypted data, and safe removal of old information. Keep a note that shows what is in place.

Clearer rules for data stored overseas are coming

Government can now set clearer rules for data held or accessed outside Australia. Until those rules are finalised, know where your LMS data lives (where the servers are located) and who can see it.

Faster, clearer breach responses

There are new tools to help reduce harm after major incidents. Have a simple plan that says who leads, how you will tell people, and what your vendor must provide so you can act quickly and confidently.

Extra care for learners under 18

A Children’s Online Privacy Code is being developed. If any learners are under 18, set high privacy by default, collect the minimum information, and use clear, age-appropriate wording.

Transparency about automated decisions

From 10 December 2026, your privacy notice must explain any automated rules that could significantly affect learners and the kinds of information they use. This can include AI tools, automatic enrolment, progression rules, or exam proctoring flags. Start preparing simple explanations now.

Here are some questions to ask to get you started

This isn’t an exhaustive list, but it’s a useful start...

Who can get into our LMS and make changes?

  • Who has permission to change settings in the LMS, and why do they need it?

  • When someone changes role or leaves, how quickly is their access removed?

  • Do admins use a second step to sign in (MFA, multi-factor authentication)?

  • What’s the easiest way to keep the admin list small and up to date?

  • Can the system send alerts when new admin access is given?

Where does our learner data live?

  • Where is our LMS data stored right now (where are the servers located)? Is Australia an option and are we using it?

  • Do we have a simple map or list of all locations and companies that handle our data?

  • Are there any other tools that touch learner data, like reporting dashboards or helpdesk tickets?

  • Do any support teams outside Australia see our data?

If something goes wrong, who does what?

  • In the first hour of a suspected incident, who leads, who decides and who informs leaders?

  • Do we have short message templates ready if we need to notify people?

  • When did we last run a short practice, and what did we improve?

Are our privacy notices clear for learners?

  • What information do we collect in the LMS, and why?

  • Where is it stored, who supports it, and how long do we keep it?

  • How can a learner see, correct or delete their information?

  • Have we described any automated rules in plain language on our privacy page?

Could under-18s use our LMS?

  • Do we have any learners under 18 now or do we plan to, such as apprentices or work experience?

  • Can we set high-privacy defaults for minors, with minimal data collected?

  • Do we have plain-English examples we can use for teen-friendly and parent-friendly wording?

Are we being transparent about automated decisions?

  • Do we use any AI functions or automated rules that could affect a learner, like auto-enrolment or marking progress, and have we explained this clearly to learners?


Are we keeping only the data we need?

  • Do we have time limits for keeping reports, logs and exports?

  • What built-in tools help us set retention rules and clean up old data?

 

How we can help?

We’re capability and learning specialists. We work alongside you to:

  • Take a strategic capability lens that links your LMS and learning approach to workforce outcomes, governance and the skills your people need.

  • Manage implementation projects and coordinate your internal stakeholders and vendors.

  • Make the complex simple for learners with plain-English reference guides, change support and training.

  • Deliver Managed Learning Services for ongoing help to align capability, design programs and provide practical administrative know-how.

👉 Need a hand? Get in touch to book an LMS review and health check.

If you like reading, here's some more info!

Johnson Winter Slattery. (2025, January 14). Practical implications of the new transparency requirements for automated decision making. https://jws.com.au/what-we-think/practical-implications-of-new-transparency-requirements-for-automated-decision-making/

Norton Rose Fulbright. (2024, December). Australian privacy alert: Parliament passes major and meaningful privacy law reform. https://www.nortonrosefulbright.com/en/knowledge/publications/be98b0ff/australian-privacy-alert-parliament-passes-major-and-meaningful-privacy-law-reform

Office of the Australian Information Commissioner. (2022, December). Australian Privacy Principles guidelines. https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines

Office of the Australian Information Commissioner. (2024, November 29). Passing of bill a significant step for Australia’s privacy law [Media release]. https://www.oaic.gov.au/news/media-centre/pasing-of-bill-a-significant-step-for-australias-privacy-law

Office of the Australian Information Commissioner. (2025, August 5). Children’s Online Privacy Code. https://www.oaic.gov.au/privacy/privacy-registers/privacy-codes/childrens-online-privacy-code

 

MEET US

Level 3

9 The Esplanade

Perth / Boorloo

Western Australia

TCA Icon TP.png
FOLLOW US
  • LinkedIn

© 2024 The Capability Alliance Pty Ltd

Read our Privacy Policy

The Capability Alliance acknowledge this land that we live and work on as the traditional lands of the Whadjuk people, who are the Traditional Owners of the greater Walyalup area and we honour and respect their Elders, past and present. We celebrate the stories, cultures and traditions of all Aboriginal and Torres Strait Islander people.

bottom of page