On 1 April 2015 the OAIC released an updated version of the Australian Privacy Principles (the APPs) guidelines, which are the primary guidance for entities on how to interpret and comply with the APPs, as well as on good privacy practice. Given that 12 March 2015 is the anniversary of the APPs, and Privacy Awareness Week (PAW) will be held 2-9 May 2015, it is an opportune time to look at privacy in non-government schools.
This is the first part in a series of articles on what privacy law compliance looks like for schools today, on recent privacy regulatory changes and case law, and on the key privacy topics schools need to understand and apply to ensure compliance with privacy laws every day.
This article looks at the recent update to the APP Guidelines issued by the Office of the Australian Information Commissioner (OAIC), and the impact they have on your school.
You should already be familiar with the APPs, which have been binding on non-government schools since last year. The APPs were introduced in Australia on 12 March 2014 as part of broader reforms to the Privacy Act 1988 (Cth) (the Privacy Act). CompliSpace has published a Briefing Paper for Non-Government Schools, which provides a plain English overview of the 13 APPs and outlines some of the key issues that schools should consider in developing their privacy programs. There is also a webinar presented by David Griffiths of CompliSpace, which walks you step by step through the issues.
The OAIC released an updated version of the APP guidelines on 1 April 2015 (we checked - it wasn't an April Fools' joke). These provide the primary guidance for entities on how to interpret and comply with the APPs, as well as on good privacy practices.
According to the OAIC website, the updates were made following feedback from stakeholders throughout the first year of the new privacy laws.
Some of the key changes are:
Overall, these changes are unlikely to require material changes to your school's privacy program but they will require you to review your understanding of the APPs to ensure you are clear on their application.
In January 2015 the OAIC released a Guide to Securing Personal Information (the Guide). The Guide is based on and replaces a previous OAIC publication, the 'Guide to Information Security', which was published in 2013 before the APPs were introduced.
Although the Guide is not binding, the updated APP guidelines (also non-binding) now directly refer organisations to the Guide for further information on how to comply with their obligations under APP 11 'security of personal information'. These two guidance documents set a benchmark for compliance for schools, and should assist in designing a privacy program that aligns with best practices.
Under APP 11 a school is required to take 'reasonable steps' to protect the personal information it holds from misuse, interference and loss as well as unauthorised access, modification or disclosure. To comply with APP 11, a school must also take reasonable steps to destroy or de-identify the personal information it holds once it is no longer needed for any purpose for which it can be used or disclosed under the APPs.
We have previously written articles on how APP 11 applies to personal information held by schools including:
We also summarised cases where organisations had failed to meet their obligation to take 'reasonable steps' to protect personal information in our article Privacy Law Reminders: data security.
The Guide is intended to help organisations understand how to comply with APP 11 but it does not definitively state what constitutes taking 'reasonable steps' in the context of APP 11.
Instead it places greater emphasis on how to protect personal information through the 5 stages of its 'information lifecycle'.
The 5 stages are:
The Guide demonstrates the importance of governance, the creation of a privacy and security aware culture within the workplace, and the necessity for a privacy culture to be driven from the board-level within organisations. A section on using cloud storage solutions is introduced for the first time, outlining the continued requirements that apply when information handling is outsourced to a third party provider.
Although the APP guidelines and the Guide are not legally binding, they provide context and information on the legal requirements of the APPs, and they are important documents because they establish a compliance 'benchmark'. On that basis, schools should revisit their privacy programs and review their policies and procedures in light of the latest OAIC guidance on how to comply with their privacy legal obligations, as set out in the APP guidelines and the Guide. The Guide's focus on an information lifecycle may also give schools a useful model for reviewing the structure of their existing program.
Over the coming weeks we will dig deeper into privacy laws in practice and provide commentary on what practical steps schools should be taking to ensure compliance.
Finally, CompliSpace will be hosting a live Webinar 'Privacy in Practice: One Year On', which will provide a forum for you to ask any privacy related questions you may have. For more information and to reserve your webinar seat, click here.