Privacy laws and bundled consents – is your school compliant?
Recently, the Daily Telegraph reported that government schools administered by the NSW Department of Education and Communities (Department) were asking parents for blanket permissions to publish photos or videos of students online, prompting concerns from the parents. These concerns arise from the release of new enrolment forms which bury the ‘publishing consent’ on page 13 of a 16 page form.
The issue raised by the Daily Telegraph article is not so much the legality of this practice but whether schools should be allowed to use consent forms in this way. Based on the parents’ reactions referred to in the article, arguably the community’s answer is ‘no’.
What this case shows is that government schools might not be getting their approach to student privacy right. But non-government schools may not be either. In a recent survey by School Governance, 49% of schools surveyed did not have an effective set of policies and procedures to comply with the Australian Privacy Principles (APPs) that came into effect on 12 March 2014.
Privacy in Schools and Non-Government Schools
The use of blanket permission forms is troubling and the issues that they raise are not confined to government schools. That said, as we discussed in our previous article, government and non-government schools are subject to different privacy law obligations and what might be legal for government schools may not be legal for non-government schools.
In most states and territories, government schools are considered to be government institutions and they are subject to privacy legislation that applies to government agencies. By way of example in NSW, as schools are administered by the Department, they are obligated to comply with the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA).
Non-government schools in all States and Territories in Australia, in contrast, are required to abide by the Federal Privacy Act 1988 (Cth) and the new APPs. Refer to the CompliSpace privacy non-government schools whitepaper for more information about the updated laws. There is also a webinar available for those that prefer to watch than read.
Although a perpetual, blanket consent form may generally comply with privacy laws under the PPIPA as they apply to (NSW) government schools, the legality of their use by non-government schools is less clear.
Are government schools getting it right?
The ‘Application to enrol in a NSW Government school‘ states:
The school/Department of Education and Communities may publish information about your child… [on platforms including]
- Public websites of the Department of Education and Communities…
- Department of Education and Communities publications…
- Official Department of Education and Communities and school social media accounts on networks such as YouTube, Facebook and Twitter.
Parents should be aware that when information is published on public websites and social media channels it can be linked to by third parties and may be discoverable online for a number of years, if not permanently. Search engines may also cache or retain copies of published information.
A parent is then given two options:
- I give permission; or
- I do not give permission.
This permission remains ‘effective until I advise otherwise’. That is, possibly for the duration of a child’s entire enrolment.
The upshot of this form is that a parent may only give consent on an all-or-nothing basis. There is no option, for instance, to allow a child’s photos or videos to be published in the school newsletter, but not shown to the world on Facebook or Twitter.
This ‘perpetual consent’ approach is somewhat at odds-with the reminder by the Department in its Privacy Management Plan For Department of Education and Communities that principals, when using personal information collected from students, should renew consent from parent/caregivers for publication of their child’s personal information on an annual basis. Clearly, ‘reminding’ and ‘requiring’ are two different concepts.
Consent is the issue
What the Department’s form glosses over is the issue of consent. Ethically, if not in law, a parent should not be forced to give a blanket consent without realising the full ramifications. A tick box on a 16-page form full of other tick-boxes arguably doesn’t suffice.
The APPs (which bind most non-government schools) mandate that consent must be obtained to publish photos or video imagery. Photos and videos are considered personal information because they have the capability of identifying individuals. The Australian Privacy Principles Guidelines helpfully sets out that consent contains four key elements. Consent must be:
- current and specific; and
- given only if a person has the capacity to do so.
If the APPs did apply to government schools, it is difficult to see how it could be said that NSW government schools are obtaining informed or current and specific consent from parents by using a bundled consent with a check-box on an 16 page enrolment form. This is because the form purports to obtain perpetual consent during the child’s enrolment for Department promotional material and social media sites in general. This approach fails to respect a parent’s right to know when, how, where and for how long their child’s image may appear in a public forum during their 12 years of schooling. This right has apparently been outweighed by the need to alleviate the administrative burden on Department staff which comes from obtaining specific and current consents.
Non-government schools, which are regulated by the APPs, should be of adopting a similar approach.
Is your school getting it right?
Under the APPs, non-government schools may be required to obtain proper consent to use student photos or videos for any public or promotional purpose if that purpose is not the primary purpose, or a secondary purpose related to the primary purpose for which the information was collected (or directly related in the case of sensitive information). This consent must be obtained in compliance with the APPs.
According to the APP Guidelines, the following would be likely to breach a school’s privacy obligations:
- an ‘opt-out’ form sent to parents, telling them that if they do nothing the school will use their children’s photos or video imagery;
- a form asking for permission to use photos or video imagery on social media, without stating which social media platforms are to be used; and
- a form asking for consent for ‘undefined future uses’, which does not have a definite end date.
Under the APPs, if personal information is to be sent overseas, a school might consider obtaining consent from parents if the disclosure will expose the school to the risk of being accountable for the misuse of this information by the overseas recipients. This risk may arise if the recipient is in a jurisdiction that does not have a similar privacy regime in place to that offered by the APPs. The CompliSpace Whitepaper explains this in more detail.
The servers of websites such as Facebook, YouTube and Twitter, are all located outside of Australia, meaning that using any of these sites means schools are sending information overseas.
For these reasons, a non-government school should carefully consider the manner in which it obtains consents for the use and disclosure of its students personal information, so as to avoid a potential breach of the APPs and consequential liabilities.
What can your school do?
Although abiding by privacy obligations may be seen as yet another compliance burden for schools already dealing with a complex array of other compliance issues, it is still important to get it right. Protecting student privacy can be an issue of safety which is a key element of a school’s duty of care owed to its students, among other things.
There are some reasonable steps you can take to ensure compliance with privacy laws. All of them revolve around implementing an effective privacy program.
It is important to get privacy right because a breach of privacy laws can have serious implications. The Privacy Commissioner has the power to investigate potential breaches of privacy. The Commissioner also has the power to award damages for breach of privacy.