The theme of this year's Privacy Awareness Week (PAW) is 'privacy everyday'. The Office of the Australian Information Commissioner (the OAIC) explains that this theme means that 'privacy should be an essential component of everyday life, including transactions such as internet banking, social media and online shopping. The theme emphasises the need for organisations to embed privacy practices into business as usual processes, and for individuals and the community to think about how to protect privacy in their everyday lives.'
Although online shopping is unlikely to be among a non-government school's typical daily transactions, many of its other daily transactions do involve privacy issues, such as sending emails and compiling board papers. Schools and school staff should therefore be asking: do we have a culture of privacy compliance every day?
There should only really be one answer to this question. It has been a year since the amendments to the Privacy Act 1988 (Cth) (the Privacy Act) and the Australian Privacy Principles (the APPs) took effect in March 2014, and entities covered by the APPs were given substantial time before then to put compliant systems in place. If your school has not yet properly implemented a privacy program, the key elements of which are outlined in CompliSpace's Briefing Paper for Non-Government Schools, it should do so now as a priority.
The reasons for doing so are simple. How would you feel if your GP left your medical records unsecured and they were accessed by a neighbour? How would you feel if your personal contact details were given out without your permission? How would you feel if you received a fundraising letter addressed to a recently deceased member of your family? How would you feel if your bank's security was breached and your credit card details compromised? These are typical privacy scenarios, and they apply equally to schools. The answers don't require much imagination: complaints and reputational damage are sure to follow.
Schools should be aware that the new privacy laws provide the Privacy Commissioner with teeth in the form of new investigation and audit powers, as well as the power to accept enforceable undertakings (EUs), develop and register binding privacy codes, and commence court proceedings. The first EU recently entered into between the Privacy Commissioner and Singtel Optus Pty Ltd demonstrates that the Commissioner may be prepared to flex its enforcement muscles more often now that the one year anniversary of the reforms has passed.
Privacy law compliance does not operate in a vacuum and compliance under the new privacy laws requires a lot more than simply publishing a 'Privacy Policy' on your School’s public website, or putting a Privacy Collection Notice on a form. The Privacy laws require a school to incorporate privacy compliance into its existing governance infrastructure and into its day-to-day operations - hence the PAW theme.
Schools must take reasonable steps to implement practices, procedures and systems that will ensure they comply with the APPs, and are able to deal with related enquiries and complaints.
In this regard, as part of its risk management procedures, a school should ensure that all staff receive training on their privacy obligations and on the school's expectations for the management of personal information. That training should also show staff how their privacy obligations fit with their other legal obligations, such as those under the school's complaints handling procedures and its human resources policies (a social media policy, for example).
This is especially important because a school can be held legally responsible for non-compliant acts done by its staff in the course of their employment. If staff don't understand how to comply with the privacy laws, how can they be expected to avoid breaching them?
As the OAIC's 2015 Guide to Securing Personal Information (the Guide) states, 'personal information security is more than just ensuring compliance with the requirements of the Privacy Act. If you mishandle the personal information of your customers, it can cause a financial or reputational loss to the customer. In turn, this can also lead to a loss of trust and considerable harm to your reputation.'
If you apply this interpretation to a school's context, it's easy to see how a school's mishandling of the personal information of any of its current and former students, parents or staff, can lead to a breach of trust between the school community and the school and, in some cases, financial or reputational loss to students, parents, staff - and the school.
How a routine exercise going wrong can produce a confluence of damaging consequences was recently demonstrated by the reported actions of a non-government school which accidentally disclosed the personal details of former students in a well-intended offer of support. The school sent a group email to alumni offering counselling to anyone who may have been sexually abused by one of its teachers, who was facing multiple criminal charges. But instead of listing the recipients' email addresses in the 'BCC' field, which would have kept their identities from one another, the addresses were placed in the 'CC' field, so everyone who received the email could see every other recipient's name and email address. This unwittingly revealed the identities and personal contact details of about 1000 former students who may have been subject to sexual abuse. The simple safeguard is that a bulk notice should carry only the school's own address in the 'To' field, with every other recipient in 'BCC', or be sent through a mailing system that delivers a separate message to each recipient.
Our previous article 'School's privacy breach costs $7,500' describes another unfortunate example of personal information about an alleged child abuse victim being disclosed in school communications, in that case board papers. There, the Privacy Commissioner was involved at the suggestion of the school.
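The BCC-versus-CC mistake above is easy to make in a mail client and just as easy to prevent in any script or system a school uses to send bulk notices. The following is an added example, written for this article and not code from the school or from CompliSpace. It contrasts the mistake (the whole list pasted into 'Cc') with the safe pattern (only the school's own address in 'To', everyone else handed to the mail server as envelope recipients, which is what 'BCC' means on the wire) and adds a pre-send guard that refuses to send a message whose headers would expose the list. All addresses are constructed placeholders, the `MAX_VISIBLE` threshold is an assumed policy, and `RecordingTransport` stands in for an `smtplib.SMTP` connection so the example runs offline.

```python
"""Keep a bulk e-mail's recipient list out of the visible headers.

Added example, not code from the article or the school it describes.
All addresses are constructed; MAX_VISIBLE is an assumed policy value.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample alumni list; none of these addresses are real.
ALUMNI = [f"alumnus{i}@example.com" for i in range(1, 6)]

# Assumed policy: a bulk notice may expose at most this many addresses
# (the school's own 'To' address) to its recipients.
MAX_VISIBLE = 1


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will be able to read in the To/Cc headers."""
    raw = [str(v) for name in ("To", "Cc") for v in msg.get_all(name, [])]
    return [addr for _, addr in getaddresses(raw) if addr]


def check_before_send(msg: EmailMessage, max_visible: int = MAX_VISIBLE) -> None:
    """Guard: raise if sending this message would disclose a recipient list."""
    shown = visible_recipients(msg)
    if len(shown) > max_visible:
        raise ValueError(
            f"{len(shown)} addresses visible in To/Cc; move them to BCC")


def build_notice(sender: str, subject: str, body: str) -> EmailMessage:
    """Safe pattern: only the school's own address appears in the headers."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_notice_wrong(sender: str, recipients: list[str],
                       subject: str, body: str) -> EmailMessage:
    """The mistake in the article: the whole list pasted into 'Cc'."""
    msg = build_notice(sender, subject, body)
    msg["Cc"] = ", ".join(recipients)
    return msg


class RecordingTransport:
    """Stand-in for an smtplib.SMTP connection so the example runs offline.

    It records the serialised message and the envelope recipients that
    would have been handed to the mail server.
    """

    def __init__(self) -> None:
        self.deliveries: list[tuple[str, list[str]]] = []

    def send_message(self, msg: EmailMessage, to_addrs=None, **_) -> None:
        # smtplib.SMTP.send_message takes the same keyword: when to_addrs is
        # given it is used as the envelope, and any Bcc header is stripped
        # from the copy that goes on the wire.
        self.deliveries.append((msg.as_string(), list(to_addrs or [])))


def send_bulk(msg: EmailMessage, bcc: list[str], transport) -> list[str]:
    """Run the guard, then deliver with the hidden list as envelope recipients.

    Returns the envelope so the caller can confirm who was actually addressed.
    """
    check_before_send(msg)
    envelope = visible_recipients(msg) + list(bcc)
    transport.send_message(msg, to_addrs=envelope)
    return envelope


def leaked_addresses(msg: EmailMessage, addresses: list[str]) -> list[str]:
    """Which of the given addresses appear anywhere in the serialised message."""
    wire = msg.as_string()
    return [a for a in addresses if a in wire]


if __name__ == "__main__":
    school = "wellbeing@school.example"   # constructed sender address
    transport = RecordingTransport()

    good = build_notice(school, "Support available",
                        "Counselling is available to all former students.")
    print("envelope:", send_bulk(good, ALUMNI, transport))
    print("addresses leaked in headers:", leaked_addresses(good, ALUMNI))

    bad = build_notice_wrong(school, ALUMNI, "Support available", "...")
    try:
        send_bulk(bad, [], transport)
    except ValueError as err:
        print("blocked:", err)
```

With a real `smtplib.SMTP` connection in place of `RecordingTransport`, the call is identical: `smtp.send_message(msg, to_addrs=envelope)` delivers to every envelope address while the headers name only the school. Sending one message per recipient avoids the problem entirely at the cost of more connections, which is what most mailing systems do for you.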
Practising privacy every day involves more than directing staff and other members of your school community to your privacy policy. Staff need to understand that all of their daily activities, including sending emails, can involve personal information of some kind which must be handled in accordance with the law. Your school's privacy program, together with regular training, is integral to helping staff understand what compliance looks like and how to be mindful of their obligations every day.
NEXT WEEK CompliSpace will be hosting a live webinar, 'Privacy in Practice: One Year On', which will provide a forum for you to ask any privacy related questions you may have. For more information and to reserve your webinar seat click here.