Privacy Webinar: Frequently Asked Questions about privacy management and complaints handling in your school
If a school has not yet taken steps to ensure that the personal information it collects and holds is managed in accordance with the Privacy Act 1988 (Cth) (the Act), it will be exposed to serious reputational damage if a notifiable data breach (NDB) occurs, as well as the risk of serious financial penalties if the breach was due to a failure to comply with the Australian Privacy Principles (APPs). A recent CompliSpace Webinar (the Webinar) considered the breadth of these laws and how schools can manage their obligations through privacy and complaints management.
On 3 November 2017, CompliSpace Managing Director David Griffiths presented on Privacy & Complaints Handling in Schools, providing an overview of the upcoming NDB scheme, how to manage privacy and complaints, as well as practical steps to achieve compliance.
For more practical guidance on the NDB scheme and complaints handling, consult the recent CompliSpace briefing paper: The Opportunity to Increase Trust: Mandatory Notification of Data Breaches & Complaints Handling Update.
As individuals gradually understand their privacy rights in greater detail, they are increasingly likely to enforce them – this is reinforced by the 17% increase in formal complaints registered with the OAIC, as detailed in its 2016-17 Annual Report. It is hence increasingly important for schools and other organisations to ensure that they are fully cognisant of their privacy obligations and are taking steps to enforce them.
A summary of the questions asked during the Webinar, with our responses, is given below.
Question 1: Students’ records contain a huge variety of details and are recorded in many different forms. What will be considered non-identifiable personal information, and to what extent will students’ information, such as photos and videos of them, be considered sensitive information?
For information to be personal information, it must be either about an identified individual or about an individual who is reasonably identifiable. Some information may not be personal information when considered on its own, but when combined with other information held by (or accessible to) a school, it may become ‘personal information’. This means the character of a school’s held information about students can be dynamic and can change over time.
Information is ‘about’ a student where there is a connection between the information and them. This is a question of fact and will depend on the context and the circumstances of each particular case. For example, information will be ‘about’ a student where they are a subject matter of the information or opinion. Keep in mind that personal information can be in any format – it is not limited to information that is contained in records and can include information shared verbally, captured digitally or captured on signs. For example, some personal information does not contain any words at all, such as images (especially photos) and sounds (voice or tape recordings).
A student will be ‘identified’ when, within a group of persons, they are distinguished from all other members. This may not necessarily involve identifying the student by name – other information, such as a photograph or a detailed description, may also identify an individual. The key consideration is whether the information can be linked back to the specific person.
Determining whether a person is ‘reasonably’ identifiable will require a contextual consideration of the particular circumstances, including:
- the nature and amount of information
- who will hold and have access to the information
- other information available, and the practicability of identifying the student using that information.
If something is considered to be ‘personal information’ of a student, it will also be considered sensitive information, and will require a higher level of protection, where it expresses information or an opinion about the student’s:
- racial or ethnic origin
- political opinions
- membership of a political association, professional/trade association or trade union
- religious or philosophical beliefs
- sexual orientation or practices
- criminal record.
Sensitive information also includes health information, genetic information and biometric information.
Any photo, audio or video of a student could contain sensitive information where it clearly implies one or more of these matters.
Question 2: What is the process by which students’ personal and sensitive information is de-identified? Is it sufficient to remove their name, phone number, address, Medicare details and student number, or is other information required to be removed?
De-identification is a process which involves the removal or alteration of information that identifies a person, as well as applying additional protections required to prevent identification. This will generally require a number of steps, including:
- removal or alteration of personal identifiers (such as name, address, birth date and other identifying information)
- additional techniques to obscure, aggregate, alter and/or protect the data such that it no longer allows any individuals to be reasonably identified.
In addition to techniques applied to the information itself, restrictions on the environment (for example, imposing restrictions on accessing the information and requiring that users sign non-disclosure agreements) may also be necessary to help ensure that no individuals are identifiable.
It can be difficult to determine whether information has been successfully de-identified, as it is heavily dependent on the context. Generally, the information must have a very low risk of re-identification, having regard to all the circumstances – in particular, the context of information handling and who will have access to the data. For example, as individuals can still be identified from their features, a photo/video which contains a student’s face may still be considered personal information, even if all the normal personal identifiers were removed.
The OAIC encourages entities to seek specialist advice when de-identifying information, to ensure appropriate techniques are used.
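A constructed illustration of the re-identification point above (added here; it is not material from the webinar or CompliSpace): records with the direct identifiers removed can still be unique on date of birth and postcode, so a k-anonymity check is applied before and after generalising those fields. Field names and student records are fictional.

```python
# Added example: direct identifiers stripped first, then the remaining
# quasi-identifiers generalised until no student is unique on them alone.
from collections import Counter

DIRECT_IDENTIFIERS = {"name", "student_number", "phone", "address", "medicare"}
QUASI_IDENTIFIERS = ("dob", "postcode", "year_level")

# Constructed sample records (fictional students, fictional values).
RECORDS = [
    {"name": "A. Nguyen", "student_number": "S1001", "dob": "2009-03-14",
     "postcode": "2010", "year_level": 8, "health_note": "asthma"},
    {"name": "B. Singh", "student_number": "S1002", "dob": "2009-07-02",
     "postcode": "2011", "year_level": 8, "health_note": "none"},
    {"name": "C. Brown", "student_number": "S1003", "dob": "2008-11-30",
     "postcode": "3000", "year_level": 9, "health_note": "anaphylaxis"},
    {"name": "D. Lee", "student_number": "S1004", "dob": "2008-01-19",
     "postcode": "3001", "year_level": 9, "health_note": "none"},
]


def strip_direct_identifiers(record):
    """Step 1: remove fields that name the student outright."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def generalise(record):
    """Step 2: coarsen quasi-identifiers (DOB -> birth year, postcode -> prefix)."""
    out = dict(record)
    out["dob"] = record["dob"][:4]
    out["postcode"] = record["postcode"][:2] + "xx"
    return out


def k_anonymity(records):
    """Size of the smallest group sharing identical quasi-identifier values.
    k == 1 means at least one student is unique on those values alone."""
    groups = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in records)
    return min(groups.values())


def deidentify(records, target_k=2):
    """Strip identifiers; generalise only if someone is still reasonably identifiable."""
    stripped = [strip_direct_identifiers(r) for r in records]
    if k_anonymity(stripped) >= target_k:
        return stripped
    return [generalise(r) for r in stripped]
```

Note that the sensitive `health_note` field survives de-identification; whether the result is acceptable still depends on who can access it, as the answer above states.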
Question 3: The scope of data breaches which would be considered ‘notifiable’ is very unclear. Can you clarify when a data breach will be ‘likely’ to result in serious harm? And would the loss of a personally owned device constitute an NDB?
An NDB arises when:
1. There is unauthorised access to, unauthorised disclosure of, or loss of, personal information that the school holds.
The concept of a ‘data breach’ under the NDB scheme covers any situation in which personal information:
- is accessed by someone who is not permitted to have access (such as hacking by a third party)
- is accessible/visible to persons outside the school and effective control of the information is lost by the school (such as accidentally publishing on the school’s Facebook page for a few hours)
- is lost in circumstances where it is likely to result in unauthorised access/disclosure (such as if a staff member leaves hard copy documents or an unencrypted USB on public transport).
The school will be considered to hold personal information if it has possession or control over a record that contains the information, including records that the school has the right or power to deal with.
It is reasonable to suggest that a staff member’s personal device could house a student record (such as exam results or excursion planning details). Hence if a personal laptop, USB or smartphone were to be lost in circumstances where it contains students’ information, it may be considered a data breach.
2. AND the data breach is likely to result in serious harm to one or more individuals, which cannot be prevented with remedial action.
Whether serious harm is likely is judged from the perspective of a reasonable person – a properly-informed person in the school’s position, based on information immediately available, reasonable inquiries, or assessment of the breach.
The phrase ‘likely to occur’ means the risk of serious harm is more probable than not, rather than possible. ‘Serious harm’ is not defined in the Act, and should be assessed holistically with regard to the:
- type/s of personal information involved
- circumstances of the breach
- nature of the harm that may result.
Refer to the OAIC’s guide on identifying NDBs for more information.
Question 4: Should schools be moving to data encryption to enhance privacy and reduce risk? What other steps should schools be taking in response to the NDB scheme?
There are many benefits to applying personal information security to your school’s operations, aside from simply ensuring compliance with the Act. Security can improve the efficiency of information handling, reduce the risk of privacy breaches and the time/resources involved in addressing any breaches that occur.
Data encryption – where data is translated into a form which is only readable and accessible with a decryption key or password – is one potential element of achieving personal information security. Securing personal information means using any reasonable measures to protect it from misuse, interference and loss, as well as unauthorised access, modification or disclosure. Whether data encryption should be used for your school to enhance privacy and reduce risk depends on what is necessary to protect the personal information your school holds and collects during all stages of its life cycle.
Strengthening personal information security measures is only one step schools should be taking in the wake of the NDB scheme. Other key steps include developing a data breach response plan, as well as identifying individuals who will form part of a response team to coordinate the school’s response to a data breach incident.
Schools should also update their privacy policies to take into account the NDB scheme and disclose how they respond to breaches. While there is no explicit requirement under the Act for schools to outline how they manage data breaches, the OAIC has recommended that this information be included in order to enhance transparency. This could include letting individuals know when and how they are likely to be notified in the event of a breach, and whether it would be necessary to verify their identity.
Question 5: With the advent of social media, informal complaints are regularly made on the internet and in the public sphere. Should informal complaints be ignored until formal channels are used or are schools obligated to add these kinds of complaints to their Complaints Program?
For the purposes of school registration, it is a requirement for non-government schools in most jurisdictions to have a documented response to complaints, disputes and grievances at the school. Under the Act, it is also a requirement to take reasonable steps to implement practices and procedures that will enable the school to deal with inquiries/complaints about the school’s compliance with the APPs.
While there is no specific obligation for a school to engage with complaints published publicly on social media, none of the requirements above exclude social media or refer to specific channels. Hence, from a risk management perspective, ignoring social media complaints seems untenable given the clear regulatory and reputational risks.
A structured complaints policy and a more transparent complaints process build trust among parents and other individuals that their complaints will be heard and acted upon. This is likely to reduce the propensity for social media to be used as a vehicle for venting criticisms.
Refer to our previous School Governance article on this topic for more information.
About the author
Kieran Seed is a School Governance Reporter.