Privacy in Schools – A Forgotten Risk


It is very apparent that schools collect and store vast amounts of personal information for many people within their community. In recent years, schools have developed privacy policies in order to comply with both the Privacy Act 1988 (Cth) and registration requirements. However, although they have a privacy policy in place, how many schools have a privacy program which actively addresses all of the 13 Australian Privacy Principles (APPs)? How does the school management and school council ensure that school staff are complying with those requirements? Do staff know that they should report data breaches and who within the school knows when to notify the privacy regulator, the Office of the Australian Information Commissioner (OAIC), of a data breach?

Unfortunately, once a policy is developed and published, unless it is actually implemented and its implementation monitored, it quickly becomes ‘forgotten’. Privacy protection is not just a policy, it needs to be a cultural norm and an imperative, with supporting procedures and training that make it clear to staff how they need to address those requirements in their everyday activities.

Privacy legislation now has ‘teeth’ with significant fines for organisations that fail to comply, and major reputational damage as a result of appearing incompetent or insufficiently respectful of people’s privacy.


Whose Privacy is Protected?

The federal Privacy Act protects the personal information of an identifiable individual which is collected, used, disclosed, or held by an “APP (Australian Privacy Principles) entity”. In general terms, an “APP entity” is an organisation with an annual turnover over $3 million or that is a “health provider”. While some schools may be so small that they do not meet the financial turnover criteria, if they collect and retain students’ health records, this will bring them within the definition of “health provider”, and so they must comply with the Privacy Act.

The APPs, which articulate the bulk of the Privacy Act compliance requirements, apply to personal information that a school collects from students, parents/carers, volunteers, alumni, and contractors, as well as to most individuals with whom the school may interact. The principal exception to the application of the Privacy Act is the personal information relating to employees, current or past, when the school is handling an employee's personal information for a purpose directly related to the employment relationship. This exemption does not cover job applicants who are not subsequently employed by the school, or employees that are employed through a related corporation that provides them with protections under the Privacy Act. The employee record exemption also does not extend to exempting from the application of the APPs employee records that a school may provide to a third party, such as an educational authority or an industry association.

It should be noted that, while an employee’s personal information is exempt from the federal Privacy Act, it must still be treated confidentially and on a strict need-to-know basis. An employee’s medical records, including work-related injuries or illnesses may be protected by other legislation such as workers’ compensation or workplace safety laws, or state or territory health records legislation.


What Are the Key Touchpoints for Privacy Risk in a School?

The 13 APPs apply to the way in which a school collects, uses, discloses, holds, and destroys personal information. The Privacy Act also applies to the school’s handling of unauthorised disclosures of personal information. This culminates in large fines where an organisation has failed to take appropriate steps including notifying the OAIC where personal information held by the school has been hacked, lost, or stolen and there is the risk of significant harm to affected individuals.

For a school to address the risk of not complying with privacy requirements, it goes without saying that it must have a comprehensive, easily accessible privacy policy (APP 1). This usually means that the policy should at least be published on the school’s website. However, schools should also address the following key risks:

  • Not knowing what personal information is actually being collected by all arms of the school, how it is being used, to whom it is being disclosed, and how it is stored, and destroyed or de-identified when no longer required. If the school does not know what is being collected by whom and how it is being used, it is extremely likely to be breaching the Privacy Act. A privacy information audit is a key starting point. Consideration should be given to conducting this annually to also monitor compliance.
  • Collection notices that are inadequate or a lack of collection notices. When collecting personal information, APP 5 requires a school to inform the individual whose information is being collected the specific purpose for which the information is being collected, the consequences of not providing the information, and some further information relating to the school and its privacy policy. It is not enough to have a privacy policy or a single collection notice on enrolment which seeks to cover every foreseeable situation for which any personal information may be collected over the student’s school life. The collection notice must address each of the requirements in APP 5.
  • Collection notices that mix the collection of a student’s personal information for educational and duty of care purposes together with using the information to promote the school, or for placing student images on public-facing websites. This is considered a “bundled consent” and is strongly discouraged; if used it should be clear that a person can ‘opt out’ of each of the uses.
  • Anonymity (and pseudonymity) (APP 2). An individual can choose to interact with a school anonymously or using a pseudonym unless that is not reasonably practicable. While there are many situations in a school context where this is not reasonably practicable, provision should be made to enable complaints and feedback to be made anonymously.
  • The role of students in obtaining consent for the use and collection of their personal information. The Privacy Act does not distinguish between the rights of adults and minors, and while this seems bizarre, the OAIC provides sensible interpretation. The OAIC guidance requires the school to either determine a child or young person’s capacity and maturity to make decisions on a case-by-case basis or, where that is not practicable, then they may assume a young person to have that capacity from over the age of 15 unless the school is unsure. This is particularly relevant in communicating health or child abuse information to parents/guardians or in relation to use of student images for other than educational purposes.
  • Staff who are not trained to understand their obligations under the Privacy Act, and in particular frontline staff who are called on to respond to queries about students on an hourly basis and who want to be helpful.
  • Not having a designated person to deal with privacy issues. A school should nominate a staff member to be the privacy officer, and that person should be charged with acquiring the expertise to manage the school’s compliance with the Privacy Act. This includes the expertise to determine the type of personal information that an individual is entitled to access about themselves or the student, and when, why and how they may be refused access (APP12). Having a privacy officer is not required by the Privacy Act but strongly recommended by the OAIC.
  • Not adequately maintaining security of information (APP 11). Inadequate physical and electronic measures to ensure that personal information and in particular sensitive information is kept securely and confidentially. This includes cybersecurity training for all staff. This is particularly important during the COVID-19 pandemic when staff may be working from home and will need additional physical and electronic security measures to be in place.
  • Insufficient or no data breach response plan. The school must have procedures to respond to unauthorised disclosures of personal information, whether this is a lost or stolen school laptop, hacking into school databases or the sending of an email to the wrong person. The plan must also include guidance on when to notify the OAIC of a “notifiable data breach”, that is, where a data breach involving personal information is likely to result in serious harm.



While the above list is not an exhaustive list of privacy risks, it becomes clear that, for a school to comply with its privacy obligations, its privacy policy must be underpinned by school staff being supported in doing the right thing, with comprehensive procedures and training. And of course, no risk management program is complete without monitoring, reporting, and review, to ensure that the privacy control measures are in fact, effective.

Free Webinar:  "The Forgotten School Risks (that can come back to bite You!"

Privacy is one of the seven "forgotten" risks in schools. This topic will be explored in a free webinar on 27 August 2020.  Click here to learn more and register

About the Authors

Svetlana Pozydajew

SvetlanaSvetlana is a Principal Consultant (NFP) at CompliSpace. She has over 20 years of experience in strategic and operational human resource management, occupational health and safety, and design and implementation of policies and change management programs. She has held national people management responsibility positions in the public and private sectors. Svetlana holds a LLB, Masters in Management (MBA), Master of Arts in Journalism, and a Certificate in Governance for not-for-profits.

Craig D’cruz


With 37 years of educational experience, Craig D’cruz is the National Education Lead at CompliSpace. Craig provides direction on education matters including new products, program/module content and training. Previously Craig held the roles of Industrial Officer at the Association of Independent Schools of WA, he was the Principal of a K-12 non-government school, Deputy Principal of a systemic non-government school and he has had teaching and leadership experience in both the independent and Catholic school sectors. Craig currently sits on the board of a large non-government school and is a regular presenter on behalf of CompliSpace and other educational bodies on issues relating to school governance, school culture and leadership.

Share this
About the Author


Resources you may like

National Boarding Week - Boarding Staff Training: An Essential Risk Control

This article has been adapted from an article that was originally published in “Lights Out”. You...

Read More
Weekly Wrap: May 19, 2022

The information in the Weekly Wrap is aggregated from other news sources to provide you with news...

Read More
Significant Amendments to the Education Act 2004 (ACT) - A Summary of the New Requirements for ACT Schools

The Education Amendment Bill 2022 (ACT) (Bill) was presented to the Legislative Assembly on 7 April...

Read More

Want School Governance delivered to your inbox weekly?

Sign up today!