According to the latest quarterly report from the Office of the Australian Information Commissioner (OAIC), the education sector is the fourth most likely sector to be impacted by a privacy breach. It is therefore important that schools understand their obligations under privacy laws, particularly in relation to the collection, and use, of personal information. The Privacy Act 1988 (Privacy Act) is the Commonwealth Act that regulates the collection, storage, use and disclosure of different types of personal information by schools. A key component of the legislation is the mandatory requirement for a school to comply with the Australian Privacy Principles (APPs). The APPs set minimum standards for the collection, security, storage, use, correction and disclosure of personal information and access to that information.
Types of Information covered by the Privacy Act
The following types of information are covered by the Privacy Act:
- Personal information – includes information or an opinion about an identified individual or an individual who is reasonably identifiable whether the information is true or not, and whether the information is recorded in a material form or not.
- Sensitive information - includes any information or opinion about an individual's racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record.
- Health information - is a subset of sensitive information. It is any information or opinion about the health or disability of an individual and the individual's expressed wishes about the current or future provision of health services.
Schools should comply with the APPs at all times as any breach of an APP in relation to personal information about an individual is an interference with the privacy of the individual. The OAIC has authority to investigate any breaches and impose enforcement, or other monetary, remedies.
The NDB Scheme
The Australian Notifiable Data Breach (NDB) Scheme requires organisations covered by the Privacy Act, including most non-government schools, to notify individuals when their personal information is involved in a data breach that is likely to result in serious harm (referred to as an ‘eligible data breach’). Entities must also notify the OAIC about eligible data breaches.
As stated in previous School Governance articles, it is important to note that not all data breaches come under the NDB Scheme. Examples of circumstances which may meet the criteria of a NDB, include when:
- a device containing a member of the school community’s personal information is lost or stolen (e.g a school laptop)
- a database containing personal information is hacked
- personal information about students or staff is mistakenly provided to the wrong person
- records containing student information are stolen from unsecured recycling bins, or
- there is a disclosure of personal information about students/staff for purposes other than what it was collected for and without the consent of the affected students/staff.
For more information on NDBs and how to deal with them, please see here.
The Second Quarterly Data Breach Report
With the release of the Second Quarterly Data Breach Report (Report), the OAIC has highlighted the education sector as the fourth most at-risk from incidents of criminal attack or human error, resulting in a NDB. The Report captures notifications received by the OAIC under the NDB scheme between 1 April and 30 June 2018. It also marks the first time that data for a full quarter has been reported. Since the Scheme began, the OAIC has received 305 breach notifications.
The Report found that malicious or criminal attacks accounted for 59% of data breaches, with theft of paperwork or storage devices a significant source of those attacks. Human error accounted for 36% of data breaches. In most cases, the majority of information involved was contact information (89%), financial information (42%), identity information (39%) or health information (25%).
Human error was the second largest source of data breaches, with the most common data breach in this category including sending personal information to the wrong recipient via email (22 notifications), post (10 notifications) or in other ways (8 notifications), and unintended release or publication of personal information (12 notifications). The education sector also had the greatest number of unauthorised verbal disclosures which were breaches of the Privacy Act.
Unauthorised Verbal Disclosures and Personal Information
Schools collect and store a vast array of personal information about students and staff, through the operation of day-to-day functions. Also, advances in technology are enabling schools to electronically store increasing amounts of personal information such as photos, bank details, family information, contact details, videos of students, medical records and health information. For this reason, it is important that school communities practise a privacy aware culture to ensure that the collection, storage, use and disclosure of personal information about students and staff comply with the APPs.
A data breach occurs when personal information is lost or subject to unauthorised access, modification, disclosure, or other misuse or interference. For schools, data breaches generally do not result from hacking or cyber attacks on school systems. More commonly, data breaches occur due to internal human errors or a failure to follow information handling policies that result in personal information being inadvertently lost or disclosed to the wrong person.
Data breaches may also occur through unauthorised verbal disclosures. The Privacy Act does not define 'disclosure'. According to the OAIC Guide, when personal information is made accessible or visible to others outside the school and the school releases the subsequent handling of the personal information from its effective control, it can be considered a disclosure. This focuses on the act done by the disclosing party, and not on the actions or knowledge of the recipient. Disclosure, in the context of the Privacy Act, can occur even where the personal information is already known to the recipient.
What schools can do now
The OAIC’s Acting Privacy Commissioner, Angelene Falk, said "The OAIC continues to work with entities to ensure compliance with the Scheme, offer advice and guidance in response to notifications, and consider appropriate regulatory action in cases of non-compliance.”
- take reasonable steps to make individuals aware that it is collecting personal information about them
- notify those individuals about the purpose for which it is collecting the information and who it might share that information with
- comply with restrictions on how personal information can be used and to whom it can be disclosed, and
- give individuals the right to access the information the school holds about them and to have that information corrected or modified.
Privacy must be a part of the school culture and all staff should be aware of the risks associated with data breaches occurring at the school. Schools can think of privacy as a four step process:
- Embedding a culture of privacy that enables compliance
- Establishing a robust and effective privacy process
- Evaluating a school's privacy processes to ensure continued effectiveness, and
- Enhancing a school's responses to privacy issues.
By training staff, and implementing privacy by design, schools will be responding to the major hazards identified in the Report and will promote the security of personal information of students and staff members.