A School’s Privacy Obligations During the COVID-19 Pandemic

Published
07 May 2020

COVID-19 has provided a tsunami of new issues to be considered and old issues needing to be addressed in new ways. Privacy is probably not the first concern that comes to mind when a school is dealing with online learning, working from home, child safety, and potential staff stand downs, but health information needs to be collected to keep staff and students safe, and disclosing personal information inappropriately can still cause serious harm. Schools need to balance all of these considerations on a daily basis, while factoring in delays where staff may not be working within hailing distance of one another.

As this week is Privacy Awareness Week, we canvass the key issues and discuss what schools should be doing.


Collection of COVID-19 Information by the School

As the Office of the Australian Privacy Commissioner (OAIC) points out in relation to the COVID-19 pandemic circumstances:

“The Privacy Act will not stop critical information sharing. Agencies and private sector employers (including private health service providers) have important obligations to maintain a safe workplace for staff and visitors and handle personal information appropriately…”

This certainly does not mean open slather but a school, in fulfilling its student duty of care and its health and safety responsibilities as an employer, can certainly ask staff, students and visitors:

  • whether the individual or a close contact has been exposed to a known case of COVID-19
  • whether the individual has recently travelled overseas and to which countries.

A collection notice would include wording to the effect that:

The purpose of collecting personal information from a student or visitor is to prevent or manage the risk of COVID-19, as a communicable disease, and to ensure that necessary precautions can be taken in relation to that individual and any other individuals that may be at risk.


Disclosure of Information Relating to COVID-19

As a general principle, the OAIC advises that only personal information that is reasonably necessary to prevent or manage COVID-19 in the workplace may be used or disclosed. The OAIC approves informing staff that a colleague or visitor has or may have contracted COVID-19, but only to the extent that is necessary. It may therefore not be necessary to reveal the name of an individual in order to prevent or manage COVID-19, or the disclosure of the name may be restricted to a limited number of people on a ‘need-to-know basis’.

With respect to informing the wider school community of a suspected or actual case, a school should consider firstly, what information is reasonably necessary to prevent or manage COVID-19 in the school and school community, and secondly, if providing information will identify an individual, whether it is appropriate to seek their consent to do so. Advice should be sought from public health officials on what information should be provided and who should be informed, for example, the whole school, or just that class, or year.

If it is reasonably necessary to provide identifying information about an affected individual to others who may have been in contact with the affected individual, obtaining the consent of the affected individual is preferable. If obtaining consent is unreasonable or impracticable, the Privacy Act provides an exemption for a “permitted general situation”. This exception applies where the school reasonably believes that the collection, use or disclosure of this sensitive personal information “is necessary to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health or safety” and it is unreasonable or impracticable to obtain the individual’s consent.


The ‘App’

How Does ‘the App’ Work?

Arguably the biggest issue in relation to privacy at the moment is the Federal Government’s COVIDSafe tracking app. The app has been developed to trace people who may have been exposed to someone who has tested positive to COVID-19, those “people” being defined as those who have spent 15 minutes or more with the potentially infected person while within a distance of 1.5 metres and who also have the app. If a person with the app tests positive to COVID-19, they would be asked to download the encrypted log on their phone and send it to a central server, where the relevant federal and state/territory public health officials could access and decrypt it. The person’s local health department would then call anyone who had been in contact with a COVID-19 case. This would be supplemented by public health officials asking for the names and contact details of anyone that the individual recalls having been in contact with for the requisite time and within the requisite distance. The log on the phone is deleted on a 21-day rolling cycle. The app does not record the location of the app holders.


Can People Be Forced to Download ‘the App’?

It should also be noted that under the terms of the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020 (Cth) a person cannot be required to download and operate the app, or be refused entry to premises or to participate in an activity, or to have “adverse action” taken against them in their employment if they don’t download it. In other words, a school cannot force staff, students, or any visitors to ‘have the app’ before entering school premises.


Safeguarding

While the app has been given the tick by the Australian Privacy Commissioner, it is recommended that anyone considering downloading the app should ensure that they only do so from official channels on the Apple App Store or Google Play Store, and if they receive phone or email requests for additional information, that the authenticity of the caller/sender is checked before sharing any private information.


Information Requests from Public Health Officials

In tracking down contacts of people infected with COVID-19, public health officials may contact the school or staff or students. This information can be very personal but once again its collection is carried out under the auspices of the Federal Government’s emergency powers in order to lessen or control the impact of a threat to public health.

If approached and asked to provide this type of information, the school would be prudent to ask the public health officers to identify themselves and to confirm their authority to require the information to be provided.

The school should record the request, the information disclosed and any follow up actions by the public health authority or the school.


Working from Home

Staff should be reminded regularly to keep their school-related work on password-protected devices, set their devices to lock automatically if they have not been used after a few minutes, separate school-related information on devices from their personal work wherever possible, keep hard copy personal information securely, and conduct phone calls and video calls in private.

It is also recommended that schools monitor online learning to check that only the appropriate students are participating. This will probably need to be done with the assistance of IT departments, rather than expecting teachers to perform such a multiplicity of tasks in the midst of conducting an online session.

For the purposes of due diligence, schools should also check Zoom’s recently released international privacy policy for K-12.


Learning from Home

We have previously canvassed the concerns relating to online learning and child safety. Social isolation can be a factor in students reaching out on social media with greater desperation and less caution. Schools should be monitoring online behaviour where this is done through school portals, and once again, in the context of privacy and child protection, students and their parents/carers should be reminded regularly to be careful.


What Should Schools Do?

Schools should:

  • regularly remind staff, students, parents, and the school community that privacy is still important and must be observed
  • develop protocols on how frequently asked questions to the school should be addressed
  • provide training to frontline staff about how to manage requests for different categories of information
  • ensure that any more complex or difficult queries (or difficult people) can be referred easily to an appropriately qualified and trained person - usually the school’s privacy officer
  • keep a record of disclosures made in relation to COVID-19, including the relevant circumstances and to whom the personal information was disclosed
  • increase monitoring of all electronic traffic on school equipment including video conferences.

Svetlana Pozydajew

Svetlana is a Principal Consultant (NFP) at CompliSpace. She has over 20 years of experience in strategic and operational human resource management, occupational health and safety, and design and implementation of policies and change management programs. She has held national people management responsibility positions in the public and private sectors. Svetlana holds a LLB, Masters in Management (MBA), Master of Arts in Journalism, and a Certificate in Governance for not-for-profits.