Privacy Awareness Week: From Principles to Practice

17 May 2018


Schools may be forgiven for thinking that 2018 is the year of privacy and not just a week! Given the introduction of the NDB Scheme earlier this year and our various articles about it (see for example New data breach privacy laws in effect – what does this mean for schools?), regular School Governance readers will hopefully have privacy high on their compliance priorities this year.
The PAW theme this year, "from principles to practice", sees the OAIC encouraging all organisations governed by the Privacy Act 1988 (Cth) to:
  • review and improve how they handle personal information to ensure they are transparent and accountable, in line with community expectations and legislative requirements
  • discuss and improve individual privacy practices, to increase awareness about potential privacy risks and how to reduce them.

A key message schools should be aware of is that “simply publishing a privacy statement on your public website is not enough.” Implementing privacy in your school involves far more than just directing employees and other individuals to read the policy.

Review personal information handling

PAW provides a great opportunity for every school to review its personal information-handling practices to ensure compliance with the latest updates to the Act.

By conducting a review, schools may find themselves at different ends of a 'privacy compliance spectrum'. In our work with schools around Australia we have seen privacy "programs" consisting entirely of a very basic privacy policy that still referenced the National Privacy Principles (NPPs) (replaced in 2014!) and did not address the far more wide-reaching requirements introduced by the 2014 changes to the Privacy Act.

At the other end of the compliance spectrum are schools that have developed and implemented detailed privacy policies and procedures, communicated them to staff, students and the broader school community, and conducted training to ensure that all staff know how to handle and protect personal information. A school in this position would not need much more of a stretch to comply with the NDB Scheme requirements, which came into effect in February of this year. Its staff would know how to protect personal information, would recognise the significance of a data breach if one occurred, and would know that it must be reported to the school, which would then manage it in accordance with its Data Breach Response Plan and any external notification obligations. For more information on the requirements of the NDB Scheme, CompliSpace has written a Briefing Paper: Privacy update: Mandatory Notification of Data Breaches & Complaints Handling Update.

In thinking of the PAW theme of "from principles to practice", we would stress the importance of a school being aware of which staff are in a position where they may be asked to provide personal information. The school must ensure that these staff fully understand what types of information they can give out, and to whom, and whether any further measures need to be taken, such as referring the matter to the school's privacy officer.

The OAIC is encouraging organisations to "take stock of how you manage personal information". Due to the breadth of their operations and the amount of personal information they hold, schools encounter privacy issues on a daily basis, with common scenarios including obtaining parental consent to publish student images in photos, recording and disseminating alumni contact details, and passing student information on to third parties in Australia or overseas.

All staff should also be aware of, and comply with, sensible steps to protect the personal information in their possession, whether in hardcopy or electronic form, and should think more carefully before discussing personal information with others. Failure to take these steps in your school means that you are running the risk of a significant data breach occurring. This can not only cause harm to the person or people whose personal information has been breached, but also have serious financial and reputational consequences for your school. There are also very significant penalties under the Privacy Act. Our Briefing Paper includes a checklist of practical steps a school can take to ensure compliance with the NDB Scheme.

Discuss and improve privacy practices

Regardless of which end of the privacy compliance spectrum your school may be on, schools can use PAW to initiate privacy compliance discussions with their staff to better identify improvement opportunities. Staff should be clearly aware of who in the school can assist them in addressing privacy scenarios or answering privacy questions. Such queries provide a valuable opportunity to test your privacy policies and procedures by using them to find an answer or resolve a potential privacy breach. If the policies and procedures are unclear or incomplete, work should be done to improve them. Schools can also conduct a more formal Personal Information Management Audit to test the security of their personal information protection processes and procedures.

The European Union General Data Protection Regulation (GDPR)

We should also note that some schools may also need to consider the new EU GDPR, which takes effect on 25 May. The GDPR applies to Australian businesses of any size if they process personal data and they:

  • have an establishment in the EU
  • offer goods and services in the EU, or
  • monitor the behaviour of individuals in the EU (irrespective of the individual's residence).

It may be that schools which offer educational services in the EU would be caught by this requirement when dealing with enquiries, processing applications and then dealing with those students once enrolled.

The OAIC has released this guidance note on the GDPR summarising how it may apply to Australian entities and similarities and differences between it and the Privacy Act.

Schools whose services may bring them within the GDPR obligations should seek legal advice on the development of policies and procedures to ensure compliance with the new international regulation.

Xenia Hammon

Xenia joined CompliSpace in 2014 having previously worked as a lawyer in Melbourne for six years. Xenia was a lawyer at a leading Australian law firm in their corporate team before taking up the role of in-house Legal Advisor at an ASX listed company. Xenia has experience in Australian and international law on various areas of commercial practice. She is currently completing a Graduate Diploma of Applied Corporate Governance at the Governance Institute of Australia.