The Acting Australian Information Commissioner Timothy Pilgrim has announced that Privacy Awareness Week 2016 (15-21 May) has the theme of ‘Privacy in Your Hands’.

The Acting Commissioner has advocated that, along with ongoing changes in technology, and with the changes in how we communicate with each other, that businesses, agencies and individuals must also step up to the challenge of taking control of privacy management.

'For organisations and agencies, that means incorporating privacy into strategic planning, making privacy a governance priority, and taking a ‘privacy by design’ approach to integrate privacy management into all projects, products and practices.

For individuals, it means making smart privacy choices by understanding your rights, and also the consequences of choices you make to share personal information.'

Now is a good time for schools to review their privacy policies and procedures and they may wish to refer to the CompliSpace Privacy Briefing Paper (available here). The regular and numerous changes in technology and the changing manner in which schools collect, store and manage personal information, suggests that schools should ensure that their processes and procedures remain compliant with the Privacy Act (1988) and the 13 Australian Privacy Principles (APPs).

For example, refer to the Office of the Australian Information Commissioner article regarding the Ashley Madison breach of privacy (August 2015), a massive data breach that exposed details of 37 million users worldwide.

'The APPs stipulate clear obligations on sending personal information overseas, complaints handling procedures, the use of personal details for direct marketing, the security of personal information and the treatment of unsolicited personal information.'

Also central to compliance, schools must ensure that their policies and procedures are updated and in place regarding the use of ICT and information security, as well as human resources policies such as workplace surveillance, email and internet monitoring, social media usage and staff training.  With the widespread use of cloud technologies and data sharing sites such as ‘Drop Box’, does your privacy program address this technology to ensure that your school is compliant with APP 8: Cross-border disclosure of personal information and APP 11: Security of personal information?

Age is not a limitation under the Act for a member of the school community to make a personal information query to the school; so schools need to be cognisant of requests from students who make application under the Privacy Act, in particular, APP 12 and APP 13 - to access and/or correct their personal information.

In the event that a student makes such a request, a school must decide whether the student in question has “sufficient understanding and maturity to understand what is being proposed (consent)”. This test is very similar to the one adopted by the High Court in deciding whether a minor may give consent to medical treatment (see Marion’s Case).

Schools should not simply base their decision on the student's age. Rather they should genuinely consider the student's understanding and maturity and base their decision upon the staff’s (particularly the teachers), knowledge of the student. If, based on teacher feedback, the school decides that the student lacks sufficient understanding and maturity, the school should then rely upon the student’s parents to make decisions on the student’s behalf.

With this in mind, however, there are a number of possible school based scenarios that come to mind:

• Does your school have procedures in place to account for the possibility that a child may ask to both access and correct the personal information in their student file?
• Can a child determine that his or her school report contains personal information and cannot, therefore be shared with anyone else without his or her formal written consent- including his or her parents?
• Can a student ask that his or her personal information be deleted by the school once he or she has concluded their time as a student at the school? Does the requirement of the Privacy Act to delete or de-identify personal information that is no longer needed overrule the school requirement to maintain and keep certain student records and data?
• Although you may have a signed contract with parents and the written authority to use a child’s photograph on your web-page or other publication, can the child withdraw that permission and ask that his/her image be removed?

Although they may seem a little far-fetched, these are all true-life queries that have already been raised by students in independent schools around the country. The incidents of privacy related student/school conversations are increasing.

Although the most significant reform to the Privacy Act occurred in March 2014, schools should not be complacent. They need to regularly review not only their policies, but also their procedures with regards to why they collect and how they collect, store, disclose and delete the personal information that they collect. Schools also need to keep in mind that privacy is a community expectation and that staff, parents and students are becoming more aware of their rights with regards to the collection, storage and use of their personal information by schools.

It is simply not sufficient to say “We have a Privacy Policy”. Schools need to take charge of their privacy obligations and community expectations and keep them in hand.