10 Steps to Ensure Compliance with the New Privacy Laws

12/02/14
With less than four weeks to go before the new Privacy Laws commence on 12 March 2014, we thought it would be a good time to publish a step-by-step guide to privacy compliance.

By CompliSpace Managing Director David Griffiths

Step 1 – Appoint a Privacy Officer

This may seem like a strange first step; however, it is critical that at least one person within your school has a good understanding of the new privacy laws and takes the lead in ensuring that your school is compliant. This will not be a dedicated position, but you will need someone who knows what they are doing to be responsible for dealing with any privacy enquiries your school receives.

Step 2 - Fast track your school’s privacy knowledge

Doing the rounds, it is clear that at some schools awareness of the new Privacy Laws is very low. A month out from the commencement of the new laws, it is important that all members of your school’s executive team are briefed on the nature of the upcoming changes, and that you develop a strategy to ensure that all staff within the school are familiar with the changes before they commence.

Step 3 – Document your school’s Privacy Program

One of the most significant changes under the new legislation is the requirement for schools to adopt a “privacy by design” approach, which involves developing internal practices, procedures and systems that ensure you comply with the 13 Australian Privacy Principles (APPs). A Privacy Program (as distinct from a Privacy Policy referred to in Step 5) sets out the why’s (why do you need to comply), the what’s (what do we have to do), the how’s (how we comply with each of the 13 APPs), the who’s (who is responsible for particular parts of privacy compliance) and the when’s (when and at what frequency do things need to be done). The initial draft of your Privacy Program will serve as a “gap analysis” that will assist you to identify what (if any) changes you will need to make to your current organisational governance infrastructure.

Step 4 – Conduct a Personal Information Audit

The new privacy laws are all about how you manage the personal information of individuals within your school. Undertaking a comprehensive audit of the personal information you collect is vital to enable you to clearly identify: which entities within your school are related for the purposes of the Corporations Act*; who you collect personal information from; what types of personal information you collect; how you collect it; where you store it (including identifying all “cloud services” your school uses); what security arrangements you have in place to protect it; whether you disclose personal information to overseas recipients; what systems and procedures you have in place to ensure the information is current; and how you enable individuals to access their information, correct their information and make enquiries or complaints.

*Related Entities: Identifying related entities determines which entities within your school community will need to have their own privacy program and which entities can share information. If your school’s alumni association or foundation are separate legal entities that are not related for the purposes of the Corporations Act, they will also need to implement a privacy program.

Step 5 – Create an initial draft of your school’s Privacy Policy

The new laws require you to publish a Privacy Policy, which is a short-form disclosure document that details how your school complies with the requirements of the Privacy Act and the 13 APPs. This is not a document that can simply be copied from a precedent, as it needs to be drafted with regard to the findings of your Personal Information Audit (Step 4). In this step we recommend that you create an initial draft of this document, as it will assist you to focus on the key issues you will need to address.

One of the biggest myths with respect to privacy is that all you need to do is publish a privacy policy on your website. Nothing could be further from the truth. In fact, schools that simply copy another school’s privacy policy and publish it without having the underlying internal practices, procedures and systems that ensure they comply with the 13 Australian Privacy Principles (APPs) are putting themselves at considerable risk.

Step 6 – Close the gaps

Steps 1–5 will serve to focus your school on what you need to do to comply with the 13 APPs, and more likely than not, these steps will highlight some areas where your school has compliance gaps in its internal practices, procedures and systems. In this step you will need to work to close these gaps one by one.

Step 7 – Review your complaints handling procedures

Whilst all schools are required to have complaints handling systems in place as part of their registration requirements, it is well known that this is a governance discipline with which many schools struggle. A central compliance obligation under the APPs is that a school must advise individuals, via its Privacy Policy, about how they can complain, and of course it must also have practices, systems and procedures in place to manage complaints as they arise. It is recommended that all schools carefully review their complaints handling systems prior to the commencement of the new privacy laws on 12 March 2014.

Step 8 – Train your staff

Ultimately it will be the front-line staff within your school who will need to ensure that they conduct their work in compliance with the school’s privacy obligations. All staff will need to know how they can use and disclose personal information, when it is necessary to obtain privacy consents, and how to manage a privacy query or complaint. The importance of maintaining password and document security will need to be emphasised and enforced through plain-English human resources policies. Technology staff will need to ensure the security of databases and physical security arrangements (including actually locking filing cabinets), which will need to be regularly reviewed.

Protecting personal information ultimately comes down to managing human behaviour. In this context, if you don’t train your staff you cannot realistically expect to comply.

Step 9 – Publish your Privacy Policy

We recommend that prior to 12 March 2014, you not only publish your new Privacy Policy (refer to Step 5) on your public website, but that you also email current parents and others (including alumni) to bring the policy to their attention. If you do not publish a new compliant Privacy Policy (and retain your old format privacy statement) you will essentially be screaming to the world that you are not compliant with the new privacy laws. The risk of significant reputational damage is obvious.

Step 10 – Monitor and review

The management of personal information within your school requires individual staff members to take actions on a daily basis. Privacy compliance is not a set-and-forget exercise. On the contrary, it requires constant monitoring and regular reviews. Schools that have implemented a robust compliance program, through which tasks are allocated to responsible individuals and monitored on a regular basis, will be ideally placed to ensure ongoing compliance with their privacy obligations. For the 68% of schools that indicated in the recent schoolgovernance.net.au poll that they do not have a documented compliance program in place, now might be a good time to review your overall governance infrastructure.

The author of this article, CompliSpace Managing Director David Griffiths, will host a webinar on what the new Privacy Laws mean for independent schools on Friday February 14. Registrations for the webinar are still open.
