
School's privacy breach costs $7,500

29/09/14

A recent finding by the Privacy Commissioner that a non-government school in Brisbane breached the Privacy Act 1988 (Cth) (Act) when it included personal information about a student in a School Council information pack (Information Pack), is an important reminder for all schools to ensure that they are up to date with their understanding of their privacy law obligations and have a robust privacy program in place.

Although the case 'CM' and Corporation of the Synod of the Diocese of Brisbane (2014) was decided under the National Privacy Principles (NPPs), which were replaced by the Australian Privacy Principles (APPs) on 12 March 2014, the lessons arising from it remain relevant to how schools approach their obligations under the APPs.

The facts

The complainant was a former pupil at St Paul's School (School), which is part of the Corporation of the Synod of the Anglican Diocese of Brisbane (Diocese). He alleged that while he was at the School he was sexually abused by a teacher. The allegations were first raised in 2000, some years after he had left the School. The complainant initially wrote an anonymous letter to a Brisbane newspaper about the abuse before contacting the Diocese directly in March 2007 seeking compensation. The School Council met to discuss the allegations on 6 September 2007, and the Information Pack that Council members received before the meeting contained documents detailing the complainant's allegations. In 2009 the complainant contacted the School alleging that the distribution of his personal information to the Council was a breach of his privacy. He was particularly concerned that the Information Packs might have been delivered via the children of Council members, exposing his personal information in the process, and that a non-Council member had also received an Information Pack.

The school suggested that the Privacy Commissioner independently assess the situation.

Breaches of the NPPs

The complainant alleged that the Diocese had interfered with his privacy by committing several breaches of the NPPs. The Privacy Commissioner agreed that the Diocese had breached NPP 4.1 'Data Security' by failing to take reasonable steps to protect his personal information from misuse and loss, modification or disclosure by:

  • including his name in the documentation provided to the School Council and non-School Council members when his identity was unnecessary to the decision making process (the complainant's name could have been redacted from the Information Packs); and
  • providing a non-Council member with the Information Pack (the Diocese admitted the non-Council member had received the Pack but argued that it was an accident and that the recipient had not read it).

When giving reasons for his findings the Commissioner noted that:

  • the Council had not been asked to examine the veracity of the complainant's allegations but only to approve draft correspondence relating to a settlement, so the complainant's identity was not necessary to the decision-making process; and
  • the question of whether or not the non-Council member had read the Information Packs was irrelevant to considering whether a breach of NPP 4 had occurred because the Diocese had failed to adequately check to whom the Information Packs were being provided and this showed that it had not taken reasonable steps to protect the information from unauthorised disclosure.

APP 11 'Security of personal information' has replaced NPP 4.

Relationship between Diocese, School and School Council

The complainant also argued that the Diocese's disclosure of his personal information to the School and then the School Council amounted to a breach of NPP 2 (Use and disclosure) because this sharing of information was not a 'use or disclosure for the primary purpose of collection or for a permitted secondary purpose.'  The basis of this argument was that the assessment of his legal claim was a matter of consideration for the Diocese, not the School or School Council.

However, the Commissioner disagreed with the complainant on this point because the:

  • relevant documents in the Information Pack were provided to the Diocese and then the School and Council, for the primary purpose of considering and responding to the allegations and legal claim; and
  • legal structure of the Diocese and the role of the School and School Council in that structure, whereby the Council exercises delegated powers on behalf of the Diocese, meant that the Diocese, the School and the School Council were considered to be a single legal entity and that sharing information between them was a 'use' within that entity.

APP 6 'Use or disclosure of personal information' has replaced NPP 2.

Finding in favour of the complainant

The Privacy Commissioner found that the complainant was entitled to $7,500 in damages for non-economic loss, including pain and suffering and feelings of humiliation, as a result of the Diocese's breaches of the Act.

What should your school do?

The Commissioner noted that since the 2007 incident, the School had introduced a 'Distribution of Confidential Documents to Council and Sub Committee members' policy designed to ensure that information is disclosed securely. That policy provides that School Council members are to 'undertake an induction; highlighting that packs are to be treated with the strictest confidence and secured at all times'. Although this policy could not assist the School in defending the complainant's allegations because it was not in force in 2007, its introduction is an example of the School taking constructive steps to implement stronger data security protocols.

With the benefit of hindsight, had the policy been in place in 2007, and had it imposed stronger obligations on Council members to secure the Information Packs, the Commissioner might have found that the School had taken 'reasonable steps' to secure the personal information and had not breached the NPPs. (The Diocese has agreed to amend the policy to state expressly that Council members are 'advised to keep Council packs under lock and key when not in their person or in use'.)

This case demonstrates:

  • that schools should treat all personal information carefully and should consider whether sensitive information needs to be included in materials distributed to the school board or council at all, particularly where redacting identifying information or conveying the information verbally would suffice; and
  • the importance of having a strong privacy program in place, which, under the APPs, is now an express obligation under APP 1.

Above all, the case shows that it is important to get privacy right because a breach of privacy laws can have serious implications. For more information about how to comply with your school's privacy obligations download the CompliSpace Whitepaper or view the CompliSpace privacy for non-government schools webinar.

About the Author

CompliSpace

CompliSpace is Ideagen’s SaaS-enabled solution that helps organisations in highly-regulated industries meet their governance, risk, compliance and policy management obligations.
