A number of these third party relationships will involve the collection, use or disclosure of the personal information of students and/or staff. Typical examples of these service providers include:

• companies providing specific sports or sports coaching to a school
• outdoor education and school campsite providers
• software companies providing specific services such as permission notes or medical records management, sports scheduling and sports team management
• companies that provide a ‘complete’ database management solution covering student and staff records, timetabling, pastoral care and medical records management and academic reporting.

The types of personal information that are likely to be collected by or disclosed to these service providers would include names, dates of birth, contact details, next of kin, and may also include more sensitive information such as medical conditions, disabilities, and health care requirements. In some cases the service provider would receive the information from the school which had collected it from students or parents/guardians. In other cases, the service provider, as directed by the school, would collect the information directly from the parents/guardians or students.

Schools should now be attuned to the issues surrounding their obligations regarding privacy even when only a hint of “personal information” is involved. This means that a school should always be considering how the 13 Australian Principles (APPs) are likely to apply in relation to “personal information” and what the school must do to comply.

 

Does the Privacy Act Apply?

Personal information is any information or an opinion about an individual who is reasonably identifiable. It is protected by the Privacy Act 1988 (Cth) and the 13 APPs which provide rules covering a school’s privacy obligations across the personal information life cycle, from collection to disposal.

The Privacy Act will apply to schools and to most of the personal information collected and held by a school. The Privacy Act may also apply to a school’s service providers if they meet the relevant criteria (set out below).

In the school context, the Privacy Act applies to companies, organisations, partnerships, sole traders (called “APP entities”) if they:

• have an annual turnover of more than $3 million
• provide a health service
• are a business that sells or purchases personal information
• are a credit reporting body; or
• are a contracted service provider for an Australian Government contract.

Providing a “health service” and who therefore is a “health service provider” is interpreted rather widely and, in addition to the obvious health and allied health providers, includes entities that:

• assess, maintain or improve a person’s physical or psychological health
• record a person’s health for the purposes of assessing, maintaining, improving or managing the person’s health.

Schools and gyms are specifically included in the definition of “health service provider”. Service providers who request health and medical information from potential participants in their extracurricular activities to ensure the participants’ health and safety during the course of those activities, are also likely to be also covered by the Privacy Act even if they do not meet the $3 million threshold.

A third party service provider may be required to comply with the APPs because the Privacy Act applies to them directly as they fall within one of the above categories. If however this is not the case and they do not themselves fall within the ambit of the Privacy Act, they may nevertheless be required to comply with some of the APPs because, as the school and its personal information management are covered by the Privacy Act, the school will require the service provider to comply with the relevant protections in the Privacy Act. A school, in discharging its obligation to protect the personal information that it collects from “misuse interference, loss or unauthorised access”, must ensure that the service provider that receives the personal information from the school meets this legal obligation even if the provider is not directly covered by the Act.

Where the service provider collects the personal information directly from the students or parents/guardians, the service provider is usually acting on the direction of the school, which means that the school still holds some responsibility for ensuring that the personal information is managed in accordance with the Privacy Act.

In summary, the service provider may be required to comply with the APPs because the Privacy Act applies to them directly or because the school and its personal information management are covered by the Privacy Act.

 

Collecting Personal Information (APP 5)

When a school or a service provider to whom the Privacy Act directly applies (an “‘APP entity”) collects personal information about an individual, they are subject to the APP 5 requirement to provide a “collection notice”. The individual must be notified prior to, or at the time of collection of:

• the identity and contact details of the school or service provider (whoever is collecting the information)
• the facts and circumstances of collection
• whether the collection is required or authorised by law
• the purposes of collection
• what happens if the personal information is not collected (for example, the child cannot go on the excursion)
• where and when the information is likely to be disclosed (for example, to a service provider)
• information about the school or service provider’s Privacy Policy
• whether the entity is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located.

Where a school will be providing the personal information that it is collecting to a service provider, this must be included in the collection notice. If the service provider is located outside of Australia, this must also be included in the collection notice.

 

School collection notices should notify parents and carers of any other personal information that the school collects while the student is enrolled at the school and advise that some of this information may also be disclosed to third parties. This information might include details of student welfare and health and wellbeing that is collected and recorded on school records. This may include information about behaviour management and students’ special needs.

While a collection notice specifically refers to how the information will be used or disclosed in this instance, the Privacy Policy of the school and/or service provider should encompass all of the types of information collected and its uses and likely disclosures. The Privacy Policy must be available and accessible (APP 1).

 

Schools Disclosing Confidential Information to Third Parties

When a school uses service providers to whom it provides personal information, the school will need to ensure that it meets the “disclosure” requirements in APP 6.

APP 6 limits the circumstances in which a school or service provider may use or disclose personal information that it has collected (or that it may have received from the school, in the case of the service provider). When a school provides personal information to a third party they are disclosing that information to the third party. The following requirements apply to the disclosure of personal information to a third party by a school:

• information that was collected by a school can only be used or disclosed for the particular purpose for which it was collected (the “primary purpose”), usually as set out in the collection notice
• a school must not disclose the information for another purpose (the “secondary purpose”) unless the individual has consented to the disclosure or an exception applies
• additional requirements apply where the information is being disclosed to a service provider located overseas or who will be taking the information overseas.

There are a number of exceptions, but the most relevant for schools include:

• where the disclosure is related to the primary purpose of collection. In the case of sensitive information such as health information, it must be directly related to the primary purpose of collection
• where a permitted “general situation” exits under section 16A of the Privacy Act.

The general situations relevant here are where:

• it is impracticable or unreasonable to obtain an individual’s consent to the disclosure AND the disclosure is necessary to lesson or prevent a serious threat to life health or safety of an individual or to public health and safety
• the school or service provider reasonably believes that the collection, use or disclosure is reasonably necessary to assist in locating a person who has been reported as missing
• the school or service provider suspects that there has been unlawful activity or serious misconduct in relation to their functions or activities and that the collection, use or disclosure is necessary for the school or service provider to take appropriate action.

The best way to ensure that a school or service provider is appropriately using and disclosing personal information is for this to be included in the privacy collection notice thereby advising parents/guardians or students at the time of collection and allowing them to make an informed decision as to whether to provide the information.

This information should also be included in the school’s Privacy Policy.

 

Health Records– Additional Privacy Requirements

The Privacy Act regards health information as particularly sensitive personal information and has additional safeguards. The key requirement is that health information must only be used for the primary purpose for which it was collected or to which it is directly related.

Some states and territories also have legislation that applies to the privacy of health records, including defining what is a health record, and the collection, storage, use and disclosure of health information. Both the school and service providers must ensure that they meet the requirements of the health records legislation that applies in their state or territory as well as the requirements under the Privacy Act. For example, in Victoria, under the Health Records Act 2001 (Vic), there are 11 health privacy principles that apply where a school collects the health information of a student or employee. In New South Wales, schools must comply with the Health Records and Information Privacy Act 2002 (NSW) which only applies (in the school context) to health information collected from students, and not employees. The ACT has similar health records requirements in the Health Records (Privacy and Access) Act 1997 (ACT).

The good news is that the gist of the requirements under the respective state and territory laws largely mirror the federal Privacy Act provisions relating to health information.

 

Sending or Storing Personal Information Overseas

Where a student’s personal information is sent overseas, for example, for the purposes of student exchanges or school tours, the school must take reasonable steps to ensure that the overseas service provider does not breach the APPs in relation to that information. The school may be liable for privacy breaches by the overseas service provider.

In practical terms, to discharge its privacy obligations, the school must:

• assure itself that the overseas provider is subject to privacy requirements substantially similar to the Australian Privacy Act
• impose contractual terms on the overseas service provider that are the equivalent to the Australian privacy protections; or
• seek express consent from the parents/guardians or students for the information to be sent overseas.

A school should also seek information from a service provider regarding where the service provider’s data will be stored and, if this is stored in a server overseas, the school should take reasonable steps to assure itself of the safety and security of that data in that location (which may be by contractual means).

 

Misuse, Interference, Loss and Unauthorised Access

Schools should ensure that a service provider to whom they are entrusting their students’ personal information has reasonable measures in place to protect that information from misuse, interference or loss, as well as unauthorised access and disclosure (See APP 11). This includes the school being satisfied that the service provider’s cybersecurity is satisfactory, and that the service provider’s employees have confidentiality requirements stipulated in their Code of Conduct or employment contracts. There should also be a clear understanding that the information can only be used for the purposes for which it was collected (with the exceptions set out above).

 

How Can Schools Protect Themselves?

Schools should consider including terms in the contractual arrangements that they enter into with service providers that address the requirements of the Privacy Act and any relevant health records legislation. These terms might include:

• undertakings as to data security measures and cybersecurity including how and in what format the data will be stored and the data security systems to be used
• undertakings in relation to employee confidentiality obligations which may include relevant training
• notifying the school when there has been a data breach of any kind or unauthorised access to confidential information
• storage, archiving and destruction of data including:
  • requirements as to geographical location of data storage
  • access to the data by the school to retrieve records
  • notifying the school if there are any proposed changes to any of these arrangements
  • notifying the school before any records are destroyed
• provisions related to what happens to the data in the event of the sale or winding up of the third party.

A truly prudent school may also like to consider surveying service providers at regular intervals to ask about their privacy protection measures including cyber security.

A guide to the Commonwealth Privacy Act 1988 and the Australian Privacy Principles (APPs) contained in Schedule 1 to the Act APPs can be found here: https://www.oaic.gov.au/privacy/australian-privacy-principles.

 

Authors

Jonathan Oliver

Jonathan Oliver is the Principal Consultant, Governance, Risk and Compliance at CompliSpace. Jonathan has been a Solicitor for over 35 years and has worked in private legal practice and in school administration as a business manager. He has a BA and an LLB.

 

Svetlana Pozydajew

Svetlana Pozydajew is the Principal Consultant, Workplace Relations at CompliSpace. Svetlana has a background in management of national HR and WHS functions across the private and public sectors, and has an LLB, MBA and MA (Journalism).