
10 Privacy Risks School Principals Should Know About

19/02/14

With the new Privacy Laws due to commence in three weeks, we thought it would be timely to highlight the key risks that schools face if they do not ensure compliance. So here we go in no particular order:

1. Knowledgeable parents

Do you have any parents at your school who work in IT, hold senior executive positions, are lawyers, or are simply cautious about the security of their personal information? A recent survey by the Office of the Australian Information Commissioner found that 90% of people are concerned about cross-border disclosure of their personal information and that 60% had decided not to deal with an organisation because of privacy concerns (up from 40% in 2007). Chances are, then, that your school community will be watching how you respond to the new privacy laws, and a visible failure to comply is likely to cause reputational damage.

2. Cloud service providers

If your school uses hosted email or any social media platform, you are already dealing with the cloud. In fact, just about everything we do these days (think Google, Facebook, iTunes) involves some form of interaction with the cloud. The new privacy laws don't mean that you should stop dealing with cloud providers, and they don't suddenly make all cloud providers evil. They simply mean that your school will need to understand exactly when it is using cloud services, whether those services store personal information collected by your school, where that information is stored (especially if it is stored overseas), and what arrangements the provider has in place for the security of the information and for compliance with the privacy laws. You cannot answer those questions if nobody has compiled a list of the cloud services the school actually uses, so that inventory is the place to start.

3. Not publishing a new Privacy Policy

The most obvious indicator that a school is not compliant with the new privacy laws will be if it fails to publish a Privacy Policy in the new form before 12 March 2014. Remember, your school community will be watching you.

4. Publishing a new Privacy Policy

Nearly as risky as not publishing a new Privacy Policy is copying a privacy policy from another organisation and publishing it when the school has not actually implemented the practices, procedures and systems needed to comply with each of the 13 APPs (Australian Privacy Principles). Publishing a policy that describes practices the school does not follow falls squarely into the category of "misleading and deceptive conduct".

5. Not having a compliance program in place

Even though we are not ranking these risks, if we were, this would probably be ranked No. 1. Why? Because privacy compliance is not a set-and-forget exercise. On the contrary, it requires constant monitoring and regular review. Without a compliance program in place that records whether each key compliance activity has actually been completed, how can your school's board of governors, or its senior executive team, be assured that the school is complying with its privacy obligations?

6. Not appointing a Privacy Officer

Overkill, we hear you say! Surely we don't need a Privacy Officer. What's next, a Chief Policy Officer? The risk here is that no one in the school has a good working knowledge of the new privacy laws, which in turn means the school will not realistically be in a position to comply with its privacy obligations. Perhaps most importantly, without a Privacy Officer, how is the school going to respond appropriately to privacy questions and complaints? Running to your local solicitor will not only be an extremely expensive exercise; the likelihood is that they will simply advise you that you need to implement a privacy program and appoint a Privacy Officer. The world of non-compliance is circular. It is best to be proactive and appoint the Privacy Officer now, so you don't have to pay your solicitor for advice you don't actually need.

7. Not understanding the related entities rule

Under the new privacy laws, a school can share personal information freely only with a "related entity" (refer to the Corporations Act definition of a related body corporate). Given that parent associations, alumni associations and school foundations are often separate legal entities rather than related bodies corporate, they may need their own privacy programs, and if your school wants to share personal information with them it may need to obtain consent from the individuals concerned.

8. Poor information security

So you think your IT security is top notch. Only last week you survived a DDoS (Distributed Denial of Service) attack. What more could happen? Let's think a little more laterally. Who has access to your administrator passwords? How many people know where the keys to the lockable filing cabinets are kept? When did you last check that the cabinets are actually locked? Does Jane take student work home and mark it on the train? Are staff accessing personal information collected by the school on their personal mobile devices? Information security involves a lot more than IT. It involves human behaviour and creating a culture in which your staff understand their privacy obligations and take them seriously.

9. Not training your staff

This risk is stating the obvious. How can your staff understand their privacy obligations and respond appropriately if they have never received any training? Training is the key to creating a culture in which personal information management is taken seriously. If you are not training your staff, you are relying on "good luck" rather than "good management" to manage your privacy risks.

10. Not understanding your privacy risks

If you "don't know what you don't know", life can be quite a breeze, until the day the thing you didn't know about actually happens. At that point (especially if you are a Principal or a Business Manager), the fact that you didn't know, when you should have known, becomes the focus for other people (sometimes board members who probably didn't know either but, with the benefit of hindsight, know now), and unspeakable substances hit the fan. That is when you will hopefully be glad that you read and acted upon our recent article, 10 Steps to Ensure Compliance with the New Privacy Laws.

About the Author

CompliSpace

CompliSpace is Ideagen’s SaaS-enabled solution that helps organisations in highly-regulated industries meet their governance, risk, compliance and policy management obligations.
