Privacy Commissioner Awards Damages

22/05/14

A recent decision by the Privacy Commissioner to award compensation of $8,500 to a Virgin Australia airline passenger, for damage suffered through the collection and disclosure of his personal medical information by a Virgin sub-contractor, is a timely reminder that privacy law compliance is a hot compliance issue for Australian non-government schools following the introduction of the new Australian Privacy Principles on 12 March 2014.

Aerocare, a sub-contractor of Virgin, was responsible for providing passenger services at a Queensland airport. A visually impaired passenger, who had recently undergone surgery, was accompanied by an Assistance Dog and a sighted companion whilst flying from the Sunshine Coast to Melbourne. The passenger had a hospital letter certifying that he was fit to fly.

Virgin’s conditions of carriage entitle it to refuse to carry a passenger if it is not satisfied that the passenger is medically fit to fly. The Aerocare representative questioned the passenger in the departure lounge about his medical condition, in the presence of his sighted companion, who was unaware of the full extent of his condition, and within possible earshot of other passengers. The passenger was distressed and upset by the manner in which Aerocare collected his personal information.

The Commissioner determined that Aerocare’s representative had breached the National Privacy Principles (now the Australian Privacy Principles) because the representative:

  • collected personal information in an unreasonably intrusive way (the passenger should have been taken out of earshot of others to be questioned);
  • did not explain why the information was being collected nor on whose behalf it was being collected (Aerocare should have disclosed its role and should not have assumed that the passenger knew why the information was being collected); and
  • did not protect the information from unauthorised disclosure (Aerocare questioned the passenger in earshot of others).

Whilst this decision was determined with reference to the old National Privacy Principles, it highlights the types of everyday situations in which privacy laws may be breached and the level of care that workers must take when dealing with an individual’s personal information.

In light of the Commissioner’s decision, schools should review their privacy and staff training programs to ensure staff are aware of the correct ways to use, disclose and secure personal information. If the collection of information occurs in a public setting, staff should take steps to ensure that the information can’t be heard by others.

To help governors, principals and business managers understand their obligations under the new laws, CompliSpace has released a whitepaper and a one-hour webinar detailing the steps a school should take in preparing for the changes to the Privacy Act.

The whitepaper outlines the steps a school should take to ensure their governance, risk management and compliance (GRC) infrastructure is compliant with the new legislation.

The webinar, hosted by CompliSpace Managing Director David Griffiths, provides an overview of the new privacy laws and some practical tips for how schools can manage their obligations.

About the Author

Ideagen CompliSpace
