
A year on - privacy in practice: data retention, metadata and schools

22/04/15

On 26 March 2015 the Federal Government passed the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 (Cth) (the Bill). The Bill attracted a lot of media attention due to concerns from civil liberties advocates and legal experts about its privacy implications.

In light of this new legislation, this article discusses how the Bill works and what similar data retention practices schools should be adopting as part of their obligations under the Privacy Act 1988 (Cth) (the Privacy Act) and the Australian Privacy Principles (the APPs).

New data retention requirements

According to the Explanatory Memorandum, the new data retention obligations ensure the availability of a specified range of basic telecommunications data (also known as 'metadata') for law enforcement and national security purposes. 'Telecommunications data' is not a defined term, but it can be considered to be information about a communication rather than its content or substance, e.g. a telephone number or email address, but not the words spoken during a phone call or an email subject line.

Such data is central to counter-terrorism, organised crime, counter-espionage and cyber-security investigations.

Information or documents kept under the data retention regime are 'personal information' for the purposes of the Privacy Act, and the APPs apply to service providers' handling of the data. For example, APP 11 requires entities to take active measures to ensure the security of personal information they hold and to actively consider whether they are permitted to retain personal information.

Do the laws apply to schools?

The retention requirements apply to telecommunications services providers and require them to store telecommunications data for two years. The retention obligation creates a consistent obligation for record-keeping across the telecommunications industry.

Clearly, schools don't fall into this category!

But what is interesting about the new laws is the:

  • Government's reinforcement of the importance of providers having practices, procedures and systems in place to protect the handling of the metadata personal information (similar to APP 1: Open and transparent management of personal information); and
  • introduction of a consistent time period for retaining information.
These new laws provide a reminder for all organisations regulated by the APPs of their data retention requirements - including non-government schools.

Metadata and schools

While schools are not required to keep telecommunications data in relation to their own internal networks, they do collect, create and possibly also retain, metadata.  According to an article by Edith Cowan University, a practical explanation of metadata is 'information embedded in photos, videos and files which includes camera settings, personal information and, critically, the exact location of the user when a photo or file is created or uploaded.'

This means that schools will be collecting metadata about their students and staff when they upload photos and personal information using a school's internal network.

Libraries also use metadata for the description of any resource object such as book titles.

If the metadata is personal information, schools must engage in an exercise of discretion as to if, and for how long, they intend to keep it, in accordance with APP 11.

As we wrote in a previous article, 'Record keeping in schools: If it's personal how long should you keep it?', the APPs give no guidance to non-government schools as to how long personal information should be retained. Under APP 11, non-government schools are simply required to destroy or de-identify personal information when it is no longer 'needed', but it's up to schools to determine when a document is 'needed'.

This is in contrast to government schools, which are assisted by record-keeping guidance issued by State education departments.

That said, metadata management is not referred to in such government guidance.

Protection and retention

The Bill has shone a new light on an area of privacy law which many organisations might not realise exists - metadata that is 'personal information' under the Privacy Act.

As explained in more detail in our Briefing Paper for Non-Government Schools, personal information is the general term that is used to describe information or an opinion about an identified individual, or an individual who is reasonably identifiable. It includes sensitive information and health information and in a school context, will be information it collects from individuals who deal with it, including students, parents, prospective parents, staff, prospective staff, volunteers, alumni and suppliers ... the list goes on.

The question for schools to consider is 'do we collect, create or retain metadata that is also personal information'?

Although schools are not required to keep metadata for a minimum of two years, if it contains personal information they should also not keep it for longer than the purpose for which it was collected under the APPs. Schools that retain personal information unnecessarily may expose it to risk of misuse, interference and loss if it is not being monitored or handled securely.

Implementing strategies in relation to ICT security is an example of a reasonable step schools can take to ensure the security of any personal information that is held in electronic form, including protecting it from unauthorised access. As part of the 'life cycle' of information management, schools should also have procedures in place to de-identify or destroy personal information once it's no longer needed.

Lessons for schools

Reading this article should not make anyone run in a panic to their ICT department asking to see 'metadata'. Instead, it's intended to explore an area of privacy regulation that has received media attention recently, but which schools may not have previously considered also relates to them. Like all forms of data which may contain personal information, a school needs to consider how it stores metadata and, if it does, consider implementing management systems so that such data is destroyed or is put 'beyond use' once it's no longer needed.

Over the coming weeks we will dig deeper into privacy laws in practice and provide commentary on what practical steps schools should be taking to ensure compliance.

Finally, CompliSpace will be hosting a live webinar, 'Privacy in Practice: One Year On', which will provide a forum for you to ask any privacy-related questions you may have. For more information and to reserve your webinar seat, click here.

About the Author

Xenia Hammon

Xenia is currently a senior content consultant at Ideagen. She also practised as a commercial lawyer, both in private practice at a large, national law firm and in-house at an ASX-listed company.
