Independent schools not ready for new Privacy Laws

More than 80% of those who responded to a poll on the School Governance website have admitted they are not prepared for the new Privacy Laws that will commence on March 12, 2014.

The poll provides more anecdotal evidence that the clear majority of non-government schools across Australia could have a busy four months ahead preparing for the new laws.

Under the new laws, organisations are required to have a lot more than just an updated Privacy policy in order to ensure they comply.

Non-government schools that handle “personal information” or “sensitive information” (which includes health information), or that have an annual turnover of more than $3 million, will need to have – and be able to show that they have – rigorous procedures and systems in place to manage the way they record, store, use and share personal information.

Your school might well be asking itself where it should start in ensuring compliance with the new Laws that will include a new set of Australian Privacy Principles (APPs).

The first step any school should take is to conduct an audit of the existing procedures it has in place to handle personal information – and assess whether it is compliant with the 13 new APPs.

Even if your current procedures comply with the current Privacy Laws, take note that the new Laws will be accompanied by harsher penalties, including civil penalties of up to $1.7 million for organisations that commit serious or repeated interferences with privacy. The Privacy Commissioner will also have the power to undertake “performance assessments” of organisations.

By reviewing your current procedures, you may identify gaps that require only an enhancement or update to your existing processes and policies. More likely, your school will need to develop completely new processes for how it collects, stores and handles personal information on an ongoing basis.

Some of the new APPs are the same as the current National Privacy Principles (NPPs) that apply to businesses. But there are updates to some Principles (and some completely new Principles) that will most likely require most schools to rethink entirely how they manage and document personal information.

APP 1 provides an overview on the extent to which a school will need to update its practices and procedures. Aside from having a clearly expressed Privacy policy, APP 1 requires organisations to take a “proactive approach to informing individuals about how their personal information will be handled”.

In other words, schools need to have procedures in place that enable them to know where and when specific personal information is collected, stored, used and with whom it is shared.

One way to assess how your current system measures up is to audit all of the personal information you currently hold. For instance, your bursar’s office may have a parent’s bank account number, while one of your sports teams may have their child’s email address. You then need to establish where all of this information is stored (i.e. is it in a filing cabinet, on a personal computer, or on a cloud-based server?) and who has access to it.

There are a multitude of issues your school will need to consider in order to develop a set of procedures that comply with the new laws.

Here are just some – and not all – the things you will need to consider.

Does your school know how it originally collected the various pieces of personal information it has on hand?

If not, you will need to establish a system and set of procedures that allow you to record the place, time and circumstances in which you collect every piece of personal information, whether it is an email address or more sensitive data such as health information.

The new Privacy Laws (APP 2) will require organisations to give individuals the option of not identifying themselves, or of using a pseudonym, when dealing with the organisation, unless it is impracticable to do so or the organisation is required or authorised by law to deal with identified individuals. Does your school currently have systems in place to address this?

One of the most significant changes under the new Laws is APP 8, which relates to the disclosure of personal information to overseas recipients. Before disclosing personal information overseas, an entity must take reasonable steps to ensure the recipient does not breach the APPs, and the entity is then accountable for any breach of the APPs by that overseas recipient. In the case of a school, this could relate to personal information stored by a third-party cloud computing service whose servers are located outside Australia, or to an IT or financial management system that holds personal information and is hosted offshore.

A school is relieved of this accountability for offshore recipients only in limited circumstances. The main ones are where the school reasonably believes the recipient is bound by a law or binding scheme that protects the information in a way substantially similar to the APPs and that the individual can enforce, or where the school obtains the individual’s informed consent after expressly telling them that the school will not be accountable under the APPs if the overseas recipient mishandles the information. In the latter case, that means telling parents that the personal information they provide may not be protected by Australian Privacy Laws. Not exactly the best message to be sending out to the parents of students about whom you hold personal information.

The new Laws (APP 11) will require non-government schools to take reasonable steps to destroy or de-identify personal information that is no longer needed for any purpose for which it may be used or disclosed under the APPs, unless the school is required by law to retain it. What does your school do with the personal information of former students and unsuccessful job applicants?

Once your school has put the right systems and procedures in place, it will also need to ensure that all staff who collect, store and handle personal information receive proper training so that they comply with the new Laws in practice.

In the coming weeks, School Governance will publish a Briefing Paper on Privacy for non-government school boards and executives. We will also commission a webinar that will delve into these issues.