This is the first article in a three-part series on the expanding issue of information sharing and how it relates to the schools system. In this series, Kieran Seed and Lauren Osbich consider the past and future development of information sharing regimes, particularly in the context of child protection, and how schools can gain a stronger understanding of their obligations.
In the modern era of technological development and innovation, there is an inherent uncertainty and a tension between sharing information with others to promote safety and efficiency and the potential invasion of privacy this entails. What can/must be shared, and when, is an area of ongoing confusion, particularly for schools.
But information sharing is becoming an increasingly important compliance topic - it cannot be avoided by feigning ignorance. The Royal Commission into Institutional Responses to Child Sexual Abuse (Royal Commission) is likely to propose national or interjurisdictional information sharing regimes in relation to child protection and Australia will soon have a national facial recognition database, accessing the driver’s licence photos held by individual jurisdictions.
In this first article, we will introduce the topic of information sharing, what it means in practice, how it interacts with your other legal obligations and why it is relevant to schools. Future editions will explore how information sharing is being utilised and expanded through child protection reform and how this area may change after the release of the Royal Commission's final recommendations.
An introduction to information sharing
Information sharing is essentially the exchange of data and other material between people and organisations. Virtually anything can be shared, and it can occur over many different mediums and between various entities.
The expansion of information sharing corresponds with the increasing portability of data - computer networks and social media have provided the means by which information can be easily distributed, and housing information in such platforms is encouraged through significant ease of access.
The largest global networking companies have hundreds of millions of users, and Facebook is reported to have over 2 billion monthly users - over 25% of the global population regularly sharing personal details over the same network. This means millions upon millions of people are sharing information with other Facebook users, third party advertisers and service providers. Depending on privacy settings, it means that some information is being shared to any person with an internet connection – over half the world population, nearly 4 billion people.
How is this relevant to schools?
Schools are required to demonstrate compliance with various legal and regulatory obligations, including in relation to cyber safety, social media usage, records management, confidentiality, privacy and child protection. In each of these areas, there is some element of information sharing, meaning that schools who do not understand the extent of their information sharing obligations may unwittingly be non-compliant.
Let us consider the extent of information sharing in a non-government school with a practical example: a student record. These records must be kept secure, managed, and retained for a certain period of time which varies according to the jurisdiction.
The personal information of the student – such as their name and date of birth – must be managed in accordance with the Privacy Act 1988 (Cth). This record may also include information about the student’s racial or ethnic origin. This is sensitive information and generally afforded a higher level of privacy protection. The student may have a medical condition such as anaphylaxis – once communicated to the school, it would be considered health information. Health information is a type of sensitive information under the Privacy Act and if the school in question is in Victoria, NSW or the ACT, then this information will require compliance with a separate set of health privacy requirements.
The various ways in which the school could share information about the student include:
- publishing photos of the student on the school’s public website for promotional purposes
- placing the student’s health details in public places within the school, including the staff room and the canteen, to protect against the risk of anaphylaxis
- sending examination results to the education department for educational reasons
- sharing medical and other details with volunteers, contractors and third party vendors as part of planning and conducting an excursion
- revealing information or an opinion about the student internally or externally as part of reporting on an allegation or suspicion of child abuse or significant harm.
If information about the student is shared overseas – such as if an email about academic performance is sent to a parent on holiday – this is regarded as a cross-border disclosure and requires reasonable steps to ensure privacy obligations are not breached.
How can schools balance information sharing with their privacy obligations?
There are clear tensions between maintaining the privacy of personal information, and upholding a duty of care. Schools and other organisations are hence risk-averse when it comes to information sharing; often they will be reticent to, for example, display the details of an anaphylactic student in the canteen, for fear of causing an invasion of privacy.
In order for schools to properly respond to their information sharing obligations, they need to understand the extent of their privacy obligations as well.
Under Australian Privacy Principle (APP) 6, an APP entity – such as a non-government school – can only use or disclose personal information for a purpose for which it was collected or a secondary purpose to which an exception applies. Disclosure occurs when information is made accessible to or is visible to others outside the entity and control is released over subsequent handling of the information; this bears striking resemblance to the concept of information sharing.
Where an exception applies, the entity can disclose the information for some secondary purpose. Exceptions include:
- the individual consented to the disclosure
- the disclosure is required/authorised by law
- a permitted general situation exists, such as lessening or preventing a serious threat to life, health or safety
- a permitted health situation exists, such as disclosing to a responsible person for an individual (including to a parent or relative).
The consent exception
The Privacy Act does not differentiate between adults and children and thus clearly envisages that young people are to be afforded the same rights in respect of their privacy. There is no specified age after which individuals can make their own decisions with respect to their personal information.
In most instances, consents received from parents will act as consents given by students. However, ultimately a student’s personal information is theirs, regardless of their age. It may be appropriate to seek and obtain consent directly from students if they have capacity to consent and have sufficient understanding/maturity to understand what is being proposed.
Consent is sometimes provided for under the information regime itself. Under the Children and Young Persons (Care and Protection) Act 1998 (NSW), it is a principle that a child should be given an opportunity to express their views on personal matters; this suggests that consent should be sought for an exchange of information under Chapter 16A of that Act which focuses on the ''exchange of information and co-ordination of services."
Required/authorised by law
There are a number of information sharing regimes which operate in Australia and are established by law. These regimes relate to particular types of information in which there is a common interest, enabling information exchange and disclosure despite any prohibitive privacy or confidentiality laws. Such regimes can either occur between organisations within a jurisdiction (such as family violence in Victoria), or between countries on the global stage (such as sharing criminal history information with New Zealand, and tax information with OECD countries).
Information sharing in the child protection context will be discussed in more detail in the next edition of this series.
Schools who have a comprehensive privacy program and understand the extent of their privacy obligations, will also be aware of the various exceptions operating on their use and disclosure of personal information. This will ensure they are able to share information for the purpose of upholding their duty of care to students without fear of a compliance breach.