
Five things schools need to know about privacy

13/05/15

On Friday 8 May 2015 over 100 people attended our School Governance Webinar: Privacy in Practice: One Year On. You can access a recording of the Webinar here.

The Webinar took place during Privacy Awareness Week, the theme of which was 'privacy everyday'. The feedback from the Webinar showed that there are still many areas of uncertainty for schools when it comes to privacy compliance.

In this article we answer the 5 key questions we received following the webinar which we hope will be of assistance to all schools.

1. You need consent to pass on a parent's contact details

We were asked: Can a school pass on a parent's contact details to other parents, if we have stated in our Privacy Policy and Collection Notice that we will do so? We have given parents the option of saying 'yes' or 'no'.

The answer is yes, as long as your Privacy Policy and Collection Notice are clear and you have obtained consent. The Privacy Policy and Collection Notice must explain how you will collect and disclose the personal information, referring specifically to parent contact details. You must also obtain consent. 'Consent' in this case means that:

  • parents are adequately informed before providing their contact details;
  • parents give consent voluntarily;
  • consent is current and specific; and
  • the parents are capable of understanding and communicating their consent.

Providing an 'opt-out' mechanism as a means of obtaining a parent's consent is not always effective. This is because, as the APP Guidelines explain, the parent's intention in responding to an 'opt-out' form can be ambiguous. By way of illustration, a failure to tick an 'opt-out' form may be the result of failing to read the form, rather than giving consent.

To ensure that a parent's consent is properly given, you should provide an express opt-out to allow them to reject the option to have their details distributed and you should also ensure that:

  • the opt-out option is clearly and prominently presented on the form;
  • it is likely that the parent received and read the information about the proposed collection and distribution, and the option to opt-out;
  • the opt-out is freely available and not 'bundled' with other personal information collection/consent purposes;
  • parents understand the implications of not opting out; and
  • a parent who decides to opt-out at a later time will be placed in a position as if they had opted out earlier.

2. Photos are regulated by privacy law

We were asked: Is the publication of photographs, without identifying the names of those in the photos, regulated by the Privacy Act/APPs?

The answer is yes. By way of general explanation, personal information is information that identifies an individual.

To the extent that a photo identifies an individual it is considered to be personal information under the Privacy Act (a photo is also considered a ‘record’ by the Act). So even though a photo may not include a caption identifying the persons in a photo, the image in the photo is still personal information, contained on a record, from which a person can be identified. Privacy law therefore applies to the photo.

If a school wishes to publish a photo of students or other members of the school community, and the publication (or ‘disclosure’) is not the primary purpose of collecting that information, then consent from the persons identified in the photo – or their parent/guardian – may be required. For example, publishing a student’s individual photo, taken for enrolment purposes, on the school’s public website for marketing reasons may require parental consent. Specific consent for this purpose may also be required.

3. You may have to hold onto sensitive personal information after a student leaves school

We were asked: The retention of records is still very confusing for non-government schools. You mentioned in the Webinar that medical records were sensitive information and should not be retained for a long period. We ask for student medical information on our enrolment forms and enter this information into our student database. Should this information be retained or should it be removed on exit? What about the information contained in our old database and the hard copies held?

Answer: We appreciate the confusion non-government schools experience in relation to record retention. We have previously written a blog article on School Governance on the topic - Record keeping in schools: if its personal how long should you keep it? Personal information, including sensitive information, should only be kept by a school as long as necessary, or until it’s no longer needed for any purpose for which it can be used or disclosed under the Privacy Act.

This means that, in theory, student medical records can be disposed of after the student has left the school. However, it must be remembered that sometimes such information may need to be retained in anticipation of court proceedings. Under the Crimes Act 1914 (Cth) and corresponding State legislation, it’s an offence to intentionally destroy documents that a person knows are, or may be, required as evidence in a judicial proceeding in order to prevent them being used in a court proceeding. This view applies to soft and hard copy records. For example, in NSW, other legislation also applies to retaining health records, such as the Health Records and Information Privacy Act 2002 (NSW) (which contains Health Privacy Principles in relation to record retention which are similar to the APPs and Privacy Act).

Although it’s not possible for a school to always anticipate when court proceedings may occur, it should be possible to isolate and retain student records where there has been some sort of disciplinary action, complaint, accident or other matter noted in those records.

Such incidents may indicate to a school that future court proceedings could be instigated by a student. If a school does decide to destroy or de-identify information that is no longer required, it must ensure it does so securely. Another article we wrote, which includes a summary of the Pound Road Medical case, includes some useful information on this point. That article is available here.

4. You should probably hold on to those permission slips

We were asked: Parental permission slips for excursions etc - can we dispose of these securely or should we keep them?

The answer to this question is similar to the answer to Question 3, above. Unfortunately, there is no clear rule on how long, and in what form, non-government schools should keep personal information for. Our previous School Governance article explains this issue.

However, permission slips are important records of events and schools should not discard them lightly. For guidance, the Victorian General Retention & Disposal Authority for School Records, which provides record management principles for Victorian government schools, states that camp/excursion permission slips and related confidential medical forms should be kept for 7 years where no accident occurred during the camp/excursion or 20 years if an accident did occur. These time frames reflect the legislative requirements described above which prevent schools from destroying documents which may be required in legal proceedings. Non-government schools can elect to follow the government record-keeping guidance at their discretion.

5. Your privacy policy should explain how you allow people to deal with your school anonymously or by pseudonym

We were asked: Do we have to explain our anonymity/pseudonymity procedures in our privacy policy?

Answer: The right to deal with a school anonymously, or by pseudonym, is contained in APP 2 - Anonymity and pseudonymity. The aim of privacy law in this respect is to ensure that personal information is not collected if it is not needed, and to minimise the risks of providing personal information.

There are exemptions. An organisation does not need to deal with a person anonymously or by pseudonym if:

  • the organisation is authorised by law, or a court order, to deal with individuals who have identified themselves; or
  • 'it is impracticable for the APP entity to deal with individuals who have not identified themselves or used a pseudonym'.

Schools that enrol students are obviously required under law to collect the personal information of students and their parents. Personal information must also be collected in circumstances such as where permission slips or other information needs to be collected.

However, this does not mean a school cannot deal with individuals anonymously or by pseudonym. A school may decide to receive compliments or complaints anonymously. It may also choose to allow other feedback or submissions anonymously, or to be published by pseudonym.

In these circumstances, a school's privacy policy should outline the circumstances in which a school may deal with persons anonymously or by pseudonym, and the procedures for doing so. This is so people in the community can know how to access these procedures, or otherwise interact with the school without providing their contact details.

More information is provided by the APP Guidelines.

Conclusion

Privacy compliance is a complicated obligation for non-government schools, but this does not lessen the requirement for schools to understand and comply with privacy laws. However, this task is made easier by having a privacy program in place.

The answers we have provided above are general guidance only and we recommend that schools obtain legal advice for more detailed advice on particular situations.

Do you have any other questions about privacy? Leave a comment below.  

About the Author

CompliSpace

CompliSpace is Ideagen’s SaaS-enabled solution that helps organisations in highly-regulated industries meet their governance, risk, compliance and policy management obligations.
