Privacy, as discussed in our Briefing Paper, can be a burdensome responsibility for many schools. Given that the kind of information that schools handle is often sensitive, of a personal or medical nature, schools carry a huge amount of responsibility in managing the protection of this information. Furthermore, as the information may not only affect the wellbeing, safety and privacy of students but also their families and the wider school community, this responsibility looms even larger.
Despite the gravity of this matter, it is only in light of recent events such as the Cambridge Analytica scandal that privacy is now being explicitly discussed in many sectors, including education. As discussed in a previous School Governance article, the Notifiable Data Breach (NDB) Scheme (that affects any organisation covered by the Privacy Act 1988 (Cth)), which commenced in early 2018, applies to most non-government schools, requiring that they notify individuals when their information is breached and is likely to result in serious harm. These breaches must also be reported to the Office of the Australian Information Commissioner (OAIC).
While legal regulations such as the NDB Scheme establish standards that schools must meet in managing the aftermath of a privacy breach, the question still remains as to how schools can change the culture within their communities to effectively address issues of privacy before, as well as after, they arise.
As reported by The Educator, Civica recently commissioned the Institute of Public Policy & Governance (IPPG) at the University of Technology, Sydney to create a report that would aid schools in their discussions regarding privacy. The title of the report, “Safe Enough? Data Privacy and Security in Schools” addresses the notion that, while schools may feel that they have adequate privacy practices, as the digital world changes rapidly and fluidly, schools must keep up in ensuring that the information they are managing is as protected as possible.
In its report, the IPPG rightly recognises that schools require support systems in order to tackle privacy issues effectively, and in order to access and build this kind of support, schools may need to develop new procedures and practices. The report focused on the following four themes:
- approaches to data management
- attitudes to risk and cyber threats
- governance, responsibility and duty of care
- compliance and legal requirements.
How Should Schools Be Preparing Themselves?
The report notes an overall issue with perceptions of privacy both culturally and within school communities that result in it not being recognised as a collective responsibility. As such, the report recommends that schools aim to establish a community that collectively enacts practices and procedures that recognise and promote the importance of digital security. This can only be achieved once the whole community is encouraged to engage in a conversation surrounding privacy that is grounded in a sense of ethics and trust.
Overall, the report strongly suggests that schools must not only consider issues of legal compliance but whether the school culture and community are acting ethically, and whether they are prepared for a possible privacy breach. As such, the report has a strong focus on governance and compliance being key pillars to a risk management strategy towards privacy.
With respect to governance, the report recommends that schools should acknowledge that “these [privacy] risks point to the need for good governance and oversight from all levels of the school’s organisational structure, from the principal and president of the board through to the administration staff”. In establishing an effective governance structure, schools should ensure that each stakeholder in the school community understands and executes their role in maintaining an effective risk management approach. Communication channels should be established within the school and to the wider community to ensure that everyone, including parents of students, understand the risks, how they may arise, how to prevent them and how to manage them. Some organisations, as reported in this Law in Order blogpost, are now introducing the role of ‘information governance officer’ in certain departments to ensure compliance and management of information, which in a school environment may fit comfortably within the role of the school’s Privacy Officer.
As mentioned above, most schools are covered by the Privacy Act and so it is now mandatory for a school to report notifiable data breaches to the OAIC. Failure to do so may result in a significant fine. Schools should have clear policies and procedures relating to privacy and what constitutes a notifiable breach. These should be communicated effectively to all staff, and where appropriate, to students and their families. Once a school has established its own policies and procedures for privacy matters, these should be reviewed and updated regularly. The OAIC has developed a guidance document to help organisations develop and implement a data breach response plan.
In relation to matters of privacy, the best solution is ultimately preparation and prevention. While schools may face legal obligations regarding the handling of data breaches, preventing and mitigating those breaches in the first place can help schools avoid reputational, financial and other damage. The “Safe Enough?” report highlights the role of compliance and good governance in ensuring privacy in a school setting and pointing a way forward in an area which will only continue to grow in importance.
Svetlana is a Senior Consultant at CompliSpace. She has over 20 years of experience in strategic and operational human resource management, occupational health and safety, and design and implementation of policies and change management programs. She has held national people management responsibility positions in the public and private sectors. Svetlana holds a LLB , Masters in Management (MBA), Master of Arts in Journalism, and a Certificate in Governance for not-for-profits.
Soo Choi is a Legal Research Assistant at CompliSpace. She is currently studying a Bachelor of Arts and Bachelor of Laws at the University of Sydney.