As Australia’s higher education regulator, TEQSA protects the quality and integrity of the Australian higher education sector and expects providers to manage sensitive information, such as intellectual property, research data and personal details, responsibly. This includes establishing and enacting measures to identify and manage cyber security risks.

Higher Education Standards Framework provisions

Under the Higher Education Standards Framework (Threshold Standards) 2021, providers are required to maintain their information security systems by: 

• ensuring that information systems and records are securely and confidentially maintained to prevent unauthorised or fraudulent access to private or sensitive information (standard 7.3.3(b))
• promoting and fostering a safe environment, including by advising students and staff on actions they can take to enhance safety and security online (standard 2.3.4)
• having a critical incident policy and readily accessible procedures (standard 2.3.5)
• taking preventative action to mitigate foreseeable risks to academic and research integrity (standard 5.2.2)
• exercising due diligence to identify, prevent and manage risks within a provider’s remit of operations (domain 6).

To ensure compliance with these obligations providers should:

• have measures in place to understand the nature of cyber threats faced by their institution. Senior management and the governing council need to stay abreast of existing and emerging threats to inform and support the whole-of-institution risk mitigation strategy
• ensure students and staff (including sessional staff) receive appropriate training on how to safeguard sensitive information and report concerns
• have appropriate policies to identify and address cyber security incidents and embed such policies effectively into daily operations
• be aware of cyber security threats associated with learning management systems (LMS), particularly if courses are delivered by a third-party provider
• take prompt action in accordance with their security and incident response plans, paying close attention to the wellbeing and safety of all affected parties.
   

Our resource, Australian higher education cyber security agencies and organisations, provides an overview of Australia’s cyber security bodies.

• Download the Australian higher education cyber security agencies and organisations placemat (PDF, 95 KB)

This page provides:

• key contacts for reporting cyber security incidents
• an overview of Australian higher education cyber security agencies and organisations
• information on TEQSA’s role and providers’ responsibilities, as they relate to information management and cyber security.

Reporting obligations may change over time. It is each provider’s responsibility to stay up to date on their cyber security and compliance obligations.

Institutes of Higher Education and University Colleges can also access TEQSA’s cyber security e-learning modules. These modules are designed to build knowledge and awareness of cyber security in higher education, the related risks and how to mitigate them. The modules are an adaptation of resources which were developed for Australian universities by the Department of Education. 

In response to the Royal Commission into Institutional Responses to Child Sexual Abuse, the Australian Government implemented the Commonwealth Child Safe Framework (the Framework) to ensure minimum standards for child safe behaviours and practices are in place at Commonwealth entities.

The Tertiary Education Quality Standards Agency (TEQSA) is Australia’s independent national quality assurance and regulatory agency for higher education. Our purpose is to safeguard student interests and the reputation of Australia’s higher education sector by assuring the quality of higher education providers through a proportionate, risk-reflective approach to regulation.

Although TEQSA’s business activities do not directly involve interaction with children, our agency remains proactive in identifying and mitigating any potential risks associated with its operations, roles or business interactions. We are committed to fostering a culture of awareness, accountability, and continuous improvement in child safety. TEQSA does not fund third-party providers to deliver services to children.

TEQSA is compliant with the Framework’s four key requirements. The agency maintains a position of zero tolerance for child abuse, neglect, and exploitation. TEQSA evaluates risks to child safety in relation to its activities and operations and monitors the effectiveness of strategies implemented in managing identified risks.

In 2025, TEQSA conducted its annual child safety risk assessment. The assessment found no material changes to the agency’s overall risk profile compared to 2024. However, the assessment identified further opportunities to strengthen existing controls and processes. The identified risks are rated as minor, and controls remain effective and proportionate to the nature of TEQSA’s activities.

TEQSA has reviewed its Child Safety Policy and will continue to regularly review the policy to ensure the agency remains aligned with current best practice child safety measures. TEQSA incorporates the National Principles for Child Safe Organisations into its culture and practices where these apply.

TEQSA continues to embed the Framework and National Principles into its culture and practices by:

• incorporating the Framework into its mandatory annual training performance development processes
• building staff capability through online training modules and awareness initiatives
• reviewing roles during recruitment activities to determine whether they involve potential interactions with children and, if so, classifying them as child safe positions
• maintaining a comprehensive register of child-safe positions and Working with Children Checks (WWCC).

TEQSA will continue to monitor its risk environment, strengthen its child safety governance, and promote a culture of shared responsibility to ensure the highest standards are upheld across all areas of the agency’s work.