Can your school be trustworthy while also being transparent?

The theme of this year’s Privacy Awareness Week is ‘Trust and Transparency.’ Timothy Pilgrim, Commissioner of the Office of the Australian Information Commissioner (OAIC) stated that trust and transparency “speaks to the consumer and community trust that flows to organisations who handle personal information transparently, and with care, throughout the information life cycle. Privacy is rarely about secrecy, but is about transparency, security, and choice. It’s about organisations being up-front about their personal information handling practices so that individuals can make informed choices about how they share their information.”

There is a requirement for all schools in Australia to maintain a high standard of privacy – they collect and hold extremely sensitive information about students and parents. Trust in the school’s ability to store and to handle this information appropriately is critical to interacting successfully with the school community.  Having transparent processes is important in building that trust so that school stakeholders at all levels – whether school board member, principal, employee, teacher, volunteer, student or parent/guardian – know how personal information is protected.


Trust and Transparency in schools

When it comes to privacy in schools, trust and transparency are important concepts schools must observe.  Schools must ensure information is stored securely when processing personal details so as not to compromise individuals’ privacy.  A prime example of a lapse is the recently published confidential information by the Victorian Education Department which identified students who were victims of bullying, committed acts of self-harm and subsequent release of student medical information.  Although state based government departments are not covered under the Privacy Act 1988 (Cth) (the Act), this was an instance where negligent handling of sensitive information compromised privacy.

School Governance previously reported just how trust can be broken in a privacy context.  A school neglected/ignored their obligations under the Act when they disclosed information to the school board about a former student’s allegation regarding a teacher’s sexual abuse of this ex-student.  This disclosure of information was found to have breached the Act and the Privacy Commissioner awarded the complainant $7,500.

The guts of the Act is compliance with all 13 of the Australian Privacy Principles (APPs).  For schools to maintain trust that the personal information they collect will remain private while also remaining transparent to the school community about the handling of information and proposed usage, schools must ensure that their privacy program follows these relevant APPs:

  • APP 1 – Open and transparent management of personal information – advising the school community of the school’s privacy policy and when and how personal information is used.
  • APP 5 – Notification of the collection of personal information – schools will be required to notify the school community about what information is collected in certain situations.
  • APP 6 – Use or disclosure of personal information – how the school will use and disclose information in certain situations.
  • APP 11 – Security of personal information-ensuring that schools have systems in place to ensure personal information provided by the school community is secure and remains private.
  • APP 13 – Correction of personal information – if an individual’s information requires correction due to change in circumstance or incorrect input of information, a school must correct that personal information as soon as they are aware.

When capturing personal information from members of the school community, schools meet their transparency requirements by notifying and conveying to the school community exactly what information is kept on file and how this information is utilised.  This can be accomplished by publishing the  school’s privacy policy on their website, informing parents/guardians and students at time of enrolment or advising those affected by letter or email about the school’s privacy policy. In addition, the school will need to provide a collection notice explaining the purpose of specific information at the time that it is collected, for example if requesting additional medical information after enrolment, with reference to the school’s Privacy Policy for further more general information on the school’s Privacy Program.

Set out below are areas where trust and transparency are particularly important to keep in mind when managing the privacy or confidentiality of personal information.


Parents/Guardians

At the time of enrolling a new student, schools obtain most of their information about parents/guardians.  Information schools store on parents/guardians include, but is not limited to:

  • highest level of education of the parents/guardians;
  • address of the parents/guardians;
  • contact details for parents/guardians;
  • parents/guardians’ occupations;
  • age of parents/guardians; and
  • parents/guardians credit card or banking information.

As most school principals would be aware, parent/guardian information is also collected as part of the NAPLAN question response dataset.  This information is then forwarded to the Australian Curriculum, Assessment and Reporting Authority (ACARA).

Schools must make sure that this information is securely stored so that information about a parent/guardian is not disclosed to anyone other than on a strictly need-to-know basis.


Teachers and General Staff

Although any information that the school may have on employees is exempt under the Act, schools must ensure all employee information remains confidential.  Furthermore, schools must retain some information relating to Fair Work, Work Health and Safety or Occupational Health and Safety legislation (WHS/OHS) and general operation of the employment relationship.  This information may include, but is not limited to:

  • employment information;
  • address and contact information;
  • health information –  medical certificates, dietary requirements, health conditions or injuries.
  • relevant certification such as drivers licence, Working with Children Checks or First Aid certificates;
  • pay slips, superannuation and tax records i.e. Tax File Number or any PAYG information;
  • leave records;
  • professional development;
  • duty and teaching rosters;
  • HECS information;
  • parental leave information;
  • workers compensation;
  • passport/visa information;
  • next of kin; and
  • professional memberships or affiliations.

When it comes to employee records, the Fair Work Act 2009 (Cth) (Fair Work Act) requires any employment records or documents obtained during the course of employment to be held and securely stored for a period of seven years.

Furthermore, for any workers’ compensation claim information or any WHS/OHS incident, reports must be retained for 30 years. However, note that some medical and other identifying information which relates to an employee injured in a workplace incident may only be revealed to health and safety representatives/committee members, even if they may be investigating an incident, with the consent of the individual.

Any information relating to allegations of child abuse must be retained for an indefinite period.

While the requirements for maintaining confidentiality/privacy with respect to employees is not as regimented as the Act’s requirements, a school should have similar systems in place to ensure the security of the information: how it is stored, who can see it and how it can be used.


Current and Former Students

For current and former students, there is a requirement for schools to obtain certain information. Information schools may request includes, but is not limited to:

  • certified copies of birth certificates;
  • copy of the child’s immunisation record;
  • most recent available school reports;
  • custodial documents regarding the custody or shared custody of the child (Parenting orders from the Family Court of Australia or Federal Circuit Court of Australia);
  • any medical records regarding any medical conditions or allergies;
  • whether they are of Aboriginal or Torres Strait Islander descent;
  • main and secondary language spoken;
  • if the child has special needs;
  • whether they are an overseas student and associated visa details;
  • address of the where the child resides;
  • whether the child has any siblings;
  • NAPLAN certificate of academic testing; and
  • whether the child receives any tutoring or external assistance.

Most of this information is obtained and captured at the time of enrolment when completing forms and other enrolment requirements.  This information may be used at a later date to help schools secure funding and appropriately accommodate students. Information relating to a student who is under the age of 18, must be securely stored so the child’s privacy is not compromised.  In normal situations, schools need to retain information about a student or former student for a period of seven years.

However, if the information relates to a particular circumstance or incident, such as an allegation of child abuse, then that information must be stored for longer period or held indefinitely. If a school believes that an incident at school may give rise to future litigation, they would also be wise to retain it.  When it comes to these requirements, schools must make sure they have a process or system in place to ensure these sensitive documents are securely stored, so a child is not affected in the event of an unauthorised disclosure.


How a school’s privacy program responds to stakeholders’ privacy needs

It is important schools comply with requirements of the Act, APPs, State and Territory Privacy and Data Protection legislation, and WHS/OHS legislation and the Fair Work Act, when considering the school’s privacy needs.

This translates to schools ensuring there is a compliant Privacy Policy in place and implemented to protect the personal information of students, parents/guardians, volunteers, teachers and other employees to help ensure that information remains private and confidential.

A school Privacy Policy must stipulate precisely the information that will be collected, its main uses, how it will be retained and the period of time the information will be stored.  This will inform the school community about what private information will be utilised by the school and how to check that the information is accurate about the person, and how to make any complaints about privacy concerns.

A policy is meaningless unless staff understand their responsibilities and comply with the policy. This means that staff must be trained: for example, what information they can disclose to parents/ carers or others, when they need consent to do so, and how to handle requests for personal information.  There will be times when your school will need to work out how they can be transparent to one stakeholder while maintaining the privacy of another, for example when parents seek information about an incident which involved their child and others.

Complying with privacy requirements goes considerably beyond a mere Privacy Policy, but is an area which requires active monitoring and action. A school should have a nominated ‘privacy officer’ who will be the point of contact for privacy complaints and inquiries, and over time will become the expert in dealing with and advising on privacy issues.   Further information and guidance is available on the OAIC website, including the OAIC guide which explains what information is ‘personal information’.

About the author


William
 Kelly is a School Governance reporter. He can be contacted here.

 

Leave a comment