A recent finding by the Privacy Commissioner that a non-government school in Brisbane breached the Privacy Act 1988 (Cth) (Act) when it included personal information about a student in a School Council information pack (Information Pack) is an important reminder for all schools to ensure that they are up to date with their understanding of their privacy law obligations and have a robust privacy program in place.
Although the case 'CM' and Corporation of the Synod of the Diocese of Brisbane (2014) was decided under the National Privacy Principles (NPPs), which were replaced by the Australian Privacy Principles (APPs) on 12 March 2014, the important lessons arising from the case are still relevant to schools and to how they approach their obligations under the APPs.
The complainant was a former pupil at St Paul's School (School), which is part of the Corporation of the Synod of the Anglican Diocese of Brisbane (Diocese). The complainant alleged that while he was at the School he was sexually abused by a teacher. The allegations were raised in 2000, some years after the complainant had left the School. The complainant first wrote an anonymous letter to a Brisbane newspaper about the abuse before contacting the Diocese directly in March 2007 seeking compensation. The School Council met to discuss the allegations on 6 September 2007, and part of the Information Pack the Council members received prior to the meeting contained documents detailing the complainant's allegations. In 2009 the complainant contacted the School alleging that the distribution of his personal information to the Council was a breach of his privacy. The complainant was particularly concerned that the Information Packs may have been given to the children of the Council members as a means of delivery, that his personal information may have been revealed as a result, and that a non-Council member had also received an Information Pack.
The school suggested that the Privacy Commissioner independently assess the situation.
The complainant alleged that the Diocese had interfered with his privacy by committing several breaches of the NPPs. The Privacy Commissioner agreed that the Diocese had breached NPP 4.1 'Data Security' by failing to take reasonable steps to protect his personal information from misuse and loss, modification or disclosure by:
When giving reasons for his findings the Commissioner noted that:
APP 11 'Security of personal information' has replaced NPP 4.
The complainant also argued that the Diocese's disclosure of his personal information to the School and then the School Council amounted to a breach of NPP 2 (Use and disclosure) because this sharing of information was not a 'use or disclosure for the primary purpose of collection or for a permitted secondary purpose.' The basis of this argument was that the assessment of his legal claim was a matter of consideration for the Diocese, not the School or School Council.
However, the Commissioner disagreed with the complainant on this point because the:
APP 6 'Use or disclosure of personal information' has replaced NPP 2.
The Privacy Commissioner found that the complainant was entitled to $7,500 in damages for non-economic loss, including pain and suffering and feelings of humiliation, as a result of the Diocese's breaches of the Act.
The Commissioner noted that since the 2007 incident, the School had introduced a 'Distribution of Confidential Documents to Council and Sub Committee members' policy which is designed to ensure that information is disclosed securely. That policy advises that School Council members are to 'undertake an induction; highlighting that packs are to be treated with the strictest confidence and secured at all times'. Although this policy could not help the School in its defence against the complainant's allegations because it was not in force in 2007, its introduction is an example of the School taking constructive steps to implement stronger data security protocols.
And in an example of the benefit of hindsight, had the policy been in place in 2007, and had it perhaps contained stronger obligations on Council members to secure the Information Packs, the Commissioner might have found that the School had taken 'reasonable steps' to ensure the security of the personal information and that it had not breached the NPPs (the Diocese has agreed to amend the policy to specifically state that Council members are 'advised to keep Council packs under lock and key when not in their person or in use').
This case demonstrates:
Above all, the case shows that it is important to get privacy right because a breach of privacy laws can have serious implications. For more information about how to comply with your school's privacy obligations, download the CompliSpace Whitepaper or view the CompliSpace privacy for non-government schools webinar.