It is very apparent that schools collect and store vast amounts of personal information for many people within their community. In recent years, schools have developed privacy policies in order to comply with both the Privacy Act 1988 (Cth) and registration requirements. However, although they have a privacy policy in place, how many schools have a privacy program which actively addresses all of the 13 Australian Privacy Principles (APPs)? How does the school management and school council ensure that school staff are complying with those requirements? Do staff know that they should report data breaches and who within the school knows when to notify the privacy regulator, the Office of the Australian Information Commissioner (OAIC), of a data breach?
Unfortunately, once a policy is developed and published, unless it is actually implemented and its implementation monitored, it quickly becomes ‘forgotten’. Privacy protection is not just a policy, it needs to be a cultural norm and an imperative, with supporting procedures and training that make it clear to staff how they need to address those requirements in their everyday activities.
Privacy legislation now has ‘teeth’ with significant fines for organisations that fail to comply, and major reputational damage as a result of appearing incompetent or insufficiently respectful of people’s privacy.
The federal Privacy Act protects the personal information of an identifiable individual which is collected, used, disclosed, or held by an “APP (Australian Privacy Principles) entity”. In general terms, an “APP entity” is an organisation with an annual turnover over $3 million or that is a “health provider”. While some schools may be so small that they do not meet the financial turnover criteria, if they collect and retain students’ health records, this will bring them within the definition of “health provider”, and so they must comply with the Privacy Act.
The APPs, which articulate the bulk of the Privacy Act compliance requirements, apply to personal information that a school collects from students, parents/carers, volunteers, alumni, and contractors, as well as to most individuals with whom the school may interact. The principal exception to the application of the Privacy Act is personal information relating to employees, current or past, where the school is handling that information for a purpose directly related to the employment relationship. This exemption does not cover job applicants who are not subsequently employed by the school, or employees who are employed through a related corporation that provides them with protections under the Privacy Act. Nor does the employee records exemption cover employee records that a school provides to a third party, such as an educational authority or an industry association; those records remain subject to the APPs.
It should be noted that, while an employee’s personal information is exempt from the federal Privacy Act, it must still be treated confidentially and on a strict need-to-know basis. An employee’s medical records, including records of work-related injuries or illnesses, may be protected by other legislation such as workers’ compensation or workplace safety laws, or state or territory health records legislation.
The 13 APPs apply to the way in which a school collects, uses, discloses, holds, and destroys personal information. The Privacy Act also applies to the school’s handling of unauthorised disclosures of personal information. This culminates in large fines where an organisation has failed to take appropriate steps, including notifying the OAIC, where personal information held by the school has been hacked, lost, or stolen and there is a risk of significant harm to affected individuals.
For a school to address the risk of not complying with privacy requirements, it goes without saying that it must have a comprehensive, easily accessible privacy policy (APP 1). This usually means that the policy should at least be published on the school’s website. However, schools should also address the following key risks:
While the above list is not an exhaustive list of privacy risks, it makes clear that, for a school to comply with its privacy obligations, its privacy policy must be underpinned by school staff being supported in doing the right thing, with comprehensive procedures and training. And of course, no risk management program is complete without monitoring, reporting, and review, to ensure that the privacy control measures are in fact effective.
Privacy is one of the seven "forgotten" risks in schools. This topic will be explored in a free webinar on 27 August 2020.
With 37 years of educational experience, Craig D’cruz is the National Education Lead at CompliSpace. Craig provides direction on education matters including new products, program/module content and training. Previously, Craig held the role of Industrial Officer at the Association of Independent Schools of WA, was the Principal of a K-12 non-government school and Deputy Principal of a systemic non-government school, and has had teaching and leadership experience in both the independent and Catholic school sectors. Craig currently sits on the board of a large non-government school and is a regular presenter on behalf of CompliSpace and other educational bodies on issues relating to school governance, school culture and leadership.